Security Incidents mailing list archives
RE: BIND 9.2.1 crashes
From: Benjamin Franz <snowhare () nihongo org>
Date: Mon, 6 Oct 2003 18:12:56 -0700 (PDT)
On Mon, 6 Oct 2003, LordInfidel wrote:
> Not to sound like a broken record or ask a silly question, but what kernel version are you running...?
The RH7.3 box is running RH 2.4.20-20.7bigmem (RedHat's most recent kernel release). It had FTP, HTTP/HTTPS, SMTP and DNS exposed to the outside and SSH exposed internally. The RH7.2 box is running RH 2.4.9-13enterprise (yes, it is very old, but I have 'issues' that have kept me from upgrading it, and no one but admins here has shell access on it). It has ports 53, 80 and 443 exposed to the general world and port 22 exposed only to our own networks. Those are enforced by an aggressive border router/FW.
> And do you have iptables/chains running on that box protecting the OS?
The RH7.3 system is behind a simple packet filtering FW (with plans for a box level iptables based FW). The RH7.2 system is behind a separate heavily paranoid iptables based firewall/router machine.
> The attack venue may not have been bind but something else. Bind ceasing could have just been a side effect.
It is quite possible the attack vector only used DNS as an 'end-point'. Both have other network-facing services that can cause DNS queries. My personal working theory at the moment is that something caused them to make DNS queries that got _answers_ that were problematic.

--
Benjamin Franz
> JMO
>
> LordInfidel
>
> -----Original Message-----
> From: Benjamin Franz [mailto:snowhare () nihongo org]
> Sent: Monday, October 06, 2003 1:18 PM
> To: incidents () securityfocus com
> Cc: Keith Bergen
> Subject: Re: BIND 9.2.1 crashes
>
> On Mon, 6 Oct 2003, Keith Bergen wrote:
>
> > Benjamin,
> >
> > My paranoia always assumes a buffer overflow and compromise. BIND 9.2.1 appears to be vulnerable to a buffer overflow. I would recommend updating it. Typically the attackers will exploit the overflow, and then install their rootkits. Then they will disable the DNS so that you have to reboot the machine, thus permanently installing their root kits. Check out this page: http://www.isc.org/products/BIND/bind-security.html
>
> Thanks. RedHat backpatches fixes and the current version of 9.2.1 distributed by them is not vulnerable to the items listed there AFAIK. I am, and have been, running the latest version of BIND distributed by RH. This is not to say that a _new_ vulnerability may not have been found. This is why I posted this to Incidents - it feels like it could be a new 0 day.
>
> > Next, download the Root Kit Checker and compile and run it: http://www.chkrootkit.org/
>
> Done. Both machines checked out as clean according to it.
> --
> Jerry
>
> Gauss's law is always true, but it is not always useful.
> -- David J. Griffiths, "Introduction to Electrodynamics"
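Benjamin's working theory (queries whose answers were problematic) and Keith's advice to assume compromise both point at the same first step: look at what named was doing in the moments before it died. The script below is an added example for that triage and is not code from the thread or from the posters' systems. It assumes named logs through syslog, as on a Red Hat 7.x box, and that query logging is switched on so the "query:" lines exist; every log line in it is a constructed sample, and the segfault line format is only illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a syslog file for named
# terminations and show the last queries the server handled before each one.
# Assumes named logs through syslog and that query logging is on; all log
# lines below are constructed samples, not real logs from anyone's systems.

LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
Oct  6 12:58:01 ns1 named[812]: client 10.0.0.5#1025: query: www.example.com IN A
Oct  6 12:58:02 ns1 named[812]: client 10.0.0.5#1025: query: mail.example.net IN MX
Oct  6 12:58:03 ns1 kernel: named[812]: segfault at 00000000 eip 0806a1c4 esp bfffe2a0 error 4
Oct  6 13:05:10 ns1 named[901]: starting BIND 9.2.1
Oct  6 13:05:10 ns1 named[901]: running
Oct  6 13:40:22 ns1 named[901]: client 10.0.0.9#2048: query: ftp.example.org IN A
Oct  6 13:40:23 ns1 named[901]: exiting (due to fatal error)
Oct  6 13:41:00 ns1 sshd[950]: Accepted publickey for admin from 10.1.1.2 port 40022 ssh2
EOF

# Lines that mark an unexpected end of a named process: a kernel segfault
# notice naming the process, or named's own "exiting" message.
named_crash_events() {
    grep -E 'named\[[0-9]+\]: (segfault|exiting)' "$1"
}

# How many such events the file holds (prints a bare number).
named_crash_count() {
    named_crash_events "$1" | wc -l | tr -d ' '
}

# For each crash event, print the event and the $2 named log lines that
# preceded it, i.e. the last work the server did before it died. The same
# client or name showing up before several crashes is what you would then
# chase in a packet capture, since the answer it received is what matters.
named_context_before() {
    awk -v n="$2" '
        /named\[[0-9]+\]: (segfault|exiting)/ {
            print "== crash event: " $0
            start = (count > n) ? count - n : 0
            for (i = start; i < count; i++) print "   " hist[i]
            count = 0
            next
        }
        /named\[[0-9]+\]:/ { hist[count++] = $0 }
    ' "$1"
}

# Stand-alone run: summarise the sample file.
echo "named terminations found: $(named_crash_count "$LOG")"
named_context_before "$LOG" 2
```

On a real box point LOG at /var/log/messages and widen the context count; if the server was not query-logging, the preceding lines will only show lifecycle messages and you will need the border capture or `rndc querylog` turned on before the next occurrence to get the names and clients.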
Current thread:
- BIND 9.2.1 crashes Benjamin Franz (Oct 06)
- <Possible follow-ups>
- Re: BIND 9.2.1 crashes Keith Bergen (Oct 06)
- Re: BIND 9.2.1 crashes jlewis (Oct 06)
- Re: BIND 9.2.1 crashes Benjamin Franz (Oct 06)
- RE: BIND 9.2.1 crashes LordInfidel (Oct 07)
- RE: BIND 9.2.1 crashes Benjamin Franz (Oct 07)