RE: BIND 9.2.1 crashes

[LordInfidel <LordInfidel () Directionweb com>]

not to sound like a broken record or ask a silly question.

But what kernel version are you running.....?  And
do you have iptables/chains running on that box protecting the OS?

The attack venue may not have been bind but something else.  Bind
ceasing could of have just been a side effect.

JMO

LordInfidel

-----Original Message-----
From: Benjamin Franz [mailto:snowhare () nihongo org]
Sent: Monday, October 06, 2003 1:18 PM
To: incidents () securityfocus com
Cc: Keith Bergen
Subject: Re: BIND 9.2.1 crashes


On Mon, 6 Oct 2003, Keith Bergen wrote:

> Benjamin,
>
> My paranoia always assumes a buffer overflow and comprimise. 
> BIND 9.2.1 appears to be vulnerable to a buffer overflow. I 
> would recommend updating it. Typically the attackers will 
> exploit the overflow, and then install their rootkits. Then 
> they will disable the DNS so that you have to reboot the 
> machine, thus permanently installing their root kits.
>
> Check out this page:
> http://www.isc.org/products/BIND/bind-security.html

Thanks. RedHat backpatches fixes and the current version of 9.2.1
distributed by them is not vulnerable to the items listed there AFAIK. I
am, and have been, running the latest version of BIND distributed by RH.

This is not to say that a _new_ vulnerability may not have been found.  
This is why I posted this to Incidents - it feels like it could be a new 0
day.

> Next, download the Root Kit Checker and compile and run it:
> http://www.chkrootkit.org/

Done. Both machines checked out as clean according to it.

-- 
Benjamin Franz


> Hope this helps,
> Keith.
>
>
> ---- Original message ----
> > Date: Sun, 5 Oct 2003 14:06:34 -0700 (PDT)
> > From: Benjamin Franz <snowhare () nihongo org>  
> > Subject: BIND 9.2.1 crashes  
> > To: incidents () securityfocus com
> >
> >
> > This is going to necessarily be sketchy on details because I 
> don't have
> > many.
> >
> > In the last 48 hours I've had two nameservers on completely 
> seperate
> > subnets crash with no indication as to what crashed them. 
> Both nameservers
> > are running BIND 9.2.1 (One system is running RH 7.3, BIND 
> 9.2.1-1.7x.2.  
> > The other system is running RH 7.2, BIND 9.2.1-1.7x.2).
> >
> > The named on the RH7.3 system 'tied itself in a knot' 
> without formally
> > dying - it just stopped doing name service after a lot 
> of 'no more
> > recursive clients: quota reached' messages (related to a 
> maillist mailing
> > I believe initially - but this had stopped before I was 
> called in - at
> > which time the named was still refusing service, but hadn't 
> logged
> > anything in 40 minutes). The named on the RH7.2 system 
> completely died
> > with no logged messages at all about 18 hours after the 
> RH7.3 system
> > problem, with no unusual activity preceding its death - it 
> just stopped
> > for no apparent reason).
> >
> > The 7.2 system has been running for several months with no 
> issues. The 7.3
> > system was brought online a week ago - and had no trouble 
> until this.
> > Has anyone else been seeing BIND crashes on previously 
> stable systems in 
> > the last week?
> >
> > -- 
> > Benamin Franz
> >
> > Gauss's law is always true, but it is not always useful.
> >    -- David J. Griffiths, "Introduction to Electrodynamics"
> >
> >
> >
> >
> > -------------------------------------------------------------
> --------------
> > -------------------------------------------------------------
> ---------------
> >
---------------------------------------------------------------------------
>
----------------------------------------------------------------------------
>

-- 
Jerry

Gauss's law is always true, but it is not always useful.
    -- David J. Griffiths, "Introduction to Electrodynamics"





---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------