Re: bind breakin?

["McGraw, Stuart" <stuart () DISPLAYTECH COM>]

Hello,

Thanks for all the feedback folks!  As many pointed out
these messages were from a non-privileged user trying
to restart named.  But these messages were generated
when no one was logged in and some digging revealed
an lkm rootkit.  Sigh.

                                -- Stu

> -----Original Message-----
> From: Stuart McGraw
> Sent: Monday, February 19, 2001 10:05 AM
> To: 'INCIDENTS () SECURITYFOCUS COM'
> Subject: bind breakin?
>
>
> Hello,
>
> Have I been hacked?  Are these messages a signature of any known
> exploits?  Thanks greatly...
>
>                               -- Stu
>
> Feb 17 22:33:55 dns1 named[11646]: slave zone "hasco.com"
> (IN) loaded (serial 1001122
> Feb 17 22:33:55 dns1 named[11646]: slave zone
> "123.123.123-addr.arpa" (IN) loaded (serial 1000918
> Feb 17 22:33:55 dns1 named[11646]: slave zone
> "124.123.123.in-addr.arpa" (IN) loaded (serial 1000918
> Feb 17 22:33:55 dns1 named[11646]: slave zone
> "10.in-addr.arpa" (IN) loaded (serial 990624)
> Feb 17 22:33:55 dns1 named[11646]: master zone
> "0.0.127.in-addr.arpa" (IN) loaded (serial 1997010400)
> Feb 17 22:33:55 dns1 named[11646]: hint zone "" (IN) loaded (serial 0)
> Feb 17 22:33:55 dns1 named[11646]: unix control
> "/var/run/ndc" unlink failed: Permission denied
> Feb 17 22:33:55 dns1 named[11646]: ctl_server: bind: Address
> already in use
> Feb 17 22:33:55 dns1 named[11646]: couldn't create pid file
> '/var/run/named.pid'
> Feb 17 22:33:55 dns1 named[11646]: bind(dfd=20,
> [127.0.0.1].53): Permission denied
> Feb 17 22:33:55 dns1 named[11646]: deleting interface [127.0.0.1].53
> Feb 17 22:33:55 dns1 named[11646]: bind(dfd=20,
> [123.123.123.1].53): Permission denied
> Feb 17 22:33:55 dns1 named[11646]: deleting interface
> [123.123.123.1].53
> Feb 17 22:33:55 dns1 named[11646]: not listening on any interfaces
> Feb 17 22:33:55 dns1 named[11646]: opensocket_f:
> bind([0.0.0.0].53): Permission denied