RE: BIND Crash

From: Mark Ng (laptopalias1-markat_private)
Date: Thu May 15 2003 - 14:44:15 PDT

    I've seen this today too.  One of my client's DNS servers has crashed twice
    in the same day, both times with the same message (or very similar).
    
    May 14 21:19:19 bilbo2 named[9491]: ns_resp.c:3946: ENSURE(cp <= eom_out)
    failed.
    
    I've not seen the file in /tmp on this machine however.  I'm looking to see
    if there have been any similar problems on any of their other machines.
    
    Will report if I see anything else.
    
    -----Original Message-----
    From: Gaby Vanhegan [mailto:gaby.vanheganat_private]
    Sent: 15 May 2003 09:05
    To: incidentsat_private
    Subject: BIND Crash
    
    
    Odd one this:
    
    I have three servers running BIND 8.3.  All of the bind processes crashed at
    around the same time with this message in /var/log/messages and
    /var/log/warn:
    
    May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out)
    failed.
    May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out)
    failed.
    
    I got the same message on each machine at around the same time (within 10
    mins) which suggests an address scan of some sort on port 53.  Each of the
    machines had a file in /tmp with some code in:
    
    a|O:1:"a":1:{s:4:"test";s:5:"hallo";}b|O:1:"b":1:{s:1:"a";R:1;}
    
    Which looks pretty much like something I don't want on any of my machines.
    Has anyone experienced anything similar?  There is nothing about this on
    CERT or SecurityFocus, but I'm still looking.  It basically shut down our
    DNS service, but didn't seem to get much farther.
    
    I've increased the logging level so I can find out what's going on if and
    when it happens again.  Has anyone had anything similar?
    
    
    
    
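The correlation both posters describe (the same named assertion failing on several hosts within about ten minutes) can be checked mechanically across collected syslog files. The script below is an added example, not part of either message: the function names are hypothetical, `hostA` and `hostB` are constructed stand-ins for the two servers whose logs the thread does not show, and the year is an assumed parameter because syslog timestamps omit it. It groups on source file and assertion expression rather than line number, since the two reports show different line numbers (3924 and 3946) for the same check.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input. The swallow and bilbo2 lines are the ones quoted in the thread
# (re-joined onto one line); the hostA and hostB lines are constructed.
SAMPLE = """\
May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
May 14 15:19:02 hostA named[412]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
May 14 15:24:40 hostB named[388]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
May 14 21:19:19 bilbo2 named[9491]: ns_resp.c:3946: ENSURE(cp <= eom_out) failed.
"""

# Matches named assertion-failure lines of the shape seen in the thread.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"(?P<file>[\w.]+):\d+: (?P<expr>(?:ENSURE|INSIST|REQUIRE)\(.*\)) failed\.$"
)

def parse(text, year=2003):
    """Yield (time, host, file, expr) per assertion failure; year is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["file"], m["expr"]

def correlated_crashes(text, window=timedelta(minutes=10), min_hosts=2):
    """Clusters where >= min_hosts distinct hosts hit one assertion within window."""
    by_assert = defaultdict(list)
    for ts, host, file, expr in parse(text):
        by_assert[(file, expr)].append((ts, host))
    clusters = []
    for key, events in by_assert.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            group = [e for e in events[i:] if e[0] - start <= window]
            hosts = sorted({h for _, h in group})  # duplicate lines collapse here
            if len(hosts) >= min_hosts:
                clusters.append((key, start, hosts))
            i += len(group)
    return clusters

if __name__ == "__main__":
    for (file, expr), start, hosts in correlated_crashes(SAMPLE):
        print(f"{start} {file} {expr}: {', '.join(hosts)}")
```

On the sample, the three afternoon hosts form one cluster, while the 21:19 crash on bilbo2 falls outside the window and is not reported as part of it.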
    



    This archive was generated by hypermail 2b30 : Thu May 15 2003 - 22:48:31 PDT