From owner-freebsd-questions  Mon Feb 12 16: 9:59 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-67.dsl.lsan03.pacbell.net [63.207.60.67])
	by hub.freebsd.org (Postfix) with ESMTP id 9E02237B491
	for <freebsd-questions@FreeBSD.ORG>; Mon, 12 Feb 2001 16:09:55 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id F35BA66B32; Mon, 12 Feb 2001 16:09:53 -0800 (PST)
Date: Mon, 12 Feb 2001 16:09:53 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Scott Hyjek <SHyjek@rbmg.com>
Cc: "'freebsd-questions@FreeBSD.ORG'" <freebsd-questions@FreeBSD.ORG>
Subject: Re: Question: bind / named problem
Message-ID: <20010212160953.A39102@mollari.cthul.hu>
References: <C7C1A68CCDF6D311BFE000508B95B48C02E5250C@apollo.rbmg.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <C7C1A68CCDF6D311BFE000508B95B48C02E5250C@apollo.rbmg.com>; from SHyjek@rbmg.com on Mon, Feb 12, 2001 at 09:44:25AM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


--MGYHOYXEY6WxJCY8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Feb 12, 2001 at 09:44:25AM -0500, Scott Hyjek wrote:
> Any information or guidance would be appreciated. We've experienced a
> problem on our external DNS twice now (last thursday and Sunday). Name
> resolution ceases and we receive the following:=20
> quentin/kernel: pid 104 (named), uid 0: exited on signal 6 (core dumped)=
=20
> This server has run fine for many many months and we've only recently (as
> above) encountered this problem. No hardware or software changes have
> occured.=20
> Lastly, we're aware of the current Bind vulnerability and plan to upgrade=
 to
> eliminate it. However, we'd like some guidance (if any is available) as to
> how to determine if we've been exploited in such a manner. Thanks.=20
> <scott>

An exploit is available and being used in the wild.  You may have been
attacked, it's not possible to say with certainty.

Kris

--MGYHOYXEY6WxJCY8
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6iHtRWry0BWjoQKURAk15AJ4rOAm8tyR1beh1kAadikF+dRn4BQCeKH/f
CpKuQJyg82wvl+tf7pcFvKg=
=FuyP
-----END PGP SIGNATURE-----

--MGYHOYXEY6WxJCY8--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message