Security Incidents mailing list archives

Re: BIND-8.2.2p5 exploited?


From: Jon Lewis <jlewis () LEWIS ORG>
Date: Mon, 29 Jan 2001 12:02:36 -0500

On Sun, 28 Jan 2001 dev-null () NO-ID COM wrote:

> hello i manage nameserver running BIND-8.2.2p5 and notice it die
> recently... i go examine server to see the problem and i move to named
> directory and notice directory name ron1n in there immediately i call
> friend and we close down to server to examine more..... he tell me
> above version not vulnerable to nxt bug and cannot understand why
> named die and why that directory exist in named root..... was my
> nameserver hacked?? i thought named running with chroot method stop
> hacker from breaking my daemons??? we look at isc.org and no report of
> above version being vulnerable... what could problem be?

Were you able to tell from the files installed and their dates when the
intrusion may have begun?  Late this past Friday night, Paul Vixie
announced that there was a serious security hole found in bind 8.2.x, and
that everyone needs to upgrade to either 8.2.3 or 9.x in a hurry.  I don't
know if there are exploits for this hole already, and he wasn't even very
specific about what the hole was...but I'm sure if you study diffs of the
last 8.2.2 version and 8.2.3 you could figure out where the hole is, and
someone could have already written an exploit.

--
----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

