Is this a compromise?

Mark.Andrews at nominum.com
Tue Feb 20 01:25:29 UTC 2001


> 
> Hello Bind Users
> 
> I am running BIND 8.2.2-P7 on Red Hat 6.2. (Sorry to hurt the feelings of all
> the people working for a `secure and safer BIND', I know I should upgrade to
> 8.2.3 or 9.x!)
> 

	You're not hurting our feelings, only yourself and the people
	(if any) depending upon you to manage your machine.  If the
	machine is on shared media you should assume that any traffic
	since then has been sniffed.

	I would assume you have been hacked based on the following.

	Mark

> Anyway, in the past week I observed something strange in my name server. It
> stops working after some time. A listing of processes shows that named is still
> running but a dig, e.g. dig @128.197.14.80 coptic.net, says
> ; <<>> DiG 9.1.0 <<>> @128.197.14.80 coptic.net
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> An ndc status  just hangs. 
> 
> Something I observed every time this happened is the following error in named.log
> 
> 19-Feb-2001 17:22:17.094 ns_req(from [65.26.235.95].2293)
> ;; ns_initparse: Message too long
> ;; ns_initparse: Message too long
> 19-Feb-2001 17:22:19.004 ns_req(from [65.26.235.95].2293)
> ;; ns_initparse: Message too long
> ;; ns_initparse: Message too long
> 19-Feb-2001 17:22:19.198 ns_req(from [65.26.235.95].2293)
> 
> 
> I was wondering if the BIND running on my machine was exploited? If not, is
> there any other reason for this to occur?
> 
> As for the particular IP (65.26.235.95) that you see up there, here is what it
> logged in named.log just a few seconds before named dumped the above message.
> 
> 19-Feb-2001 17:22:01.786 ns_req(from [65.26.235.95].2292)
> ;; ->>HEADER<<- opcode: IQUERY, status: NOERROR, id: 62818
> ;; flags: rd ra; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> .                       8h42m17s IN A   4.3.2.1
> ;; ->>HEADER<<- opcode: IQUERY, status: REFUSED, id: 62818
> ;; flags: qr rd ra; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> .                       8h42m17s IN A   4.3.2.1
> 19-Feb-2001 17:22:01.945 ns_req(from [65.26.235.95].2292)
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
> ;; flags: rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;;      version.bind, type = TXT, class = CHAOS
> 19-Feb-2001 17:22:01.945 XX+/65.26.235.95/version.bind/TXT/CHAOS
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;;      version.bind, type = TXT, class = CHAOS
> VERSION.BIND.           0S CHAOS TXT    "8.2.2-P7"
> 
> Looks like someone is very interested in the version I am running!
> 
> Thanks a lot
> - Sumit
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
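As an added example (not part of the original thread, and not code from ISC or Nominum), the Python script below correlates, per source address, the three signals visible in the named.log excerpt quoted above: the version.bind CHAOS TXT fingerprint, the inverse query (IQUERY), and the "ns_initparse: Message too long" errors that followed from the same host. The sample log is constructed for the example: its lines are modelled on the BIND 8 trace output quoted in the post, with one benign client (192.0.2.10) added for contrast. The function and variable names are the example's own.

```python
"""Correlate BIND 8 named.log trace lines per source address.

A source is flagged when it (a) fingerprints the server with a
version.bind CHAOS TXT query, (b) sends an IQUERY and (c) then delivers
packets named cannot parse ("ns_initparse: Message too long").
"""
import re
from collections import defaultdict

NS_REQ = re.compile(r"ns_req\(from \[([\d.]+)\]\.(\d+)\)")
HEADER = re.compile(r"->>HEADER<<- opcode: (\w+)")
FLAGS = re.compile(r"^;; flags: ([\w ]*);")
VERSION_PROBE = re.compile(r"version\.bind, type = TXT, class = CHAOS", re.I)
TOO_LONG = "ns_initparse: Message too long"

# Constructed sample, modelled on the named.log lines quoted in the post,
# plus one ordinary A query from 192.0.2.10 that should not be flagged.
SAMPLE_LOG = """\
19-Feb-2001 17:22:01.786 ns_req(from [65.26.235.95].2292)
;; ->>HEADER<<- opcode: IQUERY, status: NOERROR, id: 62818
;; flags: rd ra; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
.                       8h42m17s IN A   4.3.2.1
;; ->>HEADER<<- opcode: IQUERY, status: REFUSED, id: 62818
;; flags: qr rd ra; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
.                       8h42m17s IN A   4.3.2.1
19-Feb-2001 17:22:01.945 ns_req(from [65.26.235.95].2292)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
;; flags: rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      version.bind, type = TXT, class = CHAOS
19-Feb-2001 17:22:01.945 XX+/65.26.235.95/version.bind/TXT/CHAOS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57313
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;;      version.bind, type = TXT, class = CHAOS
VERSION.BIND.           0S CHAOS TXT    "8.2.2-P7"
19-Feb-2001 17:22:05.310 ns_req(from [192.0.2.10].1053)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      www.example.com, type = A, class = IN
19-Feb-2001 17:22:17.094 ns_req(from [65.26.235.95].2293)
;; ns_initparse: Message too long
;; ns_initparse: Message too long
19-Feb-2001 17:22:19.004 ns_req(from [65.26.235.95].2293)
;; ns_initparse: Message too long
;; ns_initparse: Message too long
19-Feb-2001 17:22:19.198 ns_req(from [65.26.235.95].2293)
"""


def parse_named_log(text):
    """Return {ip: {"version_probe": n, "iquery": n, "too_long": n}}."""
    per_ip = defaultdict(lambda: {"version_probe": 0, "iquery": 0, "too_long": 0})
    ip = None            # source of the request currently being dumped
    opcode = None        # opcode from the most recent ->>HEADER<<- line
    is_response = False  # set when a flags line carries "qr" (server reply)
    for line in text.splitlines():
        m = NS_REQ.search(line)
        if m:
            ip = m.group(1)
            per_ip[ip]  # record the source even if it turns out benign
            opcode, is_response = None, False
            continue
        if ip is None:
            continue
        m = HEADER.search(line)
        if m:
            opcode = m.group(1)
            continue
        m = FLAGS.match(line)
        if m:
            # Only count the client's request, not named's echoed reply.
            is_response = "qr" in m.group(1).split()
            if opcode == "IQUERY" and not is_response:
                per_ip[ip]["iquery"] += 1
            continue
        if TOO_LONG in line:
            per_ip[ip]["too_long"] += 1
        elif VERSION_PROBE.search(line) and not is_response:
            per_ip[ip]["version_probe"] += 1
    return dict(per_ip)


def suspicious_sources(text, min_too_long=1):
    """Sources showing fingerprint, IQUERY and unparsable packets together."""
    return sorted(
        ip for ip, c in parse_named_log(text).items()
        if c["version_probe"] and c["iquery"] and c["too_long"] >= min_too_long
    )


if __name__ == "__main__":
    for ip, counts in parse_named_log(SAMPLE_LOG).items():
        print(ip, counts)
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

A hit is a heuristic, not proof of exploitation: it says only that one host read the version banner, sent an inverse query and then sent packets named could not parse, in that order. Mark's advice stands regardless of what the script prints: treat the host as compromised rather than trusting log analysis on a server running this old a version. Independently of that, BIND's named.conf `version` option in the `options` block lets you replace the string returned for version.bind so that the fingerprinting step yields nothing useful.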

