I have an vulnerable bind running on a server (.... I know ! ) . Today the service was not running any more. I found nothing in the logfiles. Could it be that somebody used the exploit to dos the service? How could I find out in the logs? Are there known signatures? Thanks Raffy
At 09:17 AM 2/8/01 +0100, Raffy wrote:
I have an vulnerable bind running on a server (.... I know ! ) . Today the service was not running any more. I found nothing in the logfiles. Could it be that somebody used the exploit to dos the service? How could I find out in the logs? Are there known signatures?
Run out of memory ? http://cr.yp.to/djbdns/ad/unbind.html
I have an vulnerable bind running on a server (.... I know ! ) . Today the service was not running any more. I found nothing in the logfiles. Could it be that somebody used the exploit to dos the service? How could I find out in the logs? Are there known signatures?
You probably won't be able to find out. Update the package as soon as possible. No matter if the exploit was successful or not, it is likely that the daemon does not exist any more. A restart is necessary...
Run out of memory ?
This webpage is particularly ugly. The style lacks describing words in my
vocabulary.
Roman.
--
- -
| Roman Drahtmüller
On Thu, 8 Feb 2001 09:17:55 +0100, you wrote:
I have an vulnerable bind running on a server (.... I know ! ) . Today the
There is (at least) a public xploit (released in Bugtraq) for last bug on Bind. You should update NOW. Perhaps it's too late... =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
That "Bind" exploit released on Bugtraq was a trojan, it attacked nai.
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
----- Original Message -----
From: "RoMaN SoFt / LLFB!!"
I have an vulnerable bind running on a server (.... I know ! ) . Today the
There is (at least) a public xploit (released in Bugtraq) for last bug on Bind. You should update NOW. Perhaps it's too late... =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Thu, 8 Feb 2001 10:38:27 -0700, you wrote:
That "Bind" exploit released on Bugtraq was a trojan, it attacked nai.
No. You're referring to a former "xploit" posted to bugtraq which
indeed was a trojan.
I'm referring to this one:
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [BUGTRAQ] Fixed BIND TSIG Exploit
From: Jonathan Wilkins
I spent yesterday snowboarding and missed that message =) My bad.
Kurt
----- Original Message -----
From: "RoMaN SoFt / LLFB!!"
That "Bind" exploit released on Bugtraq was a trojan, it attacked nai.
No. You're referring to a former "xploit" posted to bugtraq which
indeed was a trojan.
I'm referring to this one:
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [BUGTRAQ] Fixed BIND TSIG Exploit
From: Jonathan Wilkins
Here is the file that was sent to bugtraq. It's still broken, but I thing someone can get it to work without much work []s Davi On Friday 09 February 2001 16:06, Kurt Seifried wrote:
I spent yesterday snowboarding and missed that message =) My bad.
Kurt
----- Original Message ----- From: "RoMaN SoFt / LLFB!!"
To: "Kurt Seifried" Cc: Sent: Friday, February 09, 2001 1:10 AM Subject: Re: [suse-security] Bind Exploit On Thu, 8 Feb 2001 10:38:27 -0700, you wrote:
That "Bind" exploit released on Bugtraq was a trojan, it attacked nai.
No. You're referring to a former "xploit" posted to bugtraq which indeed was a trojan.
I'm referring to this one:
To: BUGTRAQ@SECURITYFOCUS.COM Subject: [BUGTRAQ] Fixed BIND TSIG Exploit From: Jonathan Wilkins
Date: Wed, 7 Feb 2001 03:11:16 -0500 The posted BIND exploit was crippled and the author seemed a little unclear on the necessary byte ordering.. Attached is a cleaned up version that should make all the kiddies happy..
Jonathan and Ian (at 3:00am)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
participants (6)
-
Davi
-
Irwan Hadi
-
Kurt Seifried
-
Raffy
-
Roman Drahtmueller
-
RoMaN SoFt / LLFB!!