Hide Forgot
Subject: Security Date: Tue, 07 Dec 1999 20:53:12 -0600 From: Lindsay Haisley <fmouse@fmp.com> To: linux@ctlug.org This deserves everyone's immediate attention! >Delivered-To: fmouse@fmp.com >Date: Tue, 07 Dec 1999 11:15:25 -0600 >From: Richard Martin <dmartin@origen.com> >X-Mailer: Mozilla 4.6 [en] (WinNT; I) >X-Accept-Language: en >To: Lindsay Haisley <fmouse@fmp.com> >Subject: Security > >Lindsay, > >I don't know if this is appropriate to post to the list, but it is of >general interest. Please post it if you think appropriate and of >enough general interest. Perhaps we can save someone else the drama >of restoring an entire server. This is all the more disturbing because >I thought I was pretty secure. > >We are running a nameserver under RH 6.0, and our machine was >compromised yesterday through a break-in via BIND. It appears the >attackers entered through a bug in BIND and assumed root privileges >through named. This affects multiple versions of BIND, and there is a >CERT page on it at: > >http://www.cert.org/advisories/CA-99-14-bind.html > >The attackers added two new users; rpc and lpstatd, and bound socket >111 to a binary I could not locate. They flushed the ipchains rulesets >and disabled portsentry on their first visit, then masked their entry >in the log files. du, ps, netstat and ifconfig binaries were changed >to present bogus output. The one login that I was able to track came >from usc.edu (they were notified). > >I became first aware something was wrong when Big Brother reported >that the DNS had crashed. After fiddling with it for more than an >hour of looking at bogus system reports, I ran tripwire and discovered >that the directory ADMROCKS had been added to the named data >directory. when TW showed that several binaries had been changed, game >over, I disconnected the machine. > >Good news, there is already an update for BIND (and one at the RH >site, although it is not listed on the CERT page) > >After rebuilding the machine and restarting, ipchains is bouncing >packets from port 2518 and 2522 from dialup accounts all over the >world (notably france and germany) > >Hope this helps someone. > > >-- >Richard Martin dmartin@origen.com > >OriGen Biomedical Tel: +1 512 474 7278 >2525 Hartford Rd. Fax: +1 512 708 8522 >Austin, TX 78703 http://www.formed.net > > Lindsay Haisley (______) FMP Computer Services (oo) "The bull fmouse@fmp.com /------\/ stops here!" Austin, Texas, USA / | || 512-259-1190 * ||---|| * * * * * * ~~ ~~ http://www.fmp.com **** To unsubscribe from the linux list, send a message containing only the word "unsubscribe" to linux-request@fmp.com. Message # 2 - - - - - - - - - - - - - - - - - - - - - - - Subject: Re: Security Date: Wed, 8 Dec 1999 09:40:39 -0600 From: Lindsay Haisley <fmouse@fmp.com> Organization: FMP Computer Services To: almacen@bellsouth.net References: 1 , 2 I don't know. You need to contact Red Hat. I just passed this on from Richard Martin. Thus spake almacen@bellsouth.net on Wed, Dec 08, 1999 at 07:17:32AM CST > Hi Lindsay, > > Is this 'security hole' also found in RH 6.1, or is it corrected? > > Orlando > = = = = > > Lindsay Haisley wrote: > > > This deserves everyone's immediate attention! > > > > >Delivered-To: fmouse@fmp.com > > >Date: Tue, 07 Dec 1999 11:15:25 -0600 > > >From: Richard Martin <dmartin@origen.com> > > >X-Mailer: Mozilla 4.6 [en] (WinNT; I) > > >X-Accept-Language: en > > >To: Lindsay Haisley <fmouse@fmp.com> > > >Subject: Security > > > > > >Lindsay, > > > > > >We are running a nameserver under RH 6.0, and our machine was > > >compromised yesterday through a break-in via BIND. > -- Lindsay Haisley | "Everything works | PGP public key FMP Computer Services | if you let it" | available at fmouse@fmp.com | (The Roadie) | <http://www.fmp.com/pubkeys> http://www.fmp.com | |
Red Hat issued an update the same day the vulnerability in bind became known. If you want your system to be secure, you will want to keep track of all updates, and probably subscribe to redhat-watch-list@redhat.com and/or linux-security@redhat.com. The missing link in the CERT advisory is annoying, but there's nothing we can do about that, CERT don't update their advisories once they have been issued.