From owner-freebsd-security Thu Apr 12 5:53:39 2001
Date: Thu, 12 Apr 2001 14:53:53 +0200
From: "Karsten W. Rohrbach"
To: Mark.Andrews@nominum.com
Cc: lee@kechara.net, freebsd-security@freebsd.org
Subject: Re: bind hack?
Message-ID: <20010412145353.E90025@mail.webmonster.de>
References: <200104101151.MAA27699@mailgate.kechara.net> <200104101121.f3ABLPT88536@drugs.dv.isc.org>
In-Reply-To: <200104101121.f3ABLPT88536@drugs.dv.isc.org>; from Mark.Andrews@nominum.com on Tue, Apr 10, 2001 at 09:21:25PM +1000

why not upgrade to djbdns and get rid of all that "what's scriptkiddie's
favourite bind exploit of the day" problems?
http://cr.yp.to/djbdns.html
http://www.djbdns.org/
the learning curve seems steep but if you understand the concept and
have your first configuration running, it works like a charm (and is
performant, too)

/k

Mark.Andrews@nominum.com(Mark.Andrews@nominum.com)@2001.04.10 21:21:25 +0000:
>
> > On inspection it would appear it has been upgraded since I installed it.
> > The machine is now running 9.0.0r1, which may in part explain the problem.
> >
> > Why oh why do people not fill in maintenance logs..
>
> If it's running 9.0.0rc1 then I suggest that you upgrade to
> 9.1.1.
>
> Mark
> >
> >
> > 11/04/2001 07:31:20, Mark.Andrews@nominum.com wrote:
> >
> > >> Hi,
> > >>
> > >> This is a little puzzling. I'm running the latest in the 'series 8' BIND,
> > >> but every 24-48 hours, it dies, with this on the console:
> > >> (latest example)
> > >
> > > I always hate people saying they are running "the latest". Quite often
> > > they aren't. Precise error reports are important. What version are
> > > you running?
> > >
> > >>
> > >> Apr 10 08:02:11 uk-ns1 /kernel: pid 84 (named), uid 0: exited on signal 10 (core dumped)
> > >>
> > >> A few seconds prior to the above, the IDS logged this:
> > >>
> > >> #20-(1-21575) DNS named iquery attempt 2001-04-10 08:02:09 <source IP> UDP
> > >>
> > >> The odd thing is, according to Whitehats, this attack only works on
> > >> pre 8.1.2 / 4.9.8?
> > >
> > > See infoleak at http://www.isc.org/products/BIND/bind-security.html
> > >
> > >>
> > >> Any input would be appreciated.
> > >>
> > >> --
> > >>
> > >> Lee Smallbone
> > >> Kechara Internet
> > >>
> > >> lee@kechara.net
> > >> www.kechara.net
> > >>
> > >> Tel: (01243) 869 969
> > >> Fax: (01243) 866 685
> > >>
> > >>
> > >>
> > >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >> with "unsubscribe freebsd-security" in the body of the message
> > >--
> > >Mark Andrews, Nominum Inc.
> > >1 Seymour St., Dundas Valley, NSW 2117, Australia
> > >PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com
> > >
> > >
> > --
> >
> > Lee Smallbone
> > Kechara Internet
> >
> > lee@kechara.net
> > www.kechara.net
> >
> > Tel: (01243) 869 969
> > Fax: (01243) 866 685
> >
> >
> --
> Mark Andrews, Nominum Inc.
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com

--
> If it ain't broke, overclock it!
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
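
The check described in the quoted report (an IDS alert logged a few seconds before `named` exits on a signal) can be automated; the following is an added example, not part of the original thread. The log layouts are assumed from the two lines quoted above, the sample lines and 192.0.2.x addresses are constructed, and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the two log lines quoted in the thread;
# 192.0.2.x are documentation addresses standing in for the redacted source IP.
SYSLOG = """\
Apr 10 08:02:11 uk-ns1 /kernel: pid 84 (named), uid 0: exited on signal 10 (core dumped)
Apr 10 19:40:03 uk-ns1 /kernel: pid 412 (named), uid 0: exited on signal 10 (core dumped)
Apr 11 03:15:27 uk-ns1 /kernel: pid 530 (sendmail), uid 0: exited on signal 11
"""
IDS = """\
#20-(1-21575) DNS named iquery attempt 2001-04-10 08:02:09 192.0.2.10 UDP
#21-(1-21601) DNS named version attempt 2001-04-10 13:11:45 192.0.2.77 UDP
"""
CRASH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: pid (\d+) "
                      r"\(([^)]+)\), uid \d+: exited on signal (\d+)")
ALERT_RE = re.compile(r"^#\d+-\(\d+-\d+\) (.+?) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                      r"(\S+) (\S+)$")

def parse_crashes(text, year, proc="named"):
    # Classic syslog timestamps carry no year, so the caller supplies it.
    out = []
    for m in filter(None, map(CRASH_RE.match, text.splitlines())):
        if m[3] == proc:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            out.append((ts, int(m[2]), int(m[4])))
    return out

def parse_alerts(text):
    # Returns (timestamp, alert name, source address) per IDS line.
    return [(datetime.strptime(m[2], "%Y-%m-%d %H:%M:%S"), m[1], m[3])
            for m in filter(None, map(ALERT_RE.match, text.splitlines()))]

def correlate(crashes, alerts, window=timedelta(seconds=10)):
    # Pair each crash with alerts logged in the `window` before it. Assumes the
    # IDS and the name server log in the same time zone with synchronised clocks.
    report = []
    for c_ts, pid, sig in crashes:
        hits = [(name, src, int((c_ts - a_ts).total_seconds()))
                for a_ts, name, src in alerts
                if timedelta(0) <= c_ts - a_ts <= window]
        report.append({"crash": c_ts, "pid": pid, "signal": sig, "alerts": hits})
    return report

if __name__ == "__main__":
    for row in correlate(parse_crashes(SYSLOG, 2001), parse_alerts(IDS)):
        print(row["crash"], "pid", row["pid"], "signal", row["signal"],
              row["alerts"] or "no preceding alert")
```

A crash with no alert in the window (the second `named` line in the sample) is still reported, since a daemon that dies without a matching signature is as worth investigating as one that does.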