Date:      Sat, 2 May 1998 12:12:42 +1200
From:      andrew@squiz.co.nz (Andrew McNaughton)
To:        isp@FreeBSD.ORG
Subject:   Re: Named disappeared
Message-ID:  <v02120d00b17013b04ffd@[203.96.56.186]>

>> We also had two of our nameservers, one in Melbourne and one in Canberra go
>> down within seconds of each other.
>>
>> May  1 19:51:29 canberra /kernel: pid 70: named: uid 0: exited on signal 11
>> May  1 19:51:32 wizard /kernel.256: pid 70 (named), uid 0: exited on signal 11
>>
>> This appears a global problem.
>
>
>This looks more and more like somebody out there is launching a large-scale
>attack against the security problems outlined in the recent CERT advisory.
>Unless I'm reading the advisory wrong, a "signal 11" crash is certainly one
>of the possible outcomes of somebody hitting your nameservers with an exploit
>directed at these problems.

So has anyone looked to see where the last packets to the named port came
from?  Correlations there would tend to confirm the hacker theory.

Andrew McNaughton

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Andrew McNaughton                                          =
++64 4 389 6891                 Any sufficiently advanced  =
andrew@squiz.co.nz               bug is indistinguishable  =
http://www.squiz.co.nz             from a feature.         =
http://www.newsroom.co.nz                -- Rich Kulawiec  =
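
The correlation asked about above, sketched as an added example that is not part of the original message: it takes the two crash times from the quoted kernel log lines and looks for source addresses that sent traffic to port 53 on both servers shortly before each crash. The capture line format, the addresses (documentation ranges), the 30-second window and the function names are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Crash times from the kernel log lines quoted in the thread (year 1998).
CRASHES = {
    "canberra": datetime(1998, 5, 1, 19, 51, 29),
    "wizard": datetime(1998, 5, 1, 19, 51, 32),
}

# Constructed capture lines, one list per server. Assumed format:
# "HH:MM:SS src_ip.src_port > dst_ip.dst_port: proto". Not real traffic.
CAPTURES = {
    "canberra": [
        "19:50:02 192.0.2.10.1031 > 198.51.100.1.53: udp",
        "19:51:20 203.0.113.77.4002 > 198.51.100.1.53: udp",
        "19:51:28 203.0.113.77.4003 > 198.51.100.1.53: tcp",
        "19:51:28 192.0.2.44.2210 > 198.51.100.1.25: tcp",
    ],
    "wizard": [
        "19:51:05 192.0.2.99.1500 > 198.51.100.2.53: udp",
        "19:51:31 203.0.113.77.4010 > 198.51.100.2.53: tcp",
        "19:51:40 192.0.2.10.1032 > 198.51.100.2.53: udp",
    ],
}

LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(\d+): "
)

def sources_before_crash(lines, crash, window=timedelta(seconds=30), port=53):
    """Return source IPs that sent to `port` within `window` before `crash`."""
    seen = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a packet line
        h, mi, s, src, dport = m.groups()
        # Assumes the capture is from the same calendar day as the crash.
        ts = crash.replace(hour=int(h), minute=int(mi), second=int(s))
        if int(dport) == port and crash - window <= ts <= crash:
            seen.add(src)
    return seen

def common_sources(captures=CAPTURES, crashes=CRASHES, **kw):
    """Sources seen in the pre-crash window on every crashed server."""
    per_host = [sources_before_crash(captures[h], crashes[h], **kw) for h in crashes]
    return set.intersection(*per_host)

if __name__ == "__main__":
    print(sorted(common_sources()))
```

UDP source addresses can be spoofed, so an address common to both servers is a lead to follow up, not proof of origin.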



