[1764] in linux-security and linux-alert archive


[linux-security] Re: Bind Overrun Bug and Linux

daemon@ATHENA.MIT.EDU (Leigh Porter)
Thu May 21 16:55:14 1998

Date: Tue, 19 May 1998 19:04:32 +0000
From: Leigh Porter <leigh@wisper.net>
To: Peter Kelly <pkelly@ets.net>
Cc: linux-security@redhat.com, support@ss.org
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

Peter Kelly wrote:

> [mod: Just to show you that people DO get bitten after a bug warning has
> gone out on linux-security..... -- REW]
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Content-Type: text/plain; charset=us-ascii
>
> Has anyone been hit with the Bind Inverse Query Buffer Overrun on
> their Linux servers?  We have had 3 servers attacked using this
> exploit and all of the machines had several binaries replaced with
> trojan programs.  Below is the cert advisory for the exploit; but
> if anyone needs details under Linux of what happens and how to fix/
> protect your servers, mail me.

I was bitten, looks like the same one too. It was a non-critical machine
that was hit running un-fixed BIND's for playing with.

It seems that the perpetrator used ncftp to get a file called "hide" from various
systems which no longer seem to have this. This file contained an archive of
the trojans that were inserted into the compromised system - does anybody know
what is in these trojans?

--
Leigh

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null

