From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 15:48:46 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C4BB816A4B3 for ; Thu, 23 Oct 2003 15:48:46 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B696F43FB1 for ; Thu, 23 Oct 2003 15:48:45 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA14750; Thu, 23 Oct 2003 16:48:34 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.0.0.22.2.20031023162326.04c1e008@localhost>
X-Sender: brett@localhost (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Thu, 23 Oct 2003 16:41:21 -0600
To: security@freebsd.org
From: Brett Glass
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: /var partition overflow (due to spyware?) in FreeBSD default install
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 23 Oct 2003 22:48:47 -0000

All:

I'm posting this to FreeBSD-security (rather than FreeBSD-net) because the problems I'm seeing appear to have been caused by spyware, and because they constitute a possible avenue for denial of service on FreeBSD machines with default installs of the operating system.

Several of the FreeBSD machines on our network began to act strangely during the past week. Some have started to refuse mail; in other cases, important daemons have died without warning.
All of the machines are running 4.x releases of FreeBSD with all recent patches installed, and all are running the version of BIND supplied with FreeBSD. The "top" command, when run on these machines, showed that BIND is consuming very large amounts of CPU time, but this by itself couldn't explain all of the symptoms we were seeing.

This afternoon, I examined the machines and discovered the problem: full /var partitions caused by huge /var/log/messages files. Inspection of the files reveals hundreds of thousands of messages of the form:

Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns3.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns4.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns6.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns7.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns8.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns10.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)

The references to OpenNIC have caused me to suspect (though I have not verified it yet) that the problem is due to the New.Net spyware, which causes Windows machines to query OpenNIC's name servers. From what I've read so far, it appears that New.Net is "foistware" -- that is, it can be installed on innocent users' Windows machines without their consent via holes in Internet Explorer. But if New.Net is not what's responsible, SOMETHING certainly seems to be generating bogus DNS queries, which in turn are causing these messages.
FreeBSD currently comes configured, in the default install, to check /var/messages only once a day, and to rotate the log file if it's above a certain size. Unfortunately, these messages accumulate so rapidly that this is not sufficient; the /var partition in the default install can easily be overflowed long before the log is rotated, causing malfunctions.

I've temporarily changed /etc/crontab so that newsyslog is run every 5 minutes instead of once a day (which may be a good idea to prevent other denials of service via this sort of overflow as well). But it also makes sense to patch the system so that it does not fill so many verbose messages -- and/or to ignore the bogus queries generated by the spyware. It may also pay to patch BIND to limit the overhead that is incurred when such queries occur.

Ideas?

--Brett Glass
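The post's core operational question is how quickly a flood of these "sysquery" lines consumes /var, and therefore whether a daily newsyslog run can keep up. The following script is an added example, not code from the post or from FreeBSD: it parses syslog-style lines of the exact form quoted above, counts them per root NS name, measures the observed write rate, and projects how long a given amount of free space would last. The first ten sample lines are the post's excerpt; the second batch (same names stamped one second later), the sendmail noise line, the 2003 year used to complete the timestamps, and the 50 MiB free-space figure are all constructed assumptions for the demonstration.

```python
"""Measure the write rate of named 'sysquery' log lines and project /var fill time.

Added example; not part of the mailing-list post. Sample data is constructed:
the first ten lines are copied from the post, the rest are made up.
"""
import re
from collections import Counter
from datetime import datetime

# Matches the message form quoted in the post (BIND 8 "sysquery" warning).
SYSQUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"sysquery: no addrs found for root NS \((?P<ns>[^)]+)\)$"
)

# The ten lines quoted in the post.
POST_LINES = [
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns3.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns4.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns6.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns7.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns8.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns10.opennic.glue)",
    "Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)",
]

# Constructed: the same burst one second later, plus an unrelated line that must be ignored.
NOISE_LINE = "Oct 23 16:00:08 victim sendmail[400]: NOQUEUE: connection refused (constructed)"
SAMPLE_LINES = POST_LINES + [l.replace("16:00:07", "16:00:08") for l in POST_LINES] + [NOISE_LINE]


def parse_sysquery(line, year=2003):
    """Return (timestamp, root NS name, bytes written) for a sysquery line, else None.

    syslog timestamps carry no year, so the caller supplies one (assumed 2003 here).
    """
    m = SYSQUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    # +1 accounts for the newline syslogd appends to each record on disk.
    return ts, m.group("ns"), len(line.encode()) + 1


def summarize(lines, year=2003):
    """Count sysquery messages per NS name and compute the observed byte rate."""
    per_ns = Counter()
    total_bytes = 0
    first = last = None
    for line in lines:
        parsed = parse_sysquery(line, year)
        if parsed is None:
            continue
        ts, ns, nbytes = parsed
        per_ns[ns] += 1
        total_bytes += nbytes
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    count = sum(per_ns.values())
    # Inclusive window: a burst stamped entirely within one second still spans 1 s.
    window = (last - first).total_seconds() + 1 if count else 0.0
    return {
        "messages": count,
        "bytes": total_bytes,
        "per_ns": per_ns,
        "window_seconds": window,
        "bytes_per_second": total_bytes / window if window else 0.0,
    }


def seconds_to_fill(free_bytes, bytes_per_second):
    """Project how long free_bytes lasts at the observed rate (inf if nothing is written)."""
    if bytes_per_second <= 0:
        return float("inf")
    return free_bytes / bytes_per_second


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    free = 50 * 1024 * 1024  # assumed free space on /var; use df(1) on a real host
    print(f"{report['messages']} sysquery messages in {report['window_seconds']:.0f} s "
          f"({report['bytes_per_second']:.0f} B/s)")
    for ns, n in report["per_ns"].most_common():
        print(f"  {n:4d}  {ns}")
    remaining = seconds_to_fill(free, report["bytes_per_second"])
    print(f"at this rate {free} free bytes would last about {remaining:.0f} s")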