named exploit? AF_INET in udp sendmsg
jim at rfc1035.com
Mon Mar 27 20:35:29 UTC 2000

>>>>> "Paul" == Paul Reilly <paul at ireland.seds.org> writes:
Paul> I fear our server has been compromised. I think they got in
Paul> through an exploit in named. The following message was on
Paul> the console:
Paul> named forgot to set AF_INET in udp sendmsg. Fix it!
Paul> Can anyone shed any light on this message and say whether
Paul> it's a known security hole in named? We were running version

4.9.3 is *very* old. It is known to have security holes. Take a look
at the ISC's web site or CERT's security advisories. The last release
of BIND 4 was 4.9.7. It came out ~2 years ago.

As for the message on the console, I wouldn't attach much credence to
it at all. It looks like something an attacker created rather than a
message from the system software. Unless you do a complete audit of
the attacked system, there's no way of knowing how or if the system
was compromised. Perhaps the message was a decoy for some other attack
that was used to penetrate your system?