Bug 7689 - Security
Summary: Security
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: bind
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
Reported: 1999-12-08 20:49 UTC by almacen
Modified: 2008-05-01 15:37 UTC (History)

Last Closed: 1999-12-09 10:52:32 UTC

Description almacen 1999-12-08 20:49:39 UTC
Subject: Security
Date: Tue, 07 Dec 1999 20:53:12 -0600
From: Lindsay Haisley <fmouse>
To: linux

This deserves everyone's immediate attention!

>Delivered-To: fmouse
>Date: Tue, 07 Dec 1999 11:15:25 -0600
>From: Richard Martin <dmartin>
>X-Mailer: Mozilla 4.6 [en] (WinNT; I)
>X-Accept-Language: en
>To: Lindsay Haisley <fmouse>
>Subject: Security
>
>Lindsay,
>
>I don't know if this is appropriate to post to the list, but it is of
>general interest.  Please post it if you think appropriate and of
>enough general interest.  Perhaps we can save someone else the drama
>of restoring an entire server. This is all the more disturbing because
>I thought I was pretty secure.
>
>We are running a nameserver under RH 6.0, and our machine was
>compromised yesterday through a break-in via BIND.  It appears the
>attackers entered through a bug in BIND and assumed root privileges
>through named. This affects multiple versions of BIND, and there is a
>CERT page on it at:
>
>http://www.cert.org/advisories/CA-99-14-bind.html
>
>The attackers added two new users, rpc and lpstatd, and bound socket
>111 to a binary I could not locate. They flushed the ipchains rulesets
>and disabled portsentry on their first visit, then masked their entry
>in the log files.  du, ps, netstat and ifconfig binaries were changed
>to present bogus output. The one login that I was able to track came
>from usc.edu (they were notified).
>
>I became first aware something was wrong when Big Brother reported
>that the DNS had crashed.  After fiddling with it for more than an
>hour of looking at bogus system reports, I ran tripwire and discovered
>that the directory ADMROCKS had been added to the named data
>directory. When TW showed that several binaries had been changed, game
>over; I disconnected the machine.
>
>Good news, there is already an update for BIND (and one at the RH
>site, although it is not listed on the CERT page)
>
>After rebuilding the machine and restarting, ipchains is bouncing
>packets from ports 2518 and 2522 from dialup accounts all over the
>world (notably France and Germany).
>
>Hope this helps someone.
>
>
>--
>Richard Martin       dmartin
>
>OriGen Biomedical    Tel: +1 512 474 7278
>2525 Hartford Rd.    Fax: +1 512 708 8522
>Austin, TX 78703     http://www.formed.net
>
>
Lindsay Haisley                   (______)
FMP Computer Services               (oo)        "The bull
fmouse                /------\/            stops here!"
Austin, Texas, USA           / |    ||
512-259-1190                *  ||---||             * * * * * *
                               ~~   ~~        http://www.fmp.com
****
To unsubscribe from the linux list, send a message containing
only the word "unsubscribe" to linux-request.

Message # 2
- - - - - - - - - - - - - - - - - - - - - - -
Subject: Re: Security
Date: Wed, 8 Dec 1999 09:40:39 -0600
From: Lindsay Haisley <fmouse>
Organization: FMP Computer Services
To: almacen
References: 1 , 2

I don't know.  You need to contact Red Hat.  I just passed this on from
Richard Martin.

Thus spake almacen on Wed, Dec 08, 1999 at 07:17:32AM CST
> Hi Lindsay,
>
> Is this 'security hole' also found in RH 6.1, or is it corrected?
>
> Orlando
> = = = =
>
> Lindsay Haisley wrote:
>
> > This deserves everyone's immediate attention!
> >
> > >Delivered-To: fmouse
> > >Date: Tue, 07 Dec 1999 11:15:25 -0600
> > >From: Richard Martin <dmartin>
> > >X-Mailer: Mozilla 4.6 [en] (WinNT; I)
> > >X-Accept-Language: en
> > >To: Lindsay Haisley <fmouse>
> > >Subject: Security
> > >
> > >Lindsay,
> > >
> > >We are running a nameserver under RH 6.0, and our machine was
> > >compromised yesterday  through a break-in via BIND.
>

--
Lindsay Haisley       | "Everything works    |     PGP public key
FMP Computer Services |       if you let it" |      available at
fmouse        |    (The Roadie)      | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                      |
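
The report above found the intrusion only when Tripwire was run against a known-good baseline: the trojaned du, ps, netstat and ifconfig hid the attacker's activity, and the ADMROCKS directory under the named data directory showed up as a new entry. The following is an added example, not code from the thread or from Tripwire, showing the core of that technique: hash a directory tree, keep the result as a baseline, and later report entries that were modified, added or removed. The file names, directory layout and "trojan" contents are constructed for the demonstration.

```python
"""Minimal file-integrity check in the style of the Tripwire run described
in the thread: hash a tree, store the baseline, and later report files whose
contents changed, entries that appeared, and entries that vanished.

Added example, not code from the original report or from Tripwire. The
paths and file contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every entry under root (relative path) to a fingerprint.

    Regular files get their hash, symlinks their target, and directories the
    sentinel "<dir>" so that a newly created directory (like ADMROCKS in the
    report) is reported as 'added' even before anything is written into it.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != ".":
            baseline[rel_dir] = "<dir>"
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                baseline[rel] = "<link>" + os.readlink(full)
            else:
                baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified entries between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Reproduce the report's findings on a constructed tree.

    A fake usr/bin with a few tools and a named data directory are
    baselined; then 'ps' is replaced and an ADMROCKS directory is dropped
    into the named directory, as the report describes.
    """
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "usr", "bin")
        named_dir = os.path.join(root, "var", "named")
        os.makedirs(bin_dir)
        os.makedirs(named_dir)
        for tool in ("du", "ps", "netstat", "ifconfig"):
            with open(os.path.join(bin_dir, tool), "wb") as f:
                f.write(b"ELF original " + tool.encode())
        with open(os.path.join(named_dir, "named.ca"), "wb") as f:
            f.write(b"; root hints (constructed)\n")

        baseline = build_baseline(root)  # taken while the host is clean

        # Simulated intrusion: trojaned ps, new directory in named's data dir.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"ELF trojan that hides the attacker's processes")
        os.makedirs(os.path.join(named_dir, "ADMROCKS"))
        with open(os.path.join(named_dir, "ADMROCKS", "tool"), "wb") as f:
            f.write(b"dropped binary")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats a practitioner would add. The baseline and the checker itself must live somewhere the attacker cannot rewrite (read-only media or another host): the same intrusion that replaced ps could replace the stored hashes. And this catches user-space replacements, which is what the report describes; a rootkit that patches the kernel rather than the binaries can lie to any program running on the box, so a check from a clean boot medium is the stronger form.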

Comment 1 Bernhard Rosenkraenzer 1999-12-09 10:52:59 UTC
Red Hat issued an update the same day the vulnerability in bind became known.
If you want your system to be secure, you will want to keep track of all
updates, and probably subscribe to redhat-watch-list and/or
linux-security.

The missing link in the CERT advisory is annoying, but there's nothing we can do
about that; CERT don't update their advisories once they have been issued.

