From owner-freebsd-isp Fri May 1 17:10:39 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id RAA23668
    for freebsd-isp-outgoing; Fri, 1 May 1998 17:10:39 -0700 (PDT)
    (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from mail.actrix.gen.nz (root@mail.actrix.gen.nz [203.96.16.37])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA23650
    for ; Fri, 1 May 1998 17:10:32 -0700 (PDT)
    (envelope-from andrew@squiz.co.nz)
Received: from [203.96.56.186] (aniwa.actrix.gen.nz [203.96.56.186])
    by mail.actrix.gen.nz (8.8.8/8.8.5) with SMTP id MAA00305
    for ; Sat, 2 May 1998 12:10:24 +1200 (NZST)
X-Sender: squiz1@mail.actrix.gen.nz
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 2 May 1998 12:12:42 +1200
To: isp@FreeBSD.ORG
From: andrew@squiz.co.nz (Andrew McNaughton)
Subject: Re: Named disappeared
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> We also had two of our nameservers, one in Melbourne and one in Canberra go
>> down within seconds of each other.
>>
>> May 1 19:51:29 canberra /kernel: pid 70: named: uid 0: exited on signal 11
>> May 1 19:51:32 wizard /kernel.256: pid 70 (named), uid 0: exited on
>>signal 11
>>
>> This appears a global problem.
>
>
>This looks more and more like somebody out there is launching a large-scale
>attack against the security problems outlined in the recent CERT advisory.
>Unless I'm reading the advisory wrong, a "signal 11" crash is certainly one
>of the possible outcomes of somebody hitting your nameservers with an exploit
>directed at these problems.

So has anyone looked to see where the last packets to the named port came
from? Correlations there would tend to confirm the hacker theory.

Andrew McNaughton

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Andrew McNaughton          =  ++64 4 389 6891
Any sufficiently advanced  =  andrew@squiz.co.nz
bug is indistinguishable   =  http://www.squiz.co.nz
from a feature.            =  http://www.newsroom.co.nz
-- Rich Kulawiec           =

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message