From owner-freebsd-security Thu Feb 22 13:22: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1])
	by hub.freebsd.org (Postfix) with ESMTP id F396C37B503
	for ; Thu, 22 Feb 2001 13:21:57 -0800 (PST)
	(envelope-from marc@milestonerdl.com)
Received: from tandem (tandem [204.107.138.1])
	by tandem.milestonerdl.com (8.11.2/8.10.0) with ESMTP id f1MLMtr11114;
	Thu, 22 Feb 2001 15:22:55 -0600 (CST)
Date: Thu, 22 Feb 2001 15:22:55 -0600 (CST)
From: Marc Rassbach
To: Michael Richards
Cc: Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
In-Reply-To: <3A9578A6.000055.93744@frodo.searchcanada.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Or, you may have been running -u bind -g bind and that works to keep the
lid on things. (Unless the security team knows that -u -g on bind 8
doesn't help.)

On Thu, 22 Feb 2001, Michael Richards wrote:

> Hi.
>
> Within minutes of discovering that the version of bind was
> compromised, it was shut down and an onsite person booted the system
> from a disk and ran tripwire. Nothing odd. I've been monitoring via
> the firewall and paying close attention to that machine and there is
> nothing out of the ordinary going on with it. I have a feeling that
> people were trying a linux specific exploit and that was merely
> causing bind to crash.
>
> -Michael
>
> > I wouldn't be surprised if your system has already been hacked.
> > 8.2.3-REL has fixed all known (to ISC) security holes. All
> > previous versions of BIND are vulnerable. If I (taking my
> > manager's hat off and putting my security officer's hat on) were
> > you I'd do the prudent thing, which is to verify the system was
> > not already hacked or otherwise consider the system suspect until
> > I can prove it otherwise.