From: Kris Kennaway
To: Glenn McCalley
Cc: freebsd-questions@freebsd.org
Date: Wed, 14 Feb 2001 09:34:18 -0800
Subject: Re: named crashing 8.2.2
Message-ID: <20010214093418.C72301@mollari.cthul.hu>
In-Reply-To: ; from freebsd@mail.bnetmd.net on Wed, Feb 14, 2001 at 11:38:43AM -0500

On Wed, Feb 14, 2001 at 11:38:43AM -0500, Glenn McCalley wrote:
>
> Watching the exchange on "named crashing"...
> and Uh Oh - come to think of it we had several named crashes within a
> couple of days a short while ago - nothing since - but just checked and we
> *are* running BIND 8.2.2. Checked CERT and sure enough there's that
> advisory.

You need to subscribe to one of the mailing lists where we distribute FreeBSD Security Advisories - see http://www.freebsd.org/security; this problem has been known and published for a while now.

> So! Upgrading BIND shouldn't be a big deal.
> But what's the chances we are harboring one of the Bad Guys - and if
> so what's the procedure? Wipe, re-install and upgrade BIND? Is there
> something less than completely wiping the drives?

Difficult to say, but an exploit is actively being used out there.
To be safe, you should treat your system as having been compromised. Save any data to a backup, wipe and reinstall the *entire OS*, then reload your data from the backup, being careful not to load any binaries from backup since they might have been compromised. Your data may have been compromised too, so check it carefully (e.g. website defaced, bogus host entries added to your DNS zones, user accounts added to password files, unauthorized SSH keys added to the root account, etc.). If you do anything less than this you'll never know whether you got rid of the intruder, since he could still be lurking via the use of a cleverly hidden backdoor.

Kris
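The data checks Kris lists in his last paragraph (extra accounts in the password file, bogus records in DNS zones, unauthorized root SSH keys), as an added example that is not part of the original thread. It assumes you kept a known-good copy of each zone file and an approved-keys list off the compromised host to compare against, and that root and toor are the only legitimate UID-0 accounts (the stock FreeBSD layout); all inputs below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original thread: post-reinstall checks for the
# artefacts Kris lists (extra UID-0 accounts, zone records that were not there
# before, SSH keys in root's authorized_keys that nobody approved). Each check
# reads the file under inspection from stdin; on a real host feed it
# /etc/master.passwd, the zone files and /root/.ssh/authorized_keys (assumed
# paths) and keep the baseline/approved files on offline media, not on the host.

# UID-0 accounts other than the stock FreeBSD root and toor entries.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" && $1 != "toor" { print $1 }'
}

# Zone records on stdin that are absent from the known-good baseline file $1.
# Comments are stripped and whitespace normalised so reformatting is not flagged.
unexpected_zone_records() {
    awk 'function norm(s) { sub(/;.*/, "", s); gsub(/[ \t]+/, " ", s)
                            sub(/^ /, "", s); sub(/ $/, "", s); return s }
         FILENAME == ARGV[1] { n = norm($0); if (n != "") base[n] = 1; next }
                             { n = norm($0); if (n != "" && !(n in base)) print n }' "$1" -
}

# authorized_keys lines on stdin whose "type key" pair is not in approved file $1.
# Comments may differ; lines with option prefixes never match and so are flagged.
unapproved_root_keys() {
    awk 'FILENAME == ARGV[1] { ok[$1 " " $2] = 1; next }
         NF >= 2 && !(($1 " " $2) in ok) { print }' "$1" -
}

# Constructed samples: a passwd file with one added UID-0 account, a live zone
# with one record not in the baseline, and a key file with one unknown key.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'www IN A 192.0.2.10 ; web\n' > "$tmp/zone.base"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedadmin admin@example.com\n' > "$tmp/keys.ok"
    echo "== UID-0 accounts beyond root/toor:"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\nbackup2:*:0:0::0:0::/tmp:/bin/sh\n' | extra_uid0_accounts
    echo "== zone records not in baseline:"
    printf 'www  IN  A 192.0.2.10\nmail IN A 203.0.113.5 ; added by someone\n' | unexpected_zone_records "$tmp/zone.base"
    echo "== root keys not on the approved list:"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedadmin admin@example.com\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedunknown x@x\n' | unapproved_root_keys "$tmp/keys.ok"
    rm -rf "$tmp"
}

demo
```

Anything these checks print is a finding to investigate, not proof of compromise; the point is that the comparison is against copies the intruder could not have edited.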