Something new? bind dos? exploit?

• Previous message: Alexander Kiwerski: "Re: buddylinks worm"
• Next in thread: jlewis_at_lewis.org: "Re: Something new? bind dos? exploit?"
• Reply: jlewis_at_lewis.org: "Re: Something new? bind dos? exploit?"
• Reply: Dennis Opacki: "Re: Something new? bind dos? exploit?"
• Maybe reply: Henrik Johansen: "Re: Something new? bind dos? exploit?"
• Maybe reply: Jeffrey Monahan: "Re: Something new? bind dos? exploit?"
• Maybe reply: Dan Merillat: "Re: Something new? bind dos? exploit?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 13 Feb 2004 07:06:59 -0500
To: incidents@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

~From the logs;

Feb 13 06:55:40 hostname named[12631]: socket.c:1100: unexpected error:
Feb 13 06:55:40 hostname named[12631]: internal_send:
244.254.254.254#53: Invalid argument

First noticed this yesterday on one of my "just for fun"
machines. Bind 9.1.3 just up and died after about 6 months
of painless trouble free uptime with this last gasp
in the logs;

Feb 11 19:57:39 ns named[4162]: message.c:782: REQUIRE(*rdataset ==
((void *)0)) failed
Feb 11 19:57:39 ns named[4162]: exiting (due to assertion failure)

I've since built 9.2.3 for this box, after checking for root
kits, and the usual suspects. (I got stung pretty badly about
6 years ago over that bind-4 trojan). Then I noticed
the above log entry.. Never seen these before, going back
2 months in the logs, not ever seen anything like it.

All of my machines running bind 9.1.3 or higher, have not
been touched for months. All of them are seeing this traffic,
including ones not on my subnet.

All are linux, but are running different flavors of the 2.4 kernel,
on different x86 hardware, all running source built bind (that has
otherwise been completely clean for many months).

Any clues? insights? anyone else seeing this?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFALL3hKwBdjKaYQmYRAhs5AJ4k2NacjSxAAcbux0uhKDPJadtf1wCdFLtr
XNnLG4WnskiV00lmcOTqWWs=
=nm3+
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content, and is believed to be clean.
---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.
Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.
Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------

• Previous message: Alexander Kiwerski: "Re: buddylinks worm"
• Next in thread: jlewis_at_lewis.org: "Re: Something new? bind dos? exploit?"
• Reply: jlewis_at_lewis.org: "Re: Something new? bind dos? exploit?"
• Reply: Dennis Opacki: "Re: Something new? bind dos? exploit?"
• Maybe reply: Henrik Johansen: "Re: Something new? bind dos? exploit?"
• Maybe reply: Jeffrey Monahan: "Re: Something new? bind dos? exploit?"
• Maybe reply: Dan Merillat: "Re: Something new? bind dos? exploit?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]