older security bug in bind?
Kevin Darcy
kcd at daimlerchrysler.com
Tue May 2 21:48:14 UTC 2000
Duane Cox wrote:
> Hello
>
> I run the latest versin of bind on our nameservers,
> but I did have a caching only ns running bind 8.2-6
> Somehow someone did get access to the box by some process I am not sure of, I just suspect named.
>
> There was a process running /dev/.../ns that i have deleted, the funny thing is who ever done this
> somehow got access to destroy (possibly alter.. ??) the in.telnetd process ,
> because in.telnetd was NOT authenticating from the /etc/passwd list of users..
>
> is it possible that this older version of bind could allow someone to do that.. it was running via default settings.. (root)
What does "8.2-6" mean? I don't recall BIND 8.2 having more than one patch release. According to the BIND vulnerability
"matrix of doom" on http://www.isc.org/products/BIND/bind-security-19991108.html, BIND 8.2, 8.2p1 and 8.2.1 all have the NXT
vulnerability which allows attackers to potentially gain system access with the privileges of the "named" process; in your
case, root.
- Kevin
More information about the bind-users
mailing list