Security Incidents mailing list archives
RE: BIND 9.2.1 crashes
From: LordInfidel <LordInfidel () Directionweb com>
Date: Mon, 6 Oct 2003 16:42:56 -0400
Not to sound like a broken record or ask a silly question. But what kernel version are you running.....? And do you have iptables/chains running on that box protecting the OS?

The attack venue may not have been bind but something else. Bind ceasing could have just been a side effect.

JMO

LordInfidel

-----Original Message-----
From: Benjamin Franz [mailto:snowhare () nihongo org]
Sent: Monday, October 06, 2003 1:18 PM
To: incidents () securityfocus com
Cc: Keith Bergen
Subject: Re: BIND 9.2.1 crashes

On Mon, 6 Oct 2003, Keith Bergen wrote:
Benjamin, My paranoia always assumes a buffer overflow and compromise. BIND 9.2.1 appears to be vulnerable to a buffer overflow. I would recommend updating it. Typically the attackers will exploit the overflow, and then install their rootkits. Then they will disable the DNS so that you have to reboot the machine, thus permanently installing their root kits. Check out this page: http://www.isc.org/products/BIND/bind-security.html
Thanks. RedHat backpatches fixes and the current version of 9.2.1 distributed by them is not vulnerable to the items listed there AFAIK. I am, and have been, running the latest version of BIND distributed by RH. This is not to say that a _new_ vulnerability may not have been found. This is why I posted this to Incidents - it feels like it could be a new 0 day.
Next, download the Root Kit Checker and compile and run it: http://www.chkrootkit.org/
Done. Both machines checked out as clean according to it. -- Benjamin Franz
Hope this helps, Keith.

---- Original message ----
Date: Sun, 5 Oct 2003 14:06:34 -0700 (PDT)
From: Benjamin Franz <snowhare () nihongo org>
Subject: BIND 9.2.1 crashes
To: incidents () securityfocus com

This is going to necessarily be sketchy on details because I don't have many.

In the last 48 hours I've had two nameservers on completely separate subnets crash with no indication as to what crashed them. Both nameservers are running BIND 9.2.1 (One system is running RH 7.3, BIND 9.2.1-1.7x.2. The other system is running RH 7.2, BIND 9.2.1-1.7x.2).

The named on the RH7.3 system 'tied itself in a knot' without formally dying - it just stopped doing name service after a lot of 'no more recursive clients: quota reached' messages (related to a maillist mailing I believe initially - but this had stopped before I was called in - at which time the named was still refusing service, but hadn't logged anything in 40 minutes). The named on the RH7.2 system completely died with no logged messages at all about 18 hours after the RH7.3 system problem, with no unusual activity preceding its death - it just stopped for no apparent reason).

The 7.2 system has been running for several months with no issues. The 7.3 system was brought online a week ago - and had no trouble until this.

Has anyone else been seeing BIND crashes on previously stable systems in the last week?

--
Benjamin Franz

Gauss's law is always true, but it is not always useful.
-- David J. Griffiths, "Introduction to Electrodynamics"
--
Jerry

Gauss's law is always true, but it is not always useful.
-- David J. Griffiths, "Introduction to Electrodynamics"
Current thread:
- BIND 9.2.1 crashes Benjamin Franz (Oct 06)
- <Possible follow-ups>
- Re: BIND 9.2.1 crashes Keith Bergen (Oct 06)
- Re: BIND 9.2.1 crashes jlewis (Oct 06)
- Re: BIND 9.2.1 crashes Benjamin Franz (Oct 06)
- RE: BIND 9.2.1 crashes LordInfidel (Oct 07)
- RE: BIND 9.2.1 crashes Benjamin Franz (Oct 07)