Security Incidents mailing list archives

Re: DNS server crashed


From: Bryan Bradsby <Bryan.Bradsby () CAPNET STATE TX US>
Date: Wed, 7 Feb 2001 22:47:10 -0600

On Tue, 6 Feb 2001, Jason Lewis wrote:

> Anyone aware of exploits for the recent BIND security holes?  I had a name
> server crash today.  Nothing in the logs that points to anything, it was just
> down.


   http://www.isc.org/products/BIND/bind-security.html

Especially the "zxfr bug"


> It is the only box I can't upgrade BIND on.  It has a funky OS install
> and I need to rebuild it from scratch.  I am waiting for new boxes, so
> it is low priority.


Suggest you increase the priority.  Try the suggested "zxfr bug"
work-arounds if you can't install 8.2.3-REL. No version of BIND v8.x
earlier than 8.2.3-REL (including 8.2.3-beta.x) should be exposed to the
Internet today.


> I suspect someone was attempting to hack it,


Probably. Note that if someone runs a stack overrun exploit "tuned" for
Linux and you don't have i386, or Linux, one of the more likely results
would be the symptom you report.

The only way to find out if this was a DNS DoS, or attempted root exploit
would be to stick an IDS on that net and catch the contents of the
packets.


> jas
> http://www.rivalpath.com


-bryan bradsby
Texas State Government Net
--
"I don't have to take this abuse from you -- I've got hundreds of
people waiting to abuse me."
                -- Bill Murray, "Ghostbusters"

