
Re: Hacked



On Thu, Apr 05, 2001 at 05:16:16PM -0500, Y2KNET wrote:
> Our server which is debian 2.2.r2 and running
> bind 8.2.3 has been hacked from this address
> 132.163.135.130

Is the server running any other services?  Is it firewall protected?
What evidence do you have that the attack came from that IP address and
the address wasn't spoofed?  What evidence do you have that the BIND 
daemon is the source of the success of the attacker?  Are you regularly
updating all installed services with an APT source line pointing to
security.debian.org?  If not, how did you confirm you are running BIND
8.2.3-REL? [1]

Please consider providing more information both to Debian and to the
upstream BIND authors if you truly believe BIND is the exploited
service.

If you believe you have evidence that another BIND exploit is "in the
wild", have you contacted Nominum or the good folks at isc.org with the
information?  Frankly, while BIND has been a source of problems for a
long time, I don't have any reason from this posting to believe you that
BIND was the reason your machine was successfully broken into.

This announcement is enough to pique our interest, but not enough to
help you fix whatever problem you may have encountered. [2]

[1] Two of the common BIND 8.2.2 exploits also attempt to change the
version number that BIND reports if you do an "ndc status" command.  Are
you SURE you were running 8.2.3-REL?

[2] I speak from the community at large, not as a Debian representative
here... but I'm sure that the BIND maintainer would appreciate any solid
evidence you have that BIND has a problem.

-- 
Nate Duehr <nate@natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
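The check footnote [1] points at, as an added example that is not Nate's or Debian's code: instead of trusting the version string a running daemon reports, compare the installed files with the checksum list dpkg recorded at install time (a small re-implementation of what debsums does). It assumes Debian's md5sums file format and uses a constructed fixture in place of a real install; since an intruder with root can also alter that list and md5sum itself, the result only means something when run from trusted media or against a known-good copy of the .deb.

```shell
#!/bin/sh
# Added example, not from the original thread: check installed BIND files against
# the checksum list dpkg recorded at install time, rather than trusting the
# version string a possibly replaced daemon reports via "ndc status".
# Assumes Debian's /var/lib/dpkg/info/<pkg>.md5sums format: "<md5>  <path relative to />".

# verify_md5sums MD5FILE ROOT
# Prints one status line per listed file plus a summary; returns 0 only if
# every file is present and matches its recorded checksum.
verify_md5sums() {
    md5file=$1 root=$2 bad=0
    while read -r expected relpath; do
        [ -z "$relpath" ] && continue          # skip blank lines
        f="$root/$relpath"
        if [ ! -f "$f" ]; then
            echo "MISSING  $relpath"; bad=$((bad + 1)); continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MODIFIED $relpath"; bad=$((bad + 1))
        fi
    done < "$md5file"
    echo "mismatches: $bad"
    [ "$bad" -eq 0 ]
}

# make_fixture DIR: constructed sample install (two files and their md5sums list),
# after which usr/sbin/named is overwritten to simulate a replaced daemon binary.
make_fixture() {
    dir=$1
    mkdir -p "$dir/root/usr/sbin" "$dir/root/etc/bind"
    printf 'original named binary\n' > "$dir/root/usr/sbin/named"
    printf 'options { directory "/var/cache/bind"; };\n' > "$dir/root/etc/bind/named.conf"
    for rel in usr/sbin/named etc/bind/named.conf; do
        printf '%s  %s\n' "$(md5sum "$dir/root/$rel" | cut -d' ' -f1)" "$rel"
    done > "$dir/bind.md5sums"
    printf 'replaced named that reports a fake version\n' > "$dir/root/usr/sbin/named"
}

# Demo on the constructed fixture; on a real host the arguments would be
# /var/lib/dpkg/info/bind.md5sums and / (ideally run from trusted media).
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
verify_md5sums "$demo_dir/bind.md5sums" "$demo_dir/root" \
    || echo "bind package files do not match the recorded checksums; investigate"
rm -rf "$demo_dir"
```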


