version.bind

Michel Marcon NOSPAM.michel.marcon at vnumail.com
Wed Jun 7 19:28:09 UTC 2000


Hi.

On 6 Jun 2000 10:24:35 -0700, keith at mail.telestream.com wrote:

>If I'm not mistaken that is a special thing. Like in nslookup doing this
>to get a version
>
>nslookup
>> set class=chaos
>> set type=txt
>> version.bind
>Server:  ns.somedomain.com
>Address:  some.ip.here.com
>
>VERSION.BIND    text = "8.2"
>>
>
>I would assume someone is trying to see what version you are running to
>see if you are vulnerable to a particular exploit.
I confirm. It might be pre-attack polling: all bind versions <
8.2.2-P5 are known to be bugged. There is an exploit around here (NXT
something ??) which uses a buffer overflow to become root on the DNS server.
Be warned: upgrade (see page at www.isc.org).
Also look at the excellent page of Spitz about this exploit:

http://www.enteract.com/~lspitz/forensics

cmic

>
>Keith
>
>
>
>=================================
>Keith W.
>
>At the helm <for better or worse>
>=================================
>
>
>On Tue, 6 Jun 2000, Bill Moseley wrote:
>
>> I keep getting refused queries (I only allow queries for my local zones)
>> for "version.bind" from various different IP numbers.
>> 
>> named[121]: unapproved query from [211.53.209.124].4421 for "version.bind"
>> named[28152]: unapproved query from [216.174.66.131].2855 for "version.bind"
>> 
>> Did some versions of bind return the version for this type of query?
>> 
>> Thanks,
>> 
>> BTW -- that second IP later tried this:
>> popper[2168]: refused connect from 216.174.66.131
>> 
>> 
>> 
>> Bill Moseley
>> mailto:moseley at hank.org
>> 
>> 
>
>
>
>

--------------------------------
Michel Marcon
Sysadmin UNIX & Windows NT (I try)
NoSpam.cmic at cetu.equipement.gouv.fr
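
An added example, not part of the original messages: a Python log check that finds the sources of refused "version.bind" queries in the named log format quoted above and lists any other service that later refused a connection from the same address, as with the popper line in the thread. Sample lines 1, 2 and 4 come from the thread, line 3 is constructed, and the function and pattern names are this example's own.

```python
import re

# Patterns follow the syslog messages quoted in the thread; search() is used
# so an optional timestamp/host prefix in front of the message is tolerated.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PROBE_RE = re.compile(
    r'named\[\d+\]: unapproved query from \[(?P<ip>' + IPV4 + r')\]\.\d+'
    r' for "(?P<name>[^"]*)"'
)
REFUSED_RE = re.compile(
    r'(?P<prog>[\w.-]+)\[\d+\]: refused connect from (?P<ip>' + IPV4 + r')\b'
)

# Lines 1, 2 and 4 are from the thread; line 3 is constructed (ordinary lookup).
SAMPLE_LOG = """\
named[121]: unapproved query from [211.53.209.124].4421 for "version.bind"
named[28152]: unapproved query from [216.174.66.131].2855 for "version.bind"
named[28152]: unapproved query from [192.0.2.10].1033 for "www.example.com"
popper[2168]: refused connect from 216.174.66.131
"""


def correlate(lines):
    """Map each version.bind prober to its probe count and later refusals."""
    report = {}
    for line in lines:
        probe = PROBE_RE.search(line)
        if probe:
            # Query names are case-insensitive and may carry a trailing dot.
            if probe["name"].lower().rstrip(".") == "version.bind":
                entry = report.setdefault(
                    probe["ip"], {"probes": 0, "followups": []}
                )
                entry["probes"] += 1
            continue
        refused = REFUSED_RE.search(line)
        # Only refusals logged after a probe from the same address are kept.
        if refused and refused["ip"] in report:
            report[refused["ip"]]["followups"].append(refused["prog"])
    return report


if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_LOG.splitlines()).items():
        print(ip, info["probes"], ",".join(info["followups"]) or "-")
```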


