
Re: bind9 security problem?



This one time, at band camp, Martin Zobel-Helas said:
> On Sat Nov 04, 2006 at 10:30:55 +0100, Adrian von Bidder wrote:
> > Yodel!
> > 
> > Is there a security problem in some bind version?  Or in some syncml-related 
> > application?  Or is somebody just being silly?  I have these in my logs:
> > 
> > ===
> > Nov  3 15:35:03 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'cscursor.so/NS/IN': myforwarderip1#53
> > Nov  3 15:35:03 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'pptpd-logwtmp.so/NS/IN': myforwarderip1#53
> > Nov  3 15:35:03 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'libsyncml_plugin.so/NS/IN': myforwarderip1#53
> > Nov  3 15:35:03 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'libgnutls.so/NS/IN': myforwarderip1#53
> > Nov  3 15:35:05 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'cscursor.so/NS/IN': myforwarderip2#53
> > Nov  3 15:35:05 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'pptpd-logwtmp.so/NS/IN': myforwarderip2#53
> > Nov  3 15:35:05 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'libsyncml_plugin.so/NS/IN': myforwarderip2#53
> > Nov  3 15:35:05 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'libgnutls.so/NS/IN': myforwarderip2#53
> > Nov  3 15:35:08 myhost named[8286]: unexpected RCODE (REFUSED) resolving 'cscursor.so/NS/IN': someip#53
> > Nov  3 15:35:08 myhost named[8286]: unexpected RCODE (REFUSED) resolving 'libsyncml_plugin.so/NS/IN': someip#53
> > Nov  3 15:35:08 myhost named[8286]: unexpected RCODE (REFUSED) resolving 'pptpd-logwtmp.so/NS/IN': someip#53
> > Nov  3 15:35:08 myhost named[8286]: unexpected RCODE (REFUSED) resolving 'libgnutls.so/NS/IN': someip#53
> > Nov  3 15:35:08 myhost named[8286]: lame server resolving 'cscursor.so' (in 'so'?): someotherip#53
> > Nov  3 15:35:08 myhost named[8286]: lame server resolving 'libsyncml_plugin.so'(in 'so'?): someotherip#53
> > Nov  3 15:35:08 myhost named[8286]: lame server resolving 'pptpd-logwtmp.so' (in 'so'?): someotherip#53
> > Nov  3 15:35:08 myhost named[8286]: lame server resolving 'libgnutls.so' (in 'so'?): someotherip#53
> > ===
> I also have them quite often in my logs, but have not yet found out what
> they come from.

This looks like spamassassin doing URIBL lookups, and confusing library
names for domain names.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
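
A way to triage log entries like the ones quoted above, as an added example that is not part of the original thread: it groups named's "unexpected RCODE" and "lame server" lines by queried name and marks names that read as shared-object file names rather than real domains. The sample lines are constructed in the quoted format, and the `.so` file-name heuristic is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread (placeholder hosts).
SAMPLE_LOG = """\
Nov  3 15:35:03 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'cscursor.so/NS/IN': myforwarderip1#53
Nov  3 15:35:08 myhost named[8286]: unexpected RCODE (REFUSED) resolving 'libgnutls.so/NS/IN': someip#53
Nov  3 15:35:08 myhost named[8286]: lame server resolving 'libgnutls.so' (in 'so'?): someotherip#53
Nov  3 15:35:09 myhost named[8286]: unexpected RCODE (SERVFAIL) resolving 'mail.example.org/A/IN': someip#53
"""

# Covers both message shapes: 'name/TYPE/CLASS' and a bare 'name'.
LINE_RE = re.compile(
    r"named\[\d+\]: (?:unexpected RCODE \((?P<rcode>\w+)\)|lame server)"
    r" resolving '(?P<qname>[^'/]+)(?:/\w+/\w+)?'"
)

# Assumption: a single label directly under ".so" is a library file name
# that some scanner mistook for a domain, as suggested in the reply.
SO_FILE_RE = re.compile(r"^[a-z0-9_+-]+\.so$")


def summarize(log_text):
    """Return {qname: {"count", "results", "looks_like_library"}}."""
    summary = defaultdict(
        lambda: {"count": 0, "results": set(), "looks_like_library": False}
    )
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not one of the two resolver messages
        qname = m["qname"].lower()
        entry = summary[qname]
        entry["count"] += 1
        entry["results"].add(m["rcode"] or "LAME")
        entry["looks_like_library"] = bool(SO_FILE_RE.match(qname))
    return dict(summary)


if __name__ == "__main__":
    for name, info in sorted(summarize(SAMPLE_LOG).items()):
        tag = "library-like" if info["looks_like_library"] else "domain"
        print(f"{name:22} {info['count']:3} {sorted(info['results'])} {tag}")
```
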
