Thanks to Mark Allen, Ann Cantelow, Edward Silver and Alan E Johannesen for their comments, as well as others responding to similar threads.
Mark Allen said:
There was a widespread Internet attack using a vulnerable version of
BIND (i.e., those not 4.9.7 or 8.1.2). You should verify immediately
that new and/or suspicious files have not appeared on your system (such
as /usr/lib/libsn.a). The attack ftp'ed a rootkit exploit system and may
have possibly installed a root-level X-term backdoor on port 666.
Ann Cantelow confirmed that she had the SAME string in her core dumps,
which points the finger, noting that 666 appeared in them (666, the
devil's sign...). On this confirmation we mailed cert@cert.org with
details.
Fortunately I think if your DNS crashed then the attack was unsuccessful -
at least we had no foreign files and telnetting to port 666 is completely
unsuccessful.
So, we followed Alan Johannesen's and Edward Silver's advice to assess
whether installing 8.1.2 was preferable to having DEC support, and we
decided it was.
Compilation was fine for our 3.2c with the DEC compiler, but you have to
watch out for the installation as it defaults to a different place. Also
you MUST convert your named.boot to a named.conf, which should go in /etc
and not /etc/namedb.
DO NOT USE BINDSETUP again!!
I confirm that underscores are not allowed in domain names, which brought
three of our clients down, and there was quite a bit of tidying to do with
the various host files as obviously the checking is much more thorough.
All in all it seems worthwhile.
Stuart McKenzie
Received on Wed May 20 1998 - 17:27:36 NZST
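The named.boot to named.conf conversion the post says you must do, as an added example that is not from the original post or from the BIND distribution (BIND 8 ships its own named-bootconf script for this): a small Python translator for the common BIND 4 boot directives, run over a constructed sample boot file. It covers directory, primary, secondary, cache, forwarders and forward-only; any other directive is left as a comment to convert by hand.

```python
import ipaddress

# Constructed sample named.boot (BIND 4 style); not taken from the original post.
SAMPLE_BOOT = """\
; BIND 4 boot file
directory /etc/namedb
primary example.com db.example.com
primary 0.0.127.in-addr.arpa db.127.0.0
secondary example.net 192.0.2.1 192.0.2.2 db.example.net.bak
cache . db.cache
forwarders 192.0.2.53
options forward-only
"""

def _is_addr(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def _zone(name, ztype, body):
    return f'zone "{name}" {{\n    type {ztype};\n{body}\n}};'

def boot_to_conf(boot_text):
    """Translate common named.boot directives into BIND 8 named.conf syntax."""
    options, zones = [], []
    for raw in boot_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in named.boot
        if not line:
            continue
        key, *args = line.split()
        if key == "directory":
            options.append(f'    directory "{args[0]}";')
        elif key == "forwarders":
            options.append("    forwarders { " + "".join(a + "; " for a in args) + "};")
        elif key == "options" and "forward-only" in args:
            options.append("    forward only;")
        elif key == "primary":
            zones.append(_zone(args[0], "master", f'    file "{args[1]}";'))
        elif key == "secondary":
            # secondary <domain> <master addr>... [backup file]
            masters = [a for a in args[1:] if _is_addr(a)]
            body = "    masters { " + "".join(m + "; " for m in masters) + "};"
            if not _is_addr(args[-1]):
                body += f'\n    file "{args[-1]}";'
            zones.append(_zone(args[0], "slave", body))
        elif key == "cache":
            zones.append(_zone(args[0], "hint", f'    file "{args[1]}";'))
        else:
            zones.append(f"// TODO convert by hand: {line}")
    return "options {\n" + "\n".join(options) + "\n};\n\n" + "\n\n".join(zones) + "\n"

if __name__ == "__main__":
    print(boot_to_conf(SAMPLE_BOOT))
```

Review the generated file before installing it in /etc, since named.boot options beyond the ones handled here are emitted only as TODO comments.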