
 
From: Martin McCormick (martin_at_dc.cis.okstate.edu)
Date: Thu Jan 23 2003 - 15:33:43 CST


            What we had was a compromised system that appears to be
    running some sort of denial of service script that crashes
    bind9.2.1 and possibly other versions. The problem is reportedly
    fixed in bind9.2.2.

            Our site has been using the latest versions of bind for
    close to a decade and that is the first time we have gotten hit.

            If you have a system with lots of storage on it, keep
    good logs. 99.999% of what gets logged is hardly worth looking
    at, but that last message before bind crashed was worth all that
    space since we would have still been scratching our heads and
    wondering what happened and when it might happen again.

            I have all the CRIT messages on the name server sent to
    our FreeBSD work station and that told us when things went wrong.

            The usual format of the messages changed, giving us
    messages that identified the sending host by its IP number
    rather than its host name.

            I run bind in a root jail, so I have a little shell script
    to restart it correctly; I just kept bringing it back up until
    one of our other network folks turned off the port of the
    compromised system. The advantage of that is that you can
    quickly send the correct commands even when your display is being
    trashed with all the distress calls which are a result of having
    no DNS.

            The drill is to log on, type the command to restart bind,
    notice the brief lull in the carnage, wait for it to start again,
    and hit !!.

            The other advantage to having the startup script is you
    can easily tell a coworker to just run that script and bind runs
    under the correct UID and GID.

            Some years ago, when things weren't as robust as they
    have gotten, I used to run a cron job every minute to restart
    bind and dhcpd if they should die. I guess I should revive those
    scripts and update them to fit the present configuration.

    Martin McCormick WB5AGZ Stillwater, OK
    OSU Center for Computing and Information Services Network Operations Group

    To Unsubscribe: send mail to majordomo@FreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message
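A watchdog of the kind the post describes (a cron-driven check that restarts a chrooted named under its unprivileged user, the same way every time), written here as an added example rather than the poster's own script; the chroot path, pid-file location, user name, config path and named binary are assumptions exposed as overridable variables.

```shell
#!/bin/sh
# Added example: cron-driven watchdog for a chrooted BIND 9 named.
# Not the poster's script. All paths and the user name below are assumptions;
# override them from the environment to match the real installation.
NAMED_CHROOT="${NAMED_CHROOT:-/var/named}"
NAMED_USER="${NAMED_USER:-bind}"
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"   # path as seen inside the chroot
NAMED_PIDFILE="${NAMED_PIDFILE:-$NAMED_CHROOT/var/run/named.pid}"
NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"

# named_running PIDFILE: exit 0 if the pid file names a live process, 1 otherwise.
# A missing, empty or stale pid file counts as "not running", so a crash is
# detected even when named died without cleaning up. kill -0 needs permission
# to signal the process, so run the watchdog as root (as cron would).
named_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# start_named: one fixed command line, so whoever runs it gets the right
# privileges: -t chroots into the jail, -u drops to the unprivileged user
# (and that user's group) once the privileged port is bound.
start_named() {
    "$NAMED_BIN" -t "$NAMED_CHROOT" -u "$NAMED_USER" -c "$NAMED_CONF"
}

# watchdog: restart only when named is really gone.
# Returns 0 = already running, 1 = restarted, 2 = restart failed.
watchdog() {
    if named_running "$NAMED_PIDFILE"; then
        return 0
    fi
    logger -p daemon.crit -t named-watchdog "named not running, restarting"
    if start_named; then
        return 1
    fi
    logger -p daemon.crit -t named-watchdog "restart of named FAILED"
    return 2
}

# Run the check only when invoked as "named-watchdog.sh run" (e.g. from cron),
# so sourcing the file merely defines the functions.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

A crontab line such as `* * * * * root /path/to/named-watchdog.sh run` (path hypothetical) gives the every-minute restart the post mentions, with the CRIT log line going wherever syslog forwards it.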