From owner-freebsd-questions Mon Mar 26 7:39: 7 2001 Delivered-To: freebsd-questions@freebsd.org Received: from clmboh1-smtp3.columbus.rr.com (clmboh1-smtp3.columbus.rr.com [65.24.0.112]) by hub.freebsd.org (Postfix) with ESMTP id 603EE37B719 for ; Mon, 26 Mar 2001 07:39:04 -0800 (PST) (envelope-from wmoran@iowna.com) Received: from iowna.com (dhcp065-024-023-038.columbus.rr.com [65.24.23.38]) by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id f2QFaHH26775; Mon, 26 Mar 2001 10:36:18 -0500 (EST) Message-ID: <3ABF62CC.1A8846ED@iowna.com> Date: Mon, 26 Mar 2001 10:39:56 -0500 From: Bill Moran X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: Kris Kennaway , freebsd-questions@freebsd.org Subject: Re: HEADS UP: BIND 8.2.3 INSECURITY (Re: BIND 8.2.3 Crashing Question) References: <3ABE1342.4A9CDFFF@iowna.com> <20010325143048.C45772@xor.obsecurity.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I've talked to the client and scheduled downtime to rebuild this server tonight. I have a few questions concerning this BIND thing, it seems I've missed some things along the road. 1. Can anyone direct me to a specific place where I can find details on the exploits? The best information I've found so far today is on ISC's site and all they say is that this is "critical" and "exploitable". I need to know just how potentially exploitable, so I can assess whether or not to be concerned that the internal network may have been compromised. 2. What's the opinion on BIND-8.2.3 vs. 9.1? I tend to stay away from anything that looks like beta code (notice how I failed to follow that rule and am paying for it) But it seems like every version of BIND has had problems. Is there good reason to go to 9.1? Should I just bite the bullet and try out djbdns? Any opinions are welcome. -Bill Kris Kennaway wrote: > > On Sun, Mar 25, 2001 at 10:48:18AM -0500, Bill Moran wrote: > > > I have also seen trouble with BIND crashing on a 4.2-STABLE machine. > > Looking at it, this is 8.2.3-T6B > > Was that a Beta release? If so, I'd better upgrade before I complain too > > much. I thought I had grabbed a productin release, but I don't even see > > T6B listed on the site. > > Yet another person who has managed to stumble through the minefield > for the past 2 months oblivious to the screams of everyone else to > stop. Those crashes are root exploit attempts, possibly successful > ones. See the security advisory from 2 months ago, and please > subscribe to one of the mailing lists which carries them to save > yourself the trouble and embarrassment in the future (see > www.freebsd.org/security). > > 8.2.3-REL is the *only* BIND 8 version which isn't vulnerable to this! > > Sorry to rant at you, Bill, but the number of times this question has > been answered on FreeBSD lists, the amount of mainstream and internet > media coverage this problem got, and the amount of information about > the topic available on the internet makes me wonder just what it takes > to get through to people. > > Chances are your machine(s) have been compromised, and you should > treat it as such: back up the data, wipe the machine and reinstall it > from trusted media, then selectively restore the data, being careful > not to reinstall anything corrupted by the attacker. > > Kris > > ------------------------------------------------------------------------ > Part 1.2Type: application/pgp-signature To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message