"Dave Clendenan": [BIND-BUGS #931] attack on my nameserver
Paul A Vixie
vixie at mibh.net
Sat Jun 3 16:22:27 UTC 2000
Anybody else seen this?
------- Forwarded Message
Return-Path: clendenan at squirrel.ipbay.com
Received: from box.mfnx.net (box.mfnx.net [204.152.184.227])
by redpaul.mibh.net (8.9.3/8.9.1) via ESMTP id VAA35383
for <vixie at redpaul.mibh.net>; Fri, 2 Jun 2000 21:54:55 -0700 (PDT)
env-from (clendenan at squirrel.ipbay.com)
Received: from bb.rc.vix.com (bb.rc.vix.com [204.152.187.11])
by box.mfnx.net (8.9.3/8.9.1) via ESMTP id VAA04937
for <vixie at mibh.net>; Fri, 2 Jun 2000 21:54:55 -0700 (PDT)
env-from (clendenan at squirrel.ipbay.com)
Received:
by bb.rc.vix.com (8.9.1/8.9.1) id VAA26054
for bind-bugs-dist at isc.org; Fri, 2 Jun 2000 21:54:54 -0700 (PDT)
env-from (clendenan at squirrel.ipbay.com)
Received: from isrv3.isc.org (isrv3.isc.org [204.152.184.87])
by bb.rc.vix.com (8.9.1/8.9.1) via ESMTP id VAA26049
for <bind-bugs-isc at bb.rc.vix.com>; Fri, 2 Jun 2000 21:54:49 -0700 (PDT)
env-from (clendenan at squirrel.ipbay.com)
Received: from squirrel.ipbay.com (cr171684-a.crdva1.bc.wave.home.com [24.113.181.105])
by isrv3.isc.org (8.9.1/8.9.1) via ESMTP id VAA20902
for <bind-bugs at isc.org>; Fri, 2 Jun 2000 21:54:48 -0700 (PDT)
env-from (clendenan at squirrel.ipbay.com)
Received: from flea (flea.familydomain [192.168.237.10])
by squirrel.ipbay.com (8.9.3/8.8.7) with SMTP id VAA08335
for <bind-bugs at isc.org>; Fri, 2 Jun 2000 21:55:10 -0700
From: "Dave Clendenan" <clendenan at squirrel.ipbay.com>
To: <bind-bugs at isc.org>
Subject: [BIND-BUGS #931] attack on my nameserver
Date: Fri, 2 Jun 2000 21:55:38 -0700
Message-Id: <NEBBJACBBMHNBCLCEIAACELJCBAA.clendenan at squirrel.ipbay.com>
Mime-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
Cc: bind-bugs at isc.org
Hi,
Last weekend my server was attacked, and the means
of entry seemed to be BIND 8.2.2-P5.
Yup, the latest BIND.
The telltale 'ADMROCKS' directory was left in
/var/named.
It seems from my research that the problem was mostly that I'd
run with the default (allow recursion and fetch-glue requests,
run as root) settings.
Everything I've read since says don't do any of these things.
Have I been reading the wrong info, or are the defaults kinda
lame?
Please respond; I'm most curious about this...
Thanks,
Dave
------- End of Forwarded Message
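As an added illustration of the three defaults Dave lists (recursion open to everyone, fetch-glue on, daemon running as root), here is a BIND 8.2.x named.conf fragment in that shape beside a hardened one. This is example configuration written for this page, not from the post, from ISC, or from the poster's actual server; the "trusted" ACL, the 192.168.237.0/24 network (taken from the flea.familydomain address in the headers), the zone name, the 192.0.2.2 secondary and the "named" account are all assumptions for illustration.

```conf
// BIND 8.2.x named.conf fragments (hypothetical example, not from the
// original post). Addresses, zone name and the "named" account are assumed.

// --- Roughly what the defaults described in the post amount to. Any host on
// --- the Internet can use this server as a recursive resolver and have glue
// --- fetched on its behalf, and if started as a bare "named" it runs as root.
options {
        directory "/var/named";
        recursion yes;        // BIND 8 default
        fetch-glue yes;       // BIND 8 default
};

// --- Hardened: recursion (and the glue fetching that goes with it) only for
// --- the local network; everyone else gets answers for our own zones only.
acl "trusted" {
        127.0.0.1;
        192.168.237.0/24;     // assumed: the LAN behind squirrel.ipbay.com
};

options {
        directory "/var/named";
        fetch-glue no;
        allow-recursion { "trusted"; };
        allow-query { any; };            // public lookups of authoritative data
        version "not disclosed";         // don't advertise 8.2.2-P5 via CHAOS TXT
};

// Zone transfers only to the hosts that are actually secondaries.
zone "example.com" {                     // assumed zone, not the poster's
        type master;
        file "example.com.zone";
        allow-transfer { 192.0.2.2; };   // assumed secondary address
};

// Start the daemon unprivileged and chrooted (BIND 8.2.x command-line flags):
//   named -u named -g named -t /chroot/named -c /etc/named.conf
// named must still start as root to bind port 53; -u/-g drop privileges after
// initialisation. With -t, named chroots before reading the configuration, so
// the -c path, "directory", zone files and the named-xfer helper all have to
// live under /chroot/named (the config above would sit at
// /chroot/named/etc/named.conf and the zone at /chroot/named/var/named/).
```

To verify the result, `ps -o user,args -C named` should show the named user rather than root, and a query for a name outside your zones sent from an address that is not in "trusted" should come back without recursion having been performed. Two caveats: allow-recursion and fetch-glue reduce who can push data through the resolver path, and -u/-t limit what a successful attack on the daemon yields (the named user's view of a chroot, not root on the box), but none of these settings patch a bug in the daemon itself; and on a recursion-restricted server, "trusted" must genuinely cover every client that needs resolution, or those clients will silently get non-recursive answers.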