From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 04:30:01 2003
From: "G. Panula" <greg.panula@lexisnexis.com>
To: Brett Glass
cc: security@freebsd.org
Date: Tue, 28 Oct 2003 06:29:56 -0600
Message-ID: <3F9E6144.2080206@lexisnexis.com>
In-Reply-To: <6.0.0.22.2.20031023162326.04c1e008@localhost>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030918
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install

Brett Glass wrote:
> All:
>
> I'm posting this to FreeBSD-security (rather than FreeBSD-net) because
> the problems I'm seeing appear to have been caused by spyware, and
> because they constitute a possible avenue for denial of service on
> FreeBSD machines with default installs of the operating system.
>
> Several of the FreeBSD machines on our network began to act strangely
> during the past week. Some have started to refuse mail; in other cases,
> important daemons have died without warning. All of the machines are
> running 4.x releases of FreeBSD with all recent patches installed, and
> all are running the version of BIND supplied with FreeBSD. The "top"
> command, when run on these machines, showed that BIND is consuming very
> large amounts of CPU time, but this by itself couldn't explain all of
> the symptoms we were seeing.
>
> This afternoon, I examined the machines and discovered the problem: full
> /var partitions caused by huge /var/log/messages files.
>
> Inspection of the files reveals hundreds of thousands of messages of the
> form:
>
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns3.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns4.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns6.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns7.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns8.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns10.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
>
> The references to OpenNIC have caused me to suspect (though I have not
> verified it yet) that the problem is due to the New.Net spyware, which
> causes Windows machines to query OpenNIC's name servers. From what I've
> read so far, it appears that New.Net is "foistware" -- that is, it can
> be installed on innocent users' Windows machines without their consent
> via holes in Internet Explorer. But if New.Net is not what's
> responsible, SOMETHING certainly seems to be generating bogus DNS
> queries, which in turn are causing these messages.
>
> FreeBSD currently comes configured, in the default install, to check
> /var/messages only once a day, and to rotate the log file if it's above
> a certain size. Unfortunately, these messages accumulate so rapidly that
> this is not sufficient; the /var partition in the default install can
> easily be overflowed long before the log is rotated, causing
> malfunctions. I've temporarily changed /etc/crontab so that newsyslog is
> run every 5 minutes instead of once a day (which may be a good idea to
> prevent other denials of service via this sort of overflow as well). But
> it also makes sense to patch the system so that it does not fill so many
> verbose messages -- and/or to ignore the bogus queries generated by the
> spyware. It may also pay to patch BIND to limit the overhead that is
> incurred when such queries occur. Ideas?
>

Wouldn't a better work-around be to either add the ns*.opennic.glue
addresses to named.root or set up a dummy zone for .glue that just
returns a localhost address to the client?

Or a possible solution would be to set up BIND to log directly to its
own log files and rotate them when needed, and turn off logging to
syslog. BIND 8 and 9 allow for logging of various messages to different
files and letting BIND rotate them when needed. Check out the BIND
documentation. There is a helpful example available at:

  http://logreport.org/doc/gen/dns/bind8.php

Here's a quick example from BIND 9:

  # This sets up logging options:
  # general info is logged to both syslog and a local file;
  # info about lame servers is sent to /dev/null
  logging {
      channel named_log {
          file "/var/named/named.log" versions 5 size 1m;
          severity info;
          print-time yes;
      };
      channel null {
          null;
      };
      category "default" { "named_log"; default_syslog; };
      category "lame-servers" { "null"; };
  };

I guess as an improvement on the default named.conf, it could include an
example section on logging options.

greg
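As an added example (not part of either message in this thread), a small Python script that parses syslog lines of the kind quoted above, groups them by message template, and projects how fast the observed write rate would fill a /var partition, so an admin can judge whether the once-a-day newsyslog run is enough. The sample lines are constructed; the hostname and addresses are placeholders.

```python
import re
from datetime import datetime
# Constructed sample in the syslog format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns3.opennic.glue)
Oct 23 16:00:08 victim sshd[512]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
Oct 23 16:00:08 victim named[326]: sysquery: no addrs found for root NS (ns4.opennic.glue)
Oct 23 16:00:09 victim named[326]: lame server resolving 'example.test' (in 'test'?): 192.0.2.53#53
Oct 23 16:00:09 victim named[326]: sysquery: no addrs found for root NS (ns6.opennic.glue)
"""

# Traditional BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def normalize(msg):
    """Collapse per-message variable fields so repeats of one complaint share a key."""
    msg = re.sub(r"\([^)]*\)", "(...)", msg)          # e.g. (ns0.opennic.glue)
    msg = re.sub(r"'[^']*'", "'...'", msg)            # e.g. 'example.test'
    return re.sub(r"\b\d{1,3}(\.\d{1,3}){3}(#\d+)?", "A.B.C.D", msg)

def analyze(log_text, year=2003):
    """Return ({(prog, template): (lines, bytes)}, span_seconds) for the parsed lines."""
    stats, first, last = {}, None, None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        first = first or ts
        last = ts
        key = (m["prog"], normalize(m["msg"]))
        n, size = stats.get(key, (0, 0))
        stats[key] = (n + 1, size + len(line) + 1)    # +1 for the newline byte
    span = (last - first).total_seconds() if first else 0.0
    return stats, max(span, 1.0)   # a sub-second sample still gives a finite rate

def top_offender(stats):
    """The (prog, template) writing the most bytes and its share of all bytes."""
    total = sum(size for _, size in stats.values())
    key, (n, size) = max(stats.items(), key=lambda kv: kv[1][1])
    return key, n, size / total

def hours_to_fill(free_bytes, stats, span):
    """Project how long the observed write rate needs to fill free_bytes of /var."""
    rate = sum(size for _, size in stats.values()) / span   # bytes per second
    return float("inf") if rate == 0 else free_bytes / (rate * 3600)
```

Run it over a real /var/log/messages (with the right year) and compare hours_to_fill against the newsyslog interval; if the projection is shorter than the interval, the log needs a tighter size limit or its own BIND channel as suggested above.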