named exploit? AF_INET in udp sendmsg

Jim Reid jim at rfc1035.com
Mon Mar 27 20:35:29 UTC 2000


>>>>> "Paul" == Paul Reilly <paul at ireland.seds.org> writes:

    Paul> I fear our server has been compromised. I think they got in
    Paul> through an exploit in named. The following message was on
    Paul> the console:

    Paul> named forgot to set AF_INET in udp sendmsg. Fix it!

    Paul> Can anyone shed any light on this message and say whether
    Paul> it's a known security hole in named? We were running version
    Paul> 4.9.3

4.9.3 is *very* old. It is known to have security holes. Take a look
at the ISC's web site or CERT's security advisories. The last release
of BIND 4 was 4.9.7. It came out ~2 years ago.

As for the message on the console, I wouldn't attach much credence to
it at all. It looks like something an attacker created rather than a
message from the system software. Unless you do a complete audit of
the attacked system, there's no way of knowing how or if the system
was compromised. Perhaps the message was a decoy for some other attack
that was used to penetrate your system?


