hacked with bind 8.2.3-0.6.x, is-it possible ?

Post by Fori » Thu, 11 Oct 2001 01:00:20



Hi

A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
hat 6.2 latest rpm)

Is it possible ?

Thanks

Pat

 
 
 

Post by Eric Enrigh » Thu, 11 Oct 2001 02:03:53


> Hi

> A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
> hat 6.2 latest rpm)

> Is it possible ?

I have not heard of any specific vulnerability, but I think it's quite safe
to say that it is possible, as opposed to impossible.

-E/E

 
 
 

Post by those who know me have no need of my nam » Thu, 11 Oct 2001 03:16:38



>A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
>hat 6.2 latest rpm)

>Is it possible ?

of course.  bind is a long running setuid root server.

--
okay, have a sig then

 
 
 

Post by Tim Hayne » Thu, 11 Oct 2001 03:33:43




> >A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
> >hat 6.2 latest rpm)

> >Is it possible ?

> of course.  bind is a long running setuid root server.

...if you run it setuid root, of course. More to the point I thought it had
to be run as root and you could then drop privs if you wanted. If you
don't, or don't run it in a chroot jail as well, well... commiserations.

~Tim
--
http://spodzone.org.uk/

 
 
 

Post by Ian Jone » Thu, 11 Oct 2001 03:48:43



> A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
> hat 6.2 latest rpm)

I would wonder what makes your friend think that the single point of
failure was bind. What manner of compromise was it and did they leave
anything behind?


 
 
 

Post by Michael Scheidel » Thu, 11 Oct 2001 04:42:07



> Hi

> A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
> hat 6.2 latest rpm)

anything less than 8.2.3-REL has known, documented problems, going back to
March this year.

www.cert.org search for 'bind'

--
Michael Scheidell
Florida Datamation, Inc.

Internet Security and Consulting
See updated IT Security News at http://www.fdma.com/
After system Compromise : http://www.cert.org/tech_tips/

 
 
 

Post by Hal Burgi » Thu, 11 Oct 2001 05:55:05



>anything less than 8.2.3-REL has known, documented problems, going back
>to March this year.

Redhat backported the patches, so it is equivalent (AFAIK).

Hey, Michael!

--
Hal Burgiss

"I will not send a two million dollar missile at a ten dollar tent,
just to hit a camel in the butt". GW Bush

 
 
 

Post by Kasper Dupon » Thu, 11 Oct 2001 06:45:38





> > >A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
> > >hat 6.2 latest rpm)

> > >Is it possible ?

> > of course.  bind is a long running setuid root server.

> ...if you run it setuid root, of course. More to the point I thought it had
> to be run as root and you could then drop privs if you wanted. If you
> don't, or don't run it in a chroot jail as well, well... commiserations.

It will need root privileges to open port 53.
But after that I cannot see why it should
keep root privileges. Keeping it running as
root is a bad choice.

--
Kasper Dupont
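
The bind-then-drop sequence Tim and Kasper describe, as an added example in Python (not code from the thread or from BIND itself). The service account "named" and the jail directory /var/named used in the final lines are assumptions, and that part needs root to run, just as named does at startup.

```python
import os
import pwd
import socket
from typing import Optional, Tuple

# Added example, not BIND's code. Order: bind the privileged port while still
# root, enter the chroot jail (root only), then give up root for good and verify.

def bind_udp_socket(host: str, port: int) -> socket.socket:
    """Bind a UDP socket; a port below 1024 (DNS uses 53) needs root here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def lookup_user(name: str) -> Tuple[int, int]:
    """Resolve the unprivileged service account (assumed: 'named') to (uid, gid)."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid

def current_ids() -> Tuple[int, int]:
    return os.getuid(), os.getgid()

def drop_privileges(uid: int, gid: int, chroot_dir: Optional[str] = None) -> Tuple[int, int]:
    """Permanently switch to uid/gid and return the ids now in effect. Order matters:
    chroot first (root only), then supplementary groups, then gid, then uid."""
    if chroot_dir is not None:
        os.chroot(chroot_dir)
        os.chdir("/")            # no cwd handle left pointing outside the jail
    if os.geteuid() == 0:
        os.setgroups([])         # root-only call: shed supplementary groups
    os.setgid(gid)               # gid before uid, or setgid would fail afterwards
    os.setuid(uid)               # sets real, effective and saved uid: no way back
    return os.getuid(), os.getgid()

def privileges_are_dropped(expected_uid: int) -> bool:
    """True when all three uids are the target and root cannot be regained."""
    if os.getresuid() != (expected_uid, expected_uid, expected_uid):
        return False
    if expected_uid == 0:
        return True              # caller asked to stay root; nothing more to test
    try:
        os.setuid(0)             # must fail once the saved uid is no longer 0
        return False
    except PermissionError:
        return True

if __name__ == "__main__":       # as root, like named: bind 53, jail, become 'named'
    sock = bind_udp_socket("0.0.0.0", 53)
    uid, gid = lookup_user("named")
    print(drop_privileges(uid, gid, "/var/named"), privileges_are_dropped(uid))
```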

 
 
 

Post by Fori » Thu, 11 Oct 2001 22:05:16




> >anything less than 8.2.3-REL has known, documented problems, going back
> >to March this year.

> Redhat backported the patches, so it is equivalent (AFAIK).

> Hey, Michael!

Hi

Does that mean that the red hat bind RPM has the security hole or not ?

I don't speak English perfectly.

thanks

Pat

 
 
 

Post by Fori » Thu, 11 Oct 2001 22:07:20



> > A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
> > hat 6.2 latest rpm)

> I would wonder what makes your friend think that the single point of
> failure was bind. What manner of compromise was it and did they leave
> anything behind?

Hi

He had a rootkit installed in /var/named and an ncftp daemon running as
the user named.

The bind was running as the user named.

He also runs ssh on this box

thanks

Pat
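
One way to check a box for what Pat describes (a foreign daemon running under the named account, or named itself never having dropped root), as an added example that is not part of the thread. The process lines are constructed sample data in the shape of `ps -eo user,pid,comm`; the command name "ncftpd" is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the thread. One unprivileged account per daemon means
# two things to look for: the daemon still running as root, and anything other
# than the daemon running as that account (the ncftp daemon in Pat's case).

SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
named      412 named
named      498 ncftpd
root       520 sshd
pat        601 bash
"""

PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.+)$")

def parse_ps(text: str) -> List[Tuple[str, int, str]]:
    """Turn ps output into (user, pid, command) rows, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        m = PS_LINE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows

def audit_service_account(rows, account: str, daemon: str) -> Dict[str, List[int]]:
    """Flag pids that break the 'one daemon, one unprivileged account' rule.
    daemon_as_root: the daemon never dropped privileges (Kasper's warning).
    foreign_process: something else runs as the account, as after a compromise."""
    findings: Dict[str, List[int]] = {"daemon_as_root": [], "foreign_process": []}
    for user, pid, comm in rows:
        if comm == daemon and user == "root":
            findings["daemon_as_root"].append(pid)
        elif user == account and comm != daemon:
            findings["foreign_process"].append(pid)
    return findings

if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["ps", "-eo", "user,pid,comm"], capture_output=True, text=True).stdout
    print(audit_service_account(parse_ps(live), "named", "named"))
```

A rootkit may hide its processes from ps, so an empty result is not a clean bill of health; it is the quick first check before the offline examination the CERT tech tips linked above describe.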

 
 
 

Post by Hal Burgi » Thu, 11 Oct 2001 22:18:28





>> >anything less than 8.2.3-REL has known, documented problems, going
>> >back to March this year.

>> Redhat backported the patches, so it is equivalent (AFAIK).

>Does that mean that the red hat bind RPM has the security hole or not ?

It means it is patched for all *known* BIND exploits. So the short
answer is, that all 'security holes' are fixed. At least until somebody
finds a new one :/

>I don't speak English perfectly.

You may not speak it so well, but you write it better than some native
speakers.

--
Hal Burgiss
 
 
 

Post by el.. » Fri, 12 Oct 2001 03:15:25




>A friend of mine says he was hacked through his bind 8.2.3-0.6.x (red
>hat 6.2 latest rpm)

>Is it possible ?

Could the hack have happened before he updated bind?  There was an
exploit in the shipped version of bind used by 6.2.

--
http://www.spinics.net/linux/

 
 
 
