named terminating on multiple servers

Kevin Darcy kcd at daimlerchrysler.com
Wed Feb 21 22:50:49 UTC 2001


I would assume that you've been cracked and act accordingly. The
*released* version of BIND 8.2.3 doesn't have the root exploit, but T6B
probably did. But just upgrading to 8.2.3-REL isn't going to remove any
Trojan Horses that the cracker may have installed on your system. Do an
audit and (preferably) a reload of the affected boxes.


- Kevin

Riley McIntire wrote:

> Hello!
>
> I don't seem to be able to post to this group--but if I _reply_ it gets
> posted--trying a different news server now (earthlink rather than
> pacbell).
>
> Could someone confirm my suspicions that my servers were cracked?
> Also I was waiting to switch to bind9 after certain features were
> implemented, one of which was $GENERATE but another more critical one
> escapes me now. It will come back but is there any feature in bind8 that
> isn't implemented in 9.1 that could be considered a show stopper?
>
> Hoping that someone, somewhere sees this, thanks!
>
> Riley
>
> "Riley McIntire" <rileyjmc-nospam at yahoo.com> wrote in message news:...
> Greetings!
>
> I posted the below Sun 2/18, but it didn't go through for some reason.
> Anyway, per the below I upgraded bind from 8.2.3-T6B to 8.2.3-REL in the
> hope that the server termination was related to the TSIG buffer overflow
> bug reported last month. In which case the server terminations were
> probably deliberate???
>
> Any comments gratefully accepted!
>
> Thanks
>
> Riley
>
> Hi all,
>
> I just had 2 dns boxen die for no obvious reason. A mail user notified
> me that he couldn't access email--turned out that named 8.2.3-T6B,
> running FreeBSD 4.2, had died:
>
> Feb 18 07:00:45 aji /kernel: pid 100 (named), uid 53: exited on signal 10
>
> The strange thing is when I checked the secondary (different geographic
> location) named 8.2.2-P5-NOESW on Freebsd 4.0 had died with:
>
> Feb 18 08:08:29 dns1 /kernel: pid 8585 (named), uid 0: exited on signal 11 (core dumped)
>
> Uh, any ideas what's going on? I'm going through the logs, but haven't
> seen any obvious traces of being cracked. One of the servers is behind
> a firewall with only port 53 traffic allowed. ssh only through the
> firewall. I have a hard time seeing this as coincidence. I'm aware of a
> serious named security bug that I have not remedied yet and don't recall
> the description. Is this it?
>
> tia,
>
> Riley
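As an added example (not part of the thread, and not BIND or FreeBSD code), a small triage script that pulls the kind of FreeBSD `/kernel` "exited on signal" lines quoted above out of a syslog excerpt, keeps only the `named` ones, and rates each crash: a memory-fault signal in a daemon running as uid 0 (the dns1 case) is the worst case, since a successful exploit of the same bug would run as root. The sample log lines are constructed, and the signal-number-to-name mapping assumes FreeBSD numbering.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog excerpt modelled on the FreeBSD /kernel lines quoted in the
# thread; the sshd line is there to show that other processes are filtered out.
SAMPLE_LOG = """\
Feb 18 07:00:45 aji /kernel: pid 100 (named), uid 53: exited on signal 10
Feb 18 07:30:01 aji /kernel: pid 321 (sshd), uid 0: exited on signal 15
Feb 18 08:08:29 dns1 /kernel: pid 8585 (named), uid 0: exited on signal 11 (core dumped)
"""

# FreeBSD signal numbers (platform assumption): both are memory faults, the usual trace
# left by a buffer overflow that was triggered but did not land cleanly.
MEMORY_FAULT_SIGNALS = {10: "SIGBUS", 11: "SIGSEGV"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core\s+dumped\))?\s*$"
)

@dataclass
class Crash:
    timestamp: str
    host: str
    pid: int
    uid: int
    signal: int
    core_dumped: bool

    @property
    def signal_name(self) -> str:
        return MEMORY_FAULT_SIGNALS.get(self.signal, f"signal {self.signal}")

    @property
    def severity(self) -> str:
        # Memory fault while running as root is rated highest; a clean exit (e.g. SIGTERM) is low.
        if self.signal not in MEMORY_FAULT_SIGNALS:
            return "low"
        return "high" if self.uid == 0 else "medium"

def find_crashes(log_text: str, process: str = "named") -> list:
    """Return the abnormal-exit records for `process` found in FreeBSD kernel log text."""
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["proc"] == process:
            crashes.append(Crash(m["ts"], m["host"], int(m["pid"]), int(m["uid"]),
                                 int(m["sig"]), m["core"] is not None))
    return crashes
```

Calling `find_crashes(SAMPLE_LOG)` returns the two `named` crashes; the dns1 one is rated high because named was running as uid 0 when it took SIGSEGV.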
