Hi,
Specifically, the TSIG off-by-one bug stack overflow in 8.2.x, which is
undergoing wide exploitation at this moment due to a large number of
multiple platform, instant root exploits running around, courtesy of
combining this exploit with the infoleak bug reported on the same
software.
If the first "DoS" was successful, are you sure that you have not
been rooted, and the service has since been patched for you?
(kiddiez have a habit of patching the holes they come in by
to keep the machines to themselves.)
I'd recommend you have a closer look at your machine, and perhaps
use a tool like chkrootkit (http://www.chkrootkit.org/) to check
for a multitude of standard rootkits.
Take care,
Andrew
-
Andrew Thomas
> -----Original Message-----
> From: Devdas Bhagat [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 20, 2001 4:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Suspicious Deny's
>
>
> On Tue, 20 Mar 2001, Dan McGinn-Combs spewed into the ether:
> > We have experienced several attempts to kill our nameservers over the past
> > few weeks. The first one was successful. I've noticed in my logs that there
> > are a number of hits against all our registered DNS boxes... typically a TCP
> > attack looking for a reverse lookup in rapid succession. In an "older"
> > version of BIND it apparently caused a NAMED to core dump.
> Upgrade to Bind 8.2.3 or 9.x (the latest please, the previous one had
> a buffer overflow). Refer to the isc.org homepage to find out current
> status. Root exploits for bind 8.2.2x are known to be in the wild.
>
> Devdas Bhagat
> --
> The reward of a thing well done is to have done it.
> -- Emerson
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>