Re: Something new? bind dos? exploit?

From: Dennis Opacki (dopacki_at_adotout.com)
Date: 02/14/04

    Date: Sat, 14 Feb 2004 07:18:30 -0500
    To: Chip Mefford <cmefford@avwashington.com>
    
    


    Chip,

    We began seeing this in our logs earlier this week and investigated.
    The errors we were seeing were related to:

    bogus-maximus.monkeys.com. 79679 A 244.254.254.254

    Upon contacting the domain owner, he informed us that he recently ran a
    DNS spam blacklist, which was DoS'd out of existence by angry spammers.
    Even after he shut the blacklist down, he was still seeing a large
    number of queries from folks configured to use the list. The solution
    he selected to shunt away the traffic was to return the above bogus
    record.

    The following seems to corroborate his story (sorry for the wrapped
    link):

    http://groups.google.com/groups?q=%22Now+retired+from+spam+fighting%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=vn1lufn8h6r38%40corp.supernews.com&rnum=4

    Interestingly enough, only our Bind 9 resolvers seem to have a problem
    with it.

    -Dennis

    On Feb 13, 2004, at 7:06 AM, Chip Mefford wrote:

    > From the logs:
    >
    > Feb 13 06:55:40 hostname named[12631]: socket.c:1100: unexpected error:
    > Feb 13 06:55:40 hostname named[12631]: internal_send:
    > 244.254.254.254#53: Invalid argument
    >
    > First noticed this yesterday on one of my "just for fun"
    > machines. Bind 9.1.3 just up and died after about 6 months
    > of painless trouble free uptime with this last gasp
    > in the logs;
    >
    > Feb 11 19:57:39 ns named[4162]: message.c:782: REQUIRE(*rdataset ==
    > ((void *)0)) failed
    > Feb 11 19:57:39 ns named[4162]: exiting (due to assertion failure)
    >
    > I've since built 9.2.3 for this box, after checking for root
    > kits, and the usual suspects. (I got stung pretty badly about
    > 6 years ago over that bind-4 trojan.) Then I noticed
    > the above log entry. Never seen these before; going back
    > 2 months in the logs, I have not seen anything like it.
    >
    > All of my machines running bind 9.1.3 or higher, have not
    > been touched for months. All of them are seeing this traffic,
    > including ones not on my subnet.
    >
    > All are linux, but are running different flavors of the 2.4 kernel,
    > on different x86 hardware, all running source built bind (that has
    > otherwise been completely clean for many months).
    >
    > Any clues? insights? anyone else seeing this?


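As an added example (not code from this thread or from ISC), a small Python checker for the two things the exchange above turns on: A records that point into reserved address space such as 244.254.254.254, which a resolver will fail to send queries to, and the named log lines that show up when it tries. The sample record and log lines are constructed from the ones quoted in the thread (with the wrapped `internal_send` line joined), and the list of "do not follow" networks is an assumption an operator would tune.

```python
import ipaddress
import re

# Constructed sample: the record Dennis quoted plus two ordinary A records.
SAMPLE_RECORDS = """\
bogus-maximus.monkeys.com. 79679 A 244.254.254.254
ns.example.com. 3600 A 192.0.2.10
www.example.com. 300 A 198.51.100.7
"""

# Constructed named log lines modelled on the ones Chip posted.
SAMPLE_LOG = """\
Feb 13 06:55:40 hostname named[12631]: socket.c:1100: unexpected error:
Feb 13 06:55:40 hostname named[12631]: internal_send: 244.254.254.254#53: Invalid argument
Feb 11 19:57:39 ns named[4162]: message.c:782: REQUIRE(*rdataset == ((void *)0)) failed
Feb 11 19:57:39 ns named[4162]: exiting (due to assertion failure)
Feb 13 07:00:01 ns named[4162]: client 10.0.0.5#1053: query: www.example.com IN A
"""

# Assumption: networks the operator never wants a resolver to send a query to.
# 240.0.0.0/4 is the reserved block that 244.254.254.254 falls into.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def is_bogon(addr: str) -> bool:
    """True if addr lies in one of the BOGON_NETS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

def flag_bogus_a_records(zone_text: str) -> list:
    """Return (owner, address) pairs for A records pointing into bogon space."""
    flagged = []
    for line in zone_text.splitlines():
        parts = line.split()          # owner TTL type rdata
        if len(parts) == 4 and parts[2] == "A" and is_bogon(parts[3]):
            flagged.append((parts[0], parts[3]))
    return flagged

SEND_ERR = re.compile(r"internal_send: (\d+\.\d+\.\d+\.\d+)#\d+: Invalid argument")
ASSERT_EXIT = re.compile(r"exiting \(due to assertion failure\)")

def scan_named_log(log_text: str) -> dict:
    """Collect addresses named failed to send to, and whether it aborted."""
    targets, aborted = [], False
    for line in log_text.splitlines():
        m = SEND_ERR.search(line)
        if m:
            targets.append(m.group(1))
        if ASSERT_EXIT.search(line):
            aborted = True
    return {"send_failures": targets, "assertion_exit": aborted}
```

Running `flag_bogus_a_records` over a cache dump or `scan_named_log` over syslog gives the operator the offending name and address to null-route or blackhole in the resolver rather than waiting for named to die.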
