[2293] in linux-security and linux-alert archive


[linux-security] Security problems in bind -- persisting?

daemon@ATHENA.MIT.EDU (Graham Higgins)
Mon Jan 3 18:27:33 2000

Mime-Version: 1.0
Message-Id: <v04210104b49684f15b6a@[194.105.65.9]>
In-Reply-To: <Pine.LNX.4.10.9911112320500.12227-100000@boss.moongroup.org>
Date: Mon, 3 Jan 2000 17:04:54 +0000
To: linux-security@redhat.com
From: Graham Higgins <gjh@bel-epa.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Resent-From: linux-security@redhat.com

At 11:21 pm -0500 on 11/11/99, you wrote:

>Synopsis:		Security problems in bind
>Advisory ID:		RHSA-1999:054-01
>Issue date:		1999-11-11

Despite the release of bind-8.2.2_P3-1, it would appear that at least 
the RedHat binary rpm may still be vulnerable.

We run a RedHat 6.0/6.1 system and named (that's bind-8.2.2_P3-1) was 
down this morning. When I went to the named directory to check before 
restarting, I noticed a directory:

drwxr-xr-x   2 root     root         1024 Jan  2 23:47 ADMROCKS/

had appeared and logcheck reported:

**Unmatched Entries**
Jan  2 23:47:59 bel bash[346]: Remote execution attempt from 194.102.200.1

I can't find any traces of activity in wtmp (but with a shell spawned 
from named, I'm not likely to, am I?) and tripwire isn't reporting 
anything untoward in the directories it is assigned to check.

Nevertheless, I am a bit spooked. Has anyone else seen this attack?
Cheers,

Graham Higgins
--------------
Bel EPA Bristol, UK.
http://bel-epa.com
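As an added example, not part of Graham's post or of bind: a small Python checker that pulls logcheck-style "Remote execution attempt" lines like the one quoted above out of a syslog extract and flags an ADMROCKS entry in a listing of the named working directory. The sample log lines are constructed to match the format shown in the message; the directory listing passed in is assumed to be a plain list of names.

```python
import re

# Constructed sample syslog extract, modelled on the logcheck entry in the post.
SAMPLE_LOG = """\
Jan  2 23:40:12 bel named[312]: starting.  named 8.2.2-P3
Jan  2 23:47:59 bel bash[346]: Remote execution attempt from 194.102.200.1
Jan  2 23:48:03 bel named[312]: reloading nameserver
"""

# Classic BSD syslog prefix followed by the exact message text from the post.
REMOTE_EXEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: "
    r"Remote execution attempt from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def find_remote_exec_attempts(log_text):
    """Return one dict per 'Remote execution attempt' line (timestamp, host, program, pid, source IP)."""
    hits = []
    for line in log_text.splitlines():
        m = REMOTE_EXEC_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def suspicious_entries(named_dir_listing, marker="ADMROCKS"):
    """Return directory entries whose name matches the marker, ignoring a trailing slash from 'ls -F'."""
    return [name for name in named_dir_listing if name.rstrip("/") == marker]


def assess(log_text, named_dir_listing):
    """Combine both signals: log evidence of a remote execution attempt plus the on-disk marker."""
    attempts = find_remote_exec_attempts(log_text)
    markers = suspicious_entries(named_dir_listing)
    return {
        "attempts": attempts,
        "markers": markers,
        # Both signals together are a strong indication the daemon host was compromised.
        "compromise_suspected": bool(attempts and markers),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG, ["named.conf", "ADMROCKS/", "named.ca"]))
```

Because a shell spawned from named leaves nothing in wtmp, the syslog line and the directory listing are the evidence worth checking, which is what this script automates.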

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

