Re: Something new? bind dos? exploit?

From: Jeffrey Monahan (jmonahan_at_onlinemac.com)
Date: 02/16/04

    Date: 16 Feb 2004 20:10:48 -0000
    To: incidents@securityfocus.com
    In-Reply-To: <402CBDE3.3010308@avwashington.com>

    I found the problem with this error showing up on any Unix DNS server: if a client was using Declude spam software, then they need to take the monkeys.com entries out of the configuration file. The company that is handling that spam list did a change so that it would error out with the domain IP of 244.254.254.254 on all their requests.

    So if you have any customer or client that is using Declude with IMail or other NT mail service, please let them know to take all entries for monkeys.com out of their config file.

    Jeff Monahan
    jmonahan at onlinemac.com

    >From: Chip Mefford <cmefford@avwashington.com>
    >Date: Fri, 13 Feb 2004 07:06:59 -0500
    >To: incidents@securityfocus.com
    >Subject: Something new? bind dos? exploit?
    >Message-ID: <402CBDE3.3010308@avwashington.com>
    >
    >From the logs;
    >
    >Feb 13 06:55:40 hostname named[12631]: socket.c:1100: unexpected error:
    >Feb 13 06:55:40 hostname named[12631]: internal_send:
    >244.254.254.254#53: Invalid argument
    >
    >First noticed this yesterday on one of my "just for fun"
    >machines. Bind 9.1.3 just up and died after about 6 months
    >of painless trouble free uptime with this last gasp
    >in the logs;
    >
    >Feb 11 19:57:39 ns named[4162]: message.c:782: REQUIRE(*rdataset ==
    >((void *)0)) failed
    >Feb 11 19:57:39 ns named[4162]: exiting (due to assertion failure)
    >
    >I've since built 9.2.3 for this box, after checking for root
    >kits, and the usual suspects. (I got stung pretty badly about
    >6 years ago over that bind-4 trojan). Then I noticed
    >the above log entry. Never seen these before; going back
    >2 months in the logs, not ever seen anything like it.
    >
    >All of my machines running bind 9.1.3 or higher have not
    >been touched for months. All of them are seeing this traffic,
    >including ones not on my subnet.
    >
    >All are linux, but are running different flavors of the 2.4 kernel,
    >on different x86 hardware, all running source built bind (that has
    >otherwise been completely clean for many months).
    >
    >Any clues? insights? anyone else seeing this?
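One way a defender could triage the `internal_send` lines quoted above and sanity-check a DNSBL's answers, written as an added example for this thread (not code from either poster): it re-joins the wrapped log lines, counts failed sends per destination, and flags destinations in reserved ("class E") space such as 244.254.254.254, which the host refuses to send to (hence "Invalid argument"); it also treats any DNSBL answer outside 127.0.0.0/8 as the sign that the list has gone away and should be dropped from the Declude configuration, as the reply recommends. The sample log is constructed from the lines in the post; `triage`, `classify_target`, `unreachable_targets` and `dnsbl_answer_is_sane` are names chosen here.

```python
import ipaddress
import re

# Constructed sample modelled on the named lines quoted in this thread; the
# archive wraps the destination onto the line after "internal_send:".
SAMPLE_LOG = """\
Feb 13 06:55:40 hostname named[12631]: socket.c:1100: unexpected error:
Feb 13 06:55:40 hostname named[12631]: internal_send:
244.254.254.254#53: Invalid argument
Feb 13 06:56:02 hostname named[12631]: internal_send:
244.254.254.254#53: Invalid argument
Feb 13 06:57:10 hostname named[12631]: internal_send: 192.0.2.53#53: Network is unreachable
"""

SEND_RE = re.compile(r"internal_send:\s*(?P<addr>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+):\s*(?P<err>[^\n]+)")

def classify_target(addr: str) -> str:
    """Why named could not hand addr to the kernel as a query destination."""
    ip = ipaddress.ip_address(addr)
    if ip.is_reserved:        # 240.0.0.0/4 ("class E"), e.g. 244.254.254.254
        return "reserved"
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "local"
    return "global"

def triage(log_text: str) -> dict:
    """Count failed sends per destination after re-joining wrapped lines."""
    joined = re.sub(r"internal_send:\s*\n\s*", "internal_send: ", log_text)
    findings = {}
    for m in SEND_RE.finditer(joined):
        entry = findings.setdefault(m["addr"], {"kind": classify_target(m["addr"]),
                                                "count": 0, "errors": set()})
        entry["count"] += 1
        entry["errors"].add(m["err"].strip())
    return findings

def unreachable_targets(log_text: str) -> list:
    """Destinations no host can send to; each one points at a bogus upstream answer."""
    return sorted(a for a, e in triage(log_text).items()
                  if e["kind"] in ("reserved", "multicast"))

def dnsbl_answer_is_sane(answer: str) -> bool:
    """DNSBL listings are conventionally 127.0.0.0/8; a list answering with anything
    else (here 244.254.254.254) has gone away and should be removed from the config."""
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
```

Run `triage(SAMPLE_LOG)` against a real `named` log to see which destinations keep failing, and `dnsbl_answer_is_sane()` on the A record a configured list returns for a known-listed test address.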
