[1764] in linux-security and linux-alert archive
[linux-security] Re: Bind Overrun Bug and Linux
daemon@ATHENA.MIT.EDU (Leigh Porter)
Thu May 21 16:55:14 1998
Date: Tue, 19 May 1998 19:04:32 +0000
From: Leigh Porter <leigh@wisper.net>
To: Peter Kelly <pkelly@ets.net>
Cc: linux-security@redhat.com, support@ss.org
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

Peter Kelly wrote:
> [mod: Just to show you that people DO get bitten after a bugwarning has
> gone out on linux-security..... -- REW]
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Content-Type: text/plain; charset=us-ascii
>
> Has anyone been hit with the Bind Inverse Query Buffer Overrun on
> their Linux servers? We have had 3 servers attacked using this
> exploit and all of the machines had several binaries replaced with
> trojan programs. Below is the cert advisory for the exploit; but
> if anyone needs details under Linux of what happens and how to fix/
> protect your servers, mail me.

I was bitten, looks like the same one too. It was a non-critical machine
that was hit running un-fixed BINDs for playing with.

It seems that the perpetrator used ncftp to get a file called "hide" from various
systems which no longer seem to have this. This file contained an archive of
the trojans that were inserted into the compromised system - does anybody know
what is in these trojans?
--
Leigh
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null