Security Incidents mailing list archives

Re: Bind compromise


From: Antonio Carlos Pina <apina () infolink com br>
Date: Wed, 21 Feb 2001 11:28:11 -0300

Jason,

I haven't seen any Bind 8.2.3-REL exploit yet, but I DID see an 8.2.2 box
rooted (t0rnkit) with NDC STATUS reporting "8.2.3-REL". The customer told me
"Nobody did the upgrade, we're pretty sure" and I believe them because
there's only one linux-man there and he is on vacation.

Unfortunately, I couldn't investigate more, but there's a real possibility
that this kit has upgraded bind or at least tried to fool them, changing
strings(?).

Best Regards,

Cordially,
Antonio Carlos Pina
Director of Technology
INFOLINK Internet
http://www.infolink.com.br

----- Original Message -----
From: "Jason Lewis" <jlewis () JASONLEWIS NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 20, 2001 8:56 PM
Subject: Re: Bind compromise


Is there an exploit for 8.2.3-REL?

What else was running on this box?  ftpd?

What version of SSH?

I am rolling out two new name servers and I would rather not roll out
something with holes.

What kind of options are you using in the named.conf?  Is it secure?

jas
http://www.rivalpath.com



