Is this a compromise?

Sumit Mehrotra sumit at cs.bu.edu
Tue Feb 20 00:49:12 UTC 2001


Hello Bind Users

I am running BIND 8.2.2-P7 on Red Hat 6.2. (Sorry to hurt the feelings of all
the people working for a `secure and safer BIND'; I know I should upgrade to
8.2.3 or 9.x!)

Anyway, in the past week I observed something strange in my name server. It
stops working after some time. A listing of processes shows that named is still
running, but a dig, e.g. dig @128.197.14.80 coptic.net, says
; <<>> DiG 9.1.0 <<>> @128.197.14.80 coptic.net
;; global options:  printcmd
;; connection timed out; no servers could be reached

An ndc status just hangs.

Something I observed every time this happened is the following error in named.log 

19-Feb-2001 17:22:17.094 ns_req(from [65.26.235.95].2293)
;; ns_initparse: Message too long
;; ns_initparse: Message too long
19-Feb-2001 17:22:19.004 ns_req(from [65.26.235.95].2293)
;; ns_initparse: Message too long
;; ns_initparse: Message too long
19-Feb-2001 17:22:19.198 ns_req(from [65.26.235.95].2293)


I was wondering if the BIND running on my machine was exploited? If not, is there any other reason for this to occur?

As for the particular IP (65.26.235.95) that you see up there, here is what it
logged in named.log just a few seconds before named dumped the above message.

19-Feb-2001 17:22:01.786 ns_req(from [65.26.235.95].2292)
;; ->>HEADER<<- opcode: IQUERY, status: NOERROR, id: 62818
;; flags: rd ra; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
.                       8h42m17s IN A   4.3.2.1
;; ->>HEADER<<- opcode: IQUERY, status: REFUSED, id: 62818
;; flags: qr rd ra; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
.                       8h42m17s IN A   4.3.2.1
19-Feb-2001 17:22:01.945 ns_req(from [65.26.235.95].2292)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
;; flags: rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      version.bind, type = TXT, class = CHAOS
19-Feb-2001 17:22:01.945 XX+/65.26.235.95/version.bind/TXT/CHAOS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;;      version.bind, type = TXT, class = CHAOS
VERSION.BIND.           0S CHAOS TXT    "8.2.2-P7"

Looks like someone is very interested in the version I am running!

Thanks a lot
- Sumit
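
The named.log excerpts above contain three separable signals from the same source: a version.bind TXT CHAOS probe, an IQUERY whose inbound packet already carries an answer record with QUERY: 0, and a burst of ns_initparse "Message too long" errors. The following is an added triage script, not code from the original post or from ISC/BIND. It assumes the log lines have exactly the debug layout excerpted above (an `ns_req(from [ip].port)` line followed by the parsed header, flags, question and error lines), parses them into one record per inbound request, and lists the sources that fingerprinted the server and then sent odd or oversized packets. The sample log is constructed from the lines in the post plus one benign query from a made-up address, 10.0.0.7; the script does not decide whether the server was compromised, it only isolates the sources worth correlating with other evidence.

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the post, plus one ordinary query
# from a made-up address so the benign case is visible.
SAMPLE_LOG = """\
19-Feb-2001 17:22:01.786 ns_req(from [65.26.235.95].2292)
;; ->>HEADER<<- opcode: IQUERY, status: NOERROR, id: 62818
;; flags: rd ra; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
.                       8h42m17s IN A   4.3.2.1
;; ->>HEADER<<- opcode: IQUERY, status: REFUSED, id: 62818
;; flags: qr rd ra; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
.                       8h42m17s IN A   4.3.2.1
19-Feb-2001 17:22:01.945 ns_req(from [65.26.235.95].2292)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
;; flags: rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      version.bind, type = TXT, class = CHAOS
19-Feb-2001 17:22:01.945 XX+/65.26.235.95/version.bind/TXT/CHAOS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;;      version.bind, type = TXT, class = CHAOS
VERSION.BIND.           0S CHAOS TXT    "8.2.2-P7"
19-Feb-2001 17:22:17.094 ns_req(from [65.26.235.95].2293)
;; ns_initparse: Message too long
;; ns_initparse: Message too long
19-Feb-2001 17:22:19.004 ns_req(from [65.26.235.95].2293)
;; ns_initparse: Message too long
;; ns_initparse: Message too long
19-Feb-2001 17:22:19.198 ns_req(from [65.26.235.95].2293)
19-Feb-2001 17:23:40.000 ns_req(from [10.0.0.7].3301)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 100
;; flags: rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      www.example.com, type = A, class = IN
"""

# Line shapes taken from the excerpt; anything else is ignored.
REQ_RE = re.compile(r'^(?P<ts>\S+ \S+) ns_req\(from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+)\)')
HDR_RE = re.compile(r'^;; ->>HEADER<<- opcode: (?P<op>\w+), status: (?P<st>\w+), id: (?P<id>\d+)')
FLAGS_RE = re.compile(r'^;; flags: (?P<flags>[^;]*); QUERY: (?P<q>\d+), ANSWER: (?P<a>\d+)')
QUESTION_RE = re.compile(r'^;;\s+(?P<name>\S+), type = (?P<type>\w+), class = (?P<cls>\w+)')
ERR_RE = re.compile(r'^;; ns_initparse: (?P<msg>.+)')


def parse_requests(text):
    """Split the debug log into one record per inbound ns_req() line.

    The first HEADER/flags pair after ns_req() is the packet as received
    (no 'qr' flag); the second pair is the server's reply and is ignored.
    """
    reqs = []
    cur = None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {'ts': m['ts'], 'ip': m['ip'], 'port': int(m['port']),
                   'opcode': None, 'qcount': None, 'answer': None,
                   'qname': None, 'qtype': None, 'qclass': None, 'errors': []}
            reqs.append(cur)
            continue
        if cur is None:
            continue
        m = HDR_RE.match(line)
        if m and cur['opcode'] is None:
            cur['opcode'] = m['op']
            continue
        m = FLAGS_RE.match(line)
        if m and cur['answer'] is None and 'qr' not in m['flags'].split():
            cur['qcount'], cur['answer'] = int(m['q']), int(m['a'])
            continue
        m = QUESTION_RE.match(line)
        if m and cur['qname'] is None:
            cur['qname'], cur['qtype'], cur['qclass'] = m['name'], m['type'], m['cls']
            continue
        m = ERR_RE.match(line)
        if m:
            cur['errors'].append(m['msg'])
    return reqs


def summarize_by_source(reqs):
    """Count, per source IP, the three signals visible in the post's log."""
    out = defaultdict(lambda: {'requests': 0, 'version_probe': 0,
                               'iquery_with_answer': 0, 'parse_errors': 0})
    for r in reqs:
        s = out[r['ip']]
        s['requests'] += 1
        if r['qname'] and r['qname'].lower() == 'version.bind' \
                and (r['qclass'] or '').upper() == 'CHAOS':
            s['version_probe'] += 1
        # Inbound IQUERY that already carries an answer record (QUERY: 0, ANSWER: 1)
        if r['opcode'] == 'IQUERY' and (r['answer'] or 0) > 0:
            s['iquery_with_answer'] += 1
        s['parse_errors'] += len(r['errors'])
    return dict(out)


def suspicious_sources(summary):
    """Sources that fingerprinted the server and then sent odd or oversized packets."""
    return sorted(ip for ip, s in summary.items()
                  if s['version_probe'] and (s['iquery_with_answer'] or s['parse_errors']))


if __name__ == '__main__':
    summary = summarize_by_source(parse_requests(SAMPLE_LOG))
    for ip, s in sorted(summary.items()):
        print(ip, s)
    print('correlate further:', suspicious_sources(summary))
```

Run it against a real named.log by replacing SAMPLE_LOG with the file contents; a source that only asked for version.bind is reported but not flagged, so the list is a starting point for correlating with process listings, file integrity checks and the upgrade the poster mentions, not a verdict on its own.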
