Bug 7689 - Security
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: bind
Version: 6.0
Hardware/OS: All / Linux
Priority: medium, Severity: medium
Assigned To: Bernhard Rosenkraenzer
Reported: 1999-12-08 15:49 EST by almacen
Modified: 2008-05-01 11:37 EDT (History)
Last Closed: 1999-12-09 05:52:32 EST
Doc Type: Bug Fix
Attachments: None
Description almacen 1999-12-08 15:49:39 EST
Subject: Security
Date: Tue, 07 Dec 1999 20:53:12 -0600
From: Lindsay Haisley <fmouse@fmp.com>
To: linux@ctlug.org

This deserves everyone's immediate attention!

>Delivered-To: fmouse@fmp.com
>Date: Tue, 07 Dec 1999 11:15:25 -0600
>From: Richard Martin <dmartin@origen.com>
>X-Mailer: Mozilla 4.6 [en] (WinNT; I)
>X-Accept-Language: en
>To: Lindsay Haisley <fmouse@fmp.com>
>Subject: Security
>
>Lindsay,
>
>I don't know if this is appropriate to post to the list, but it is of
>general interest.  Please post it if you think appropriate and of
>enough general interest.  Perhaps we can save someone else the drama
>of restoring an entire server. This is all the more disturbing because
>I thought I was pretty secure.
>
>We are running a nameserver under RH 6.0, and our machine was
>compromised yesterday through a break-in via BIND.  It appears the
>attackers entered through a bug in BIND and assumed root privileges
>through named. This affects multiple versions of BIND, and there is a
>CERT page on it at:
>
>http://www.cert.org/advisories/CA-99-14-bind.html
>
>The attackers added two new users; rpc and lpstatd, and bound socket
>111 to a binary I could not locate. They flushed the ipchains rulesets
>and disabled portsentry on their first visit, then masked their entry
>in the log files.  du, ps, netstat and ifconfig binaries were changed
>to present bogus output. The one login that I was able to track came
>from usc.edu (they were notified).
>
>I became first aware something was wrong when Big Brother reported
>that the DNS had crashed.  After fiddling with it for more than an
>hour of looking at bogus system reports, I ran tripwire and discovered
>that the directory ADMROCKS had been added to the named data
>directory. When TW showed that several binaries had been changed, game
>over, I disconnected the machine.
>
>Good news, there is already an update for BIND (and one at the RH
>site, although it is not listed on the CERT page)
>
>After rebuilding the machine and restarting, ipchains is bouncing
>packets from port 2518 and 2522 from dialup accounts all over the
>world (notably France and Germany)
>
>Hope this helps someone.
>
>
>--
>Richard Martin       dmartin@origen.com
>
>OriGen Biomedical    Tel: +1 512 474 7278
>2525 Hartford Rd.    Fax: +1 512 708 8522
>Austin, TX 78703     http://www.formed.net
>
>
Lindsay Haisley                   (______)
FMP Computer Services               (oo)        "The bull
fmouse@fmp.com                /------\/            stops here!"
Austin, Texas, USA           / |    ||
512-259-1190                *  ||---||             * * * * * *
                               ~~   ~~        http://www.fmp.com
****
To unsubscribe from the linux list, send a message containing
only the word "unsubscribe" to linux-request@fmp.com.
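The report above credits tripwire with revealing both the added ADMROCKS directory and the replaced du, ps, netstat and ifconfig binaries, after an hour lost to the bogus output of those same tools. As an added example (not part of the bug report, of Red Hat's update, or of tripwire itself), the following Python script shows the two checks involved in miniature: comparing a snapshot of /etc/passwd against a baseline of known accounts, and comparing SHA-256 digests of system binaries against a baseline manifest. The account entries, file contents, digests and the /var/named location are constructed or assumed for illustration, not taken from the report.

```python
"""Added example: a minimal host-integrity check in the spirit of the tripwire
run described in the bug report. All sample data below is constructed so the
script runs offline; account entries, file contents and paths are illustrative.
"""
import hashlib
from typing import Dict, List


def parse_passwd(text: str) -> Dict[str, int]:
    """Return {username: uid} from passwd-format text, skipping blank,
    comment and malformed lines rather than crashing on them."""
    users: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # passwd(5) has exactly seven fields
            continue
        users[fields[0]] = int(fields[2])
    return users


def find_account_changes(baseline: str, current: str) -> Dict[str, List[str]]:
    """Diff two passwd snapshots: accounts added, removed, re-numbered,
    and any *added* account that carries uid 0 (a second root account)."""
    base = parse_passwd(baseline)
    cur = parse_passwd(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    uid_changed = sorted(u for u in set(base) & set(cur) if base[u] != cur[u])
    new_uid0 = [u for u in added if cur[u] == 0]
    return {"added": added, "removed": removed,
            "uid_changed": uid_changed, "new_uid0": new_uid0}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_binary_changes(manifest: Dict[str, str],
                        files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """manifest maps path -> expected sha256 hex digest; files maps path ->
    current content. Reports modified, missing and unlisted paths."""
    modified, missing = [], []
    for path, expected in manifest.items():
        if path not in files:
            missing.append(path)
        elif sha256_hex(files[path]) != expected:
            modified.append(path)
    unlisted = sorted(set(files) - set(manifest))
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unlisted": unlisted}


# --- constructed sample data -------------------------------------------------
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
named:x:25:25:Named:/var/named:/bin/false
"""
# The report names "rpc" and "lpstatd" as the added accounts; the uids,
# gecos fields and shells here are invented. lpstatd is given uid 0 to
# show the second-root-account check firing.
COMPROMISED_PASSWD = BASELINE_PASSWD + """\
rpc:x:32:32:Portmapper RPC user:/:/bin/false
lpstatd:x:0:0::/:/bin/sh
"""

# Stand-ins for the real binaries (constructed bytes, not ELF files).
CLEAN_FILES: Dict[str, bytes] = {
    "/bin/ps": b"clean-ps-v1",
    "/bin/netstat": b"clean-netstat-v1",
    "/sbin/ifconfig": b"clean-ifconfig-v1",
    "/usr/bin/du": b"clean-du-v1",
}
# The baseline manifest is what tripwire stores on a known-good host.
MANIFEST: Dict[str, str] = {p: sha256_hex(c) for p, c in CLEAN_FILES.items()}

# Every listed binary replaced, plus an unlisted file under the named data
# directory (assumed to be /var/named; the report only says "ADMROCKS").
COMPROMISED_FILES: Dict[str, bytes] = {p: b"trojaned-" + c for p, c in CLEAN_FILES.items()}
COMPROMISED_FILES["/var/named/ADMROCKS/README"] = b"constructed unlisted file"


if __name__ == "__main__":
    print("accounts:", find_account_changes(BASELINE_PASSWD, COMPROMISED_PASSWD))
    print("binaries:", find_binary_changes(MANIFEST, COMPROMISED_FILES))
```

The point the report makes about du, ps, netstat and ifconfig applies to this script too: once those binaries are replaced, nothing the compromised host reports can be trusted, so the manifest has to be created on a known-good install and both the manifest and the checker have to be run from read-only or offline media, which is what tripwire's own guidance and the reporter's decision to disconnect and rebuild amount to.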



Message # 2
- - - - - - - - - - - - - - - - - - - - - - -
Subject: Re: Security
Date: Wed, 8 Dec 1999 09:40:39 -0600
From: Lindsay Haisley <fmouse@fmp.com>
Organization: FMP Computer Services
To: almacen@bellsouth.net

I don't know.  You need to contact Red Hat.  I just passed this on from
Richard Martin.

Thus spake almacen@bellsouth.net on Wed, Dec 08, 1999 at 07:17:32AM CST
> Hi Lindsay,
>
> Is this 'security hole' also found in RH 6.1, or is it corrected?
>
> Orlando
> = = = =
>
> Lindsay Haisley wrote:
>
> > This deserves everyone's immediate attention!
> >
> > >Delivered-To: fmouse@fmp.com
> > >Date: Tue, 07 Dec 1999 11:15:25 -0600
> > >From: Richard Martin <dmartin@origen.com>
> > >X-Mailer: Mozilla 4.6 [en] (WinNT; I)
> > >X-Accept-Language: en
> > >To: Lindsay Haisley <fmouse@fmp.com>
> > >Subject: Security
> > >
> > >Lindsay,
> > >
> > >We are running a nameserver under RH 6.0, and our machine was
> > >compromised yesterday  through a break-in via BIND.
>

--
Lindsay Haisley       | "Everything works    |     PGP public key
FMP Computer Services |       if you let it" |      available at
fmouse@fmp.com        |    (The Roadie)      | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                      |
Comment 1 Bernhard Rosenkraenzer 1999-12-09 05:52:59 EST
Red Hat issued an update the same day the vulnerability in bind became known.
If you want your system to be secure, you will want to keep track of all
updates, and probably subscribe to redhat-watch-list@redhat.com and/or
linux-security@redhat.com.

The missing link in the CERT advisory is annoying, but there's nothing we can do
about that; CERT don't update their advisories once they have been issued.
