/var partition overflow (due to spyware?) in FreeBSD default install

From: Brett Glass (brett_at_lariat.org)
Date: 10/24/03

    Date: Thu, 23 Oct 2003 16:41:21 -0600
    To: security@freebsd.org
    
    

    All:

    I'm posting this to FreeBSD-security (rather than FreeBSD-net) because
    the problems I'm seeing appear to have been caused by spyware, and
    because they constitute a possible avenue for denial of service on
    FreeBSD machines with default installs of the operating system.

    Several of the FreeBSD machines on our network began to act strangely
    during the past week. Some have started to refuse mail; in other cases,
    important daemons have died without warning. All of the machines are
    running 4.x releases of FreeBSD with all recent patches installed, and
    all are running the version of BIND supplied with FreeBSD. The "top"
    command, when run on these machines, showed that BIND is consuming very
    large amounts of CPU time, but this by itself couldn't explain all of the
    symptoms we were seeing.

    This afternoon, I examined the machines and discovered the problem: full
    /var partitions caused by huge /var/log/messages files.

    Inspection of the files reveals hundreds of thousands of messages of the form:

    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns3.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns4.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns6.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns7.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns8.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns10.opennic.glue)
    Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)

    The references to OpenNIC have caused me to suspect (though I have not
    verified it yet) that the problem is due to the New.Net spyware, which
    causes Windows machines to query OpenNIC's name servers. From what I've
    read so far, it appears that New.Net is "foistware" -- that is, it can be
    installed on innocent users' Windows machines without their consent via
    holes in Internet Explorer. But if New.Net is not what's responsible,
    SOMETHING certainly seems to be generating bogus DNS queries, which in
    turn are causing these messages.

    FreeBSD currently comes configured, in the default install, to check
    /var/messages only once a day, and to rotate the log file if it's above a
    certain size. Unfortunately, these messages accumulate so rapidly that
    this is not sufficient; the /var partition in the default install can
    easily be overflowed long before the log is rotated, causing
    malfunctions. I've temporarily changed /etc/crontab so that newsyslog is
    run every 5 minutes instead of once a day (which may be a good idea to
    prevent other denials of service via this sort of overflow as well). But
    it also makes sense to patch the system so that it does not fill so many
    verbose messages -- and/or to ignore the bogus queries generated by the
    spyware. It may also pay to patch BIND to limit the overhead that is
    incurred when such queries occur. Ideas?

    --Brett Glass

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

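Before shortening the rotation interval, an administrator wants to know which message is flooding /var/log/messages and how fast it arrives. The following script is an added example, not code from the original post; it assumes the BSD syslog line layout "Mon DD HH:MM:SS host prog[pid]: text" and uses a constructed sample in place of the real log file.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise a BSD-syslog
# file by message template and measure its peak rate, so a flood such as the
# named "sysquery" storm above is identified before the /var partition fills.
# Assumes the "Mon DD HH:MM:SS host prog[pid]: text" layout of /var/log/messages.

# Constructed sample log (stand-in for /var/log/messages).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns3.opennic.glue)
Oct 23 16:00:08 victim named[326]: sysquery: no addrs found for root NS (ns4.opennic.glue)
Oct 23 16:00:08 victim sshd[412]: Accepted publickey for admin from 192.0.2.10 port 51022
Oct 23 16:00:09 victim named[326]: sysquery: no addrs found for root NS (ns6.opennic.glue)
EOF

# top_templates FILE N: the N most frequent "program: template" pairs, with
# pids, parenthesised details and numbers collapsed so variants count together.
top_templates() {
    awk '{
        prog = $5; sub(/\[[0-9]+\]:$/, "", prog); sub(/:$/, "", prog)
        msg = ""
        for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        gsub(/\([^)]*\)/, "(...)", msg)
        gsub(/[0-9]+/, "N", msg)
        count[prog ": " msg]++
    } END { for (k in count) print count[k], k }' "$1" | sort -rn | head -n "$2"
}

# peak_per_second FILE: the largest number of lines sharing one timestamp.
peak_per_second() {
    awk '{ n[$1 " " $2 " " $3]++ }
         END { m = 0; for (t in n) if (n[t] > m) m = n[t]; print m }' "$1"
}

# is_flooding FILE THRESHOLD: exit 0 when the peak rate reaches THRESHOLD
# lines per second, e.g. for a cron job that forces an early newsyslog run.
is_flooding() {
    [ "$(peak_per_second "$1")" -ge "$2" ]
}

top_templates "$SAMPLE_LOG" 2
```

Pointed at a real /var/log/messages, the first line of output names the program and template responsible for most of the growth, which is the fact needed before deciding whether to rotate more often, quieten the daemon, or filter the queries.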
