BIND Crash

From: Gaby Vanhegan (gaby.vanheganat_private)
Date: Thu May 15 2003 - 01:05:27 PDT


    Odd one this:
    
    I have three servers running BIND 8.3.  All of the bind processes crashed at
    around the same time with this message in /var/log/messages and
    /var/log/warn:
    
    May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
    May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
    
    I got the same message on each machine at around the same time (within 10
    mins) which suggests an address scan of some sort on port 53.  Each of the
    machines had a file in /tmp with some code in:
    
    a|O:1:"a":1:{s:4:"test";s:5:"hallo";}b|O:1:"b":1:{s:1:"a";R:1;}
    
    Which looks pretty much like something I don't want on any of my machines.
    Has anyone experienced anything similar?  There is nothing about this on
    CERT or SecurityFocus, but I'm still looking.  It basically shut down our
    DNS service, but didn't seem to get much farther.
    
    I've increased the logging level so I can find out what's going on if and
    when it happens again.  Has anyone had anything similar?
    
    Gaby
    
    -- 
    GABY VANHEGAN, Web Developer
    gaby.vanheganat_private
    
    an agency called england
    marshall mill. marshall street. leeds LS11 9YJ
    t.0113 234 5600 f.0113 234 5601
    http://www.englandagency.com/
    
    This e-mail contains information that is confidential and may be
    Legally privileged. If  this e-mail has been addressed to you in
    error and you are not the person intended or authorised to receive
    it or a copy of it, please notify the sender as soon as possible. 
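
Added example, not part of the original post: one way to check the "same message on each machine within 10 mins" observation is to pull `named` assertion failures out of the collected syslog files and group them by assertion site and time window. The sample log is constructed (only the `swallow` line comes from the post; `host-b`, `host-c`, their PIDs and timestamps are made up), the year is an assumed parameter because syslog omits it, and each entry is assumed to be on one unwrapped line.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: first two lines as quoted in the post, the rest invented.
SAMPLE_LOG = """\
May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
May 14 15:19:02 host-b named[412]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
May 14 15:24:41 host-c named[388]: ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
May 14 15:30:00 host-c cron[901]: (root) CMD (run-parts)
"""

# timestamp, host, source file, line, assertion kind, asserted expression
ASSERT_RE = re.compile(
    r"^(\w{3}\s+\d+\s\d\d:\d\d:\d\d) (\S+) named\[\d+\]: "
    r"(\S+?):(\d+): (REQUIRE|ENSURE|INSIST|INVARIANT)\((.*)\) failed\.$")

def parse_failures(text, year):
    """Return (time, host, assertion site) for every named assertion failure."""
    found = []
    for line in text.splitlines():
        m = ASSERT_RE.match(line.strip())
        if m:
            ts, host, src, lineno, kind, expr = m.groups()
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            found.append((when, host, f"{src}:{lineno} {kind}({expr})"))
    return found

def correlated(failures, window=timedelta(minutes=10), min_hosts=2):
    """Map each assertion site to the largest set of hosts that first hit it
    within `window` of one another; sites below `min_hosts` are dropped."""
    first_seen = {}  # (site, host) -> earliest failure time on that host
    for when, host, site in failures:
        key = (site, host)
        if key not in first_seen or when < first_seen[key]:
            first_seen[key] = when
    by_site = {}
    for (site, host), when in first_seen.items():
        by_site.setdefault(site, []).append((when, host))
    result = {}
    for site, hits in by_site.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = [h for t, h in hits[i:] if t - start <= window]
            if len(hosts) >= min_hosts and len(hosts) > len(result.get(site, [])):
                result[site] = hosts
    return result

if __name__ == "__main__":
    for site, hosts in correlated(parse_failures(SAMPLE_LOG, 2003)).items():
        print(f"{site}: {len(hosts)} hosts within 10 min -> {', '.join(hosts)}")
```
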
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 16 2003 - 03:38:39 PDT