Odd one this:

I have three servers running BIND 8.3. All of the bind processes crashed at around the same time with this message in /var/log/messages and /var/log/warn:

    May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
    May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.

I got the same message on each machine at around the same time (within 10 mins), which suggests an address scan of some sort on port 53.

Each of the machines had a file in /tmp with some code in:

    a|O:1:"a":1:{s:4:"test";s:5:"hallo";}b|O:1:"b":1:{s:1:"a";R:1;}

Which looks pretty much like something I don't want on any of my machines.

Has anyone experienced anything similar? There is nothing about this on CERT or SecurityFocus, but I'm still looking. It basically shut down our DNS service, but didn't seem to get much farther. I've increased the logging level so I can find out what's going on if and when it happens again.

Has anyone had anything similar?

Gaby

--
GABY VANHEGAN, Web Developer
gaby.vanheganat_private
an agency called england
marshall mill. marshall street. leeds LS11 9YJ
t.0113 234 5600 f.0113 234 5601
http://www.englandagency.com/
This archive was generated by hypermail 2b30 : Fri May 16 2003 - 03:38:39 PDT