Security Incidents mailing list archives

Re: FYI: Bind compromise


From: Jason Lewis <jlewis () jasonlewis net>
Date: Wed, 21 Feb 2001 01:45:21 -0500

I agree......

I looked at the ISC listing of exploits....
http://www.isc.org/products/BIND/bind-security.html

And 8.2.3-betas ARE vulnerable.....  Maybe it was beta and not -REL?

My guess is the attacker upgraded BIND to prevent someone from compromising
HIS compromise.  That makes me laugh for some reason.

jas
http://www.rivalpath.com

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Phil Brutsche
Sent: Tuesday, February 20, 2001 7:35 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: FYI: Bind compromise


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

What is in.amdq? A customized ssh daemon of sorts that allows anyone to
connect as root, or so it appears. They also must have used a rootkit of
some sort, as the process does not show up in ps auxw. There is probably
more to the compromise, but this is all I found. This server was running
named 8.2.3-REL, which I assume was the source of the system compromise.
According to my colo provider, everyone who had a colocated Linux box with
this version of BIND had been penetrated, so it's possible this attack is
self-replicating, although I could not find any traces of this on the
compromised system. Thankfully this box isn't that important, and thank
goodness I got BIND 9.1 up and running on my important boxes before this
had happened.

I disagree that this is a BIND 8.2.3 exploit.  If it was we probably would
have heard about it on BugTraq by now :)

I've seen this rootkit (or, at least, this back door) on a RedHat box that
had no business running, and was not running, BIND.  They were, however,
running all sorts of other services (it was RedHat 6.0, with *no*
updates) that had nasty vulnerabilities.

If you still have access to the compromised system, I think you'll find
some files under /dev/sdc0/ (where the ssh backdoor gets its
configuration).

I think you will also find /usr/sbin/in.sysched.  I have no idea what that
does; I've heard it may be a DDoS tool.  I haven't been able to find
anything conclusive about it on google, and nothing on packetstorm and
SecurityFocus.

What I know about it starts with the (way too short) thread at
http://plug.skylab.org/200007/msg00526.html, and another (also way too
short) at http://www.linux.ie/pipermail/ilug/2000-September/022860.html.
As well as some stuff in Norwegian.

- --
- ----------------------------------------------------------------------
Phil Brutsche                               pbrutsch () tux creighton edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6kw1I/ZTSZFDeHPwRAnCiAJ9M0VX4PGjJtkve17HCjSeH+VANZACePVYo
xGJp8qcMnM15tfGs2ewIo3U=
=y0+C
-----END PGP SIGNATURE-----
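The two indicators Phil points at (a daemon that /proc knows about but ps does not, and a backdoor keeping its configuration as ordinary files under /dev) can be triaged with a few lines of shell. The script below is an added example and is not code from either message in the thread. The PID comparison is written as a pure function over two PID lists so it can be exercised on constructed input; the live wrapper assumes a Linux /proc and a procps-style `ps -eo pid=`. The directory name /dev/sdc0/ in the comment is the one the thread mentions, nothing more is assumed about its contents.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for the two indicators
# Phil describes, a process hidden from ps and rootkit files stashed under /dev.
# Assumes a Linux /proc and a procps-style "ps -eo pid=" for the live check.

# pids_missing_from_ps PS_PIDS PROC_PIDS
#   Both arguments are newline-separated PID lists. Prints, in ascending
#   order, every PID present in PROC_PIDS but absent from PS_PIDS. A
#   userland rootkit that replaces ps (or libproc) hides its daemon this
#   way while /proc still lists it; a kernel-level rootkit hides both,
#   so an empty result is not proof of a clean box.
pids_missing_from_ps() {
    ps_pids=$1
    printf '%s\n' "$2" | sort -n | while IFS= read -r pid; do
        [ -n "$pid" ] || continue
        printf '%s\n' "$ps_pids" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# live_hidden_pids
#   Enumerates /proc/[0-9]* with shell globbing (no external ls to be
#   trojaned) and compares against ps. Short-lived processes that exit
#   between the two snapshots show up as false positives; rerun to confirm.
live_hidden_pids() {
    proc_pids=$(for d in /proc/[0-9]*; do echo "${d#/proc/}"; done)
    pids_missing_from_ps "$(ps -eo pid= | tr -d ' ')" "$proc_pids"
}

# dev_regular_files [DIR]
#   /dev should hold only device nodes, directories, symlinks, FIFOs and
#   sockets. Regular files there (the thread mentions a configuration
#   directory named /dev/sdc0/) are worth a look.
dev_regular_files() {
    find "${1:-/dev}" -type f 2>/dev/null | sort
}

# Run the live checks only when invoked with --live, so sourcing the file
# for its functions has no side effects.
if [ "${1-}" = "--live" ]; then
    echo "== PIDs in /proc but not in ps =="
    live_hidden_pids
    echo "== regular files under /dev =="
    dev_regular_files /dev
fi
```

Run it as `sh triage.sh --live` from a shell you trust; because the /proc side is produced by shell globbing rather than by ps or ls, a trojaned ps still gets caught, but a kernel module that filters /proc itself will not, and for that you need an offline look at the disk.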
