"Dave Clendenan": [BIND-BUGS #931] attack on my nameserver

Paul A Vixie vixie at mibh.net
Sat Jun 3 16:22:27 UTC 2000


anybody else seen this?

------- Forwarded Message

Return-Path: clendenan at squirrel.ipbay.com
Received: from box.mfnx.net (box.mfnx.net [204.152.184.227]) 
	by redpaul.mibh.net (8.9.3/8.9.1) via ESMTP id VAA35383
	for <vixie at redpaul.mibh.net>; Fri, 2 Jun 2000 21:54:55 -0700 (PDT)
	env-from (clendenan at squirrel.ipbay.com)
Received: from bb.rc.vix.com (bb.rc.vix.com [204.152.187.11]) 
	by box.mfnx.net (8.9.3/8.9.1) via ESMTP id VAA04937
	for <vixie at mibh.net>; Fri, 2 Jun 2000 21:54:55 -0700 (PDT)
	env-from (clendenan at squirrel.ipbay.com)
Received: 
	by bb.rc.vix.com (8.9.1/8.9.1) id VAA26054
	for bind-bugs-dist at isc.org; Fri, 2 Jun 2000 21:54:54 -0700 (PDT)
	env-from (clendenan at squirrel.ipbay.com)
Received: from isrv3.isc.org (isrv3.isc.org [204.152.184.87]) 
        by bb.rc.vix.com (8.9.1/8.9.1) via ESMTP id VAA26049
        for <bind-bugs-isc at bb.rc.vix.com>; Fri, 2 Jun 2000 21:54:49 -0700 (PDT)
        env-from (clendenan at squirrel.ipbay.com)
Received: from squirrel.ipbay.com (cr171684-a.crdva1.bc.wave.home.com [24.113.181.105]) 
        by isrv3.isc.org (8.9.1/8.9.1) via ESMTP id VAA20902
        for <bind-bugs at isc.org>; Fri, 2 Jun 2000 21:54:48 -0700 (PDT)
        env-from (clendenan at squirrel.ipbay.com)
Received: from flea (flea.familydomain [192.168.237.10])
        by squirrel.ipbay.com (8.9.3/8.8.7) with SMTP id VAA08335
        for <bind-bugs at isc.org>; Fri, 2 Jun 2000 21:55:10 -0700
From: "Dave Clendenan" <clendenan at squirrel.ipbay.com>
To: <bind-bugs at isc.org>
Subject: [BIND-BUGS #931] attack on my nameserver
Date: Fri, 2 Jun 2000 21:55:38 -0700
Message-Id: <NEBBJACBBMHNBCLCEIAACELJCBAA.clendenan at squirrel.ipbay.com>
Mime-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
Cc: bind-bugs at isc.org

Hi,

Last weekend my server was attacked, and the means 
of entry seemed to be BIND 8.2.2-P5.
Yup, the latest BIND.

The telltale 'ADMROCKS' directory was left in 
/var/named.

It seems from my research that the problem was mostly that I'd
run with the default (allow recursion and fetch-glue requests, 
run as root) settings.

Everything I've read since says don't do any of these things.

Have I been reading the wrong info, or are the defaults kinda
lame?

Please respond, I'm most curious about this...

Thanks,

Dave


------- End of Forwarded Message
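The three defaults Dave lists (recursion for anyone, glue fetching, named running as root) are all things BIND 8 lets you turn off, but only if you say so. What follows is an added example, not Dave's configuration and not ISC's shipped defaults: a BIND 8-style named.conf that shows the permissive settings he describes beside a locked-down equivalent, plus the command line that drops root. The zone name, the 192.168.237.0/24 network (taken from the internal address in the mail headers) and the chroot path are assumptions for illustration.

```conf
// Added example, not from the original report or from ISC.  BIND 8 syntax.
// The zone, network ranges and paths below are assumptions.

// ---- (a) effectively what the defaults give you ----
// Writing these out is equivalent to leaving them out in BIND 8: the server
// recurses for any client on the Internet and fetches glue on its behalf.
options {
        directory "/var/named";
        recursion yes;
        fetch-glue yes;
};

// ---- (b) hardened: authoritative for our zone, recursive only for our hosts ----
acl "ournets" { 127.0.0.1; 192.168.237.0/24; };   // assumption: the LAN seen in the headers

options {
        directory "/var/named";
        version "not disclosed";                  // don't hand out the exact build to scanners
        recursion yes;                            // LAN clients still need a resolver ...
        allow-recursion { "ournets"; };           // ... but outsiders get no recursion
        fetch-glue no;                            // don't chase glue for other people's queries
        allow-query { "ournets"; };               // global default: answer only our own clients
        allow-transfer { none; };                 // no zone transfers unless a secondary is listed
};

zone "example.com" {                              // assumption: the zone this server is master for
        type master;
        file "example.com.db";
        allow-query { any; };                     // the public may ask about what we are authoritative for
};

// Running as an unprivileged user inside a chroot is not a named.conf setting;
// it is given on the command line (BIND 8.1.2 and later).  The user, group and
// directory must exist and the chroot must contain the zone files and config:
//
//   named -u named -g named -t /var/named/chroot
```

Two things worth checking after a restart: `ps` should show named owned by the unprivileged user rather than root, and a recursive query for an outside name sent from an address not in "ournets" should not be resolved, while a query for example.com still is. Keep in mind what each knob buys you: refusing recursion and glue fetching to strangers shrinks the set of queries an outsider can make the server process, but it does not fix a bug in the code that handles the queries it still accepts. The user and chroot settings are what limit the damage when such a bug is hit; a directory dropped in /var/named shows the intruder was acting with whatever privileges named was running under.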




More information about the bind-workers mailing list