Recently there have been a pile of RH6.x boxen cracked by various nefarious
persons. The general consensus appears to be that Bind is the culprit so far as
the exploited weakness goes. I can't say for sure myself as I have not been
cracked, though I do have some folks sniffing around port 1080 on my firewall
lately:
socks 1080/tcp # socks proxy server
socks 1080/udp # socks proxy server
Most recent snoop:
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jan 3 17:11:25 ns portsentry[545]: attackalert: Connect from host: user-33qtnd1.dialup.mindspring.com/199.174.221.161 to TCP port: 1080
Jan 3 17:11:26 ns portsentry[545]: attackalert: Host 199.174.221.161 has been blocked via wrappers with string: "ALL: 199.174.221.161"
Jan 3 17:11:26 ns portsentry[545]: attackalert: Host 199.174.221.161 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 199.174.221.161 -j DENY -l"
Jan 3 17:11:26 ns portsentry[545]: attackalert: Connect from host: user-33qtnd1.dialup.mindspring.com/199.174.221.161 to TCP port: 1080
Jan 3 17:11:26 ns portsentry[545]: attackalert: Host: 199.174.221.161 is already blocked. Ignoring
I don't know what they're looking for... my guess is some Mickeysoft garbage
which I don't have but I don't know for sure.
In any event I have grabbed and built the latest src.rpm version of bind from
rawhide. There have been crack reports and discussions on several lists I'm on
where the general consensus is that you need to be at Patch Level 5 with bind
8.2.2 to prevent this from happening. The rawhide rpm is at patch level 5.
Anyway, I installed it this morning, have run it all day and it's stable as far
as I can tell, so I consider it safe to use in spite of the fact that it comes
from rawhide, which is supposed to be fairly bleeding edge. I have built this
rpm for i586 and i686 and cp'd the i386 rpms as well as the src.rpm to
server.moongroup.com in /pub/bind-update so you can go get it via anonymous ftp
if you want it!
Keep up with the security releases if you aren't already (updates.redhat.com)!
It's important to your boxen's security and your ability to sleep peacefully at
night! <grin> Turn off all non-essential services in inetd and do not run
NFS/NIS unless the box it's running on is behind a secure firewall.
Also... If you are not already running portsentry do yourself a favor and go get
it! It may save your box some day!
It's available at: http://www.psionic.com/abacus/portsentry/
--
Chuck Mead, CTO, MoonGroup Consulting, Inc. <http://moongroup.com>
<[EMAIL PROTECTED]> Public key available at: wwwkeys.us.pgp.net
7:02pm up 2 days, 14:31, 1 user, load average: 0.17, 0.54, 0.68
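The portsentry excerpt above shows the three kinds of syslog line the tool writes (a connect alert, a block via wrappers or a dropped route, and an "already blocked" repeat). Below is an added example, not part of the original post, of a small parser that turns such lines into a per-source summary so you can see which hosts probed which ports and whether a block actually landed. The log lines, hostnames and IPs in it are constructed placeholders modelled on the post's format.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in portsentry's attackalert format
# (placeholder hosts/IPs; the layout mirrors the excerpt in the post).
SAMPLE_LOG = """\
Jan 3 17:11:25 ns portsentry[545]: attackalert: Connect from host: dialup.example.net/192.0.2.10 to TCP port: 1080
Jan 3 17:11:26 ns portsentry[545]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Jan 3 17:11:26 ns portsentry[545]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.10 -j DENY -l"
Jan 3 17:11:26 ns portsentry[545]: attackalert: Connect from host: dialup.example.net/192.0.2.10 to TCP port: 1080
Jan 3 17:11:26 ns portsentry[545]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
Jan 3 18:02:41 ns portsentry[545]: attackalert: Connect from host: scanner.example.org/198.51.100.7 to TCP port: 53
Jan 3 18:02:42 ns portsentry[545]: attackalert: Connect from host: scanner.example.org/198.51.100.7 to TCP port: 1080
Jan 3 18:02:42 ns portsentry[545]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
Jan 3 19:15:03 ns portsentry[545]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to UDP port: 1080
"""

# "Connect from host: <rdns>/<ip> to <TCP|UDP> port: <n>"
CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (?P<host>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
# "Host <ip> has been blocked via wrappers ..." / "... via dropped route ..."
BLOCKED_RE = re.compile(
    r"attackalert: Host:? (?P<ip>[\d.]+) has been blocked via (?P<how>wrappers|dropped route)")


def summarize(log_text):
    """Return {ip: {host, connects, ports, blocked_by}} for every source seen."""
    sources = defaultdict(lambda: {"host": None, "connects": 0,
                                   "ports": set(), "blocked_by": set()})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            entry = sources[m["ip"]]
            entry["host"] = m["host"]
            entry["connects"] += 1
            entry["ports"].add(f'{m["port"]}/{m["proto"].lower()}')
            continue
        m = BLOCKED_RE.search(line)
        if m:
            sources[m["ip"]]["blocked_by"].add(m["how"])
        # "is already blocked. Ignoring" repeats carry nothing new and are skipped
    return dict(sources)


def unblocked_sources(summary):
    """IPs that tripped an alert but never got a wrappers/route block; worth a look."""
    return sorted(ip for ip, e in summary.items() if not e["blocked_by"])


if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(ip, e["host"], e["connects"], sorted(e["ports"]), sorted(e["blocked_by"]))
```

Feed it `/var/log/messages` (or wherever your syslog sends portsentry) instead of the sample and the unblocked list is the one to check against your wrappers and ipchains state.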
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.