
CA-2000-05.dns

Posted May 2, 2000
Site ciac.org

There are continuing compromises of machines running the Domain Name System (DNS) server software that is part of BIND ("named"), including compromises of machines that are not being used as DNS Servers.

SHA-256 | 963aadc711ddd0cc32b45275239100e6619d5dfd74f8b0a52fa29b8b8ef0e9d5


CIAC INFORMATION BULLETIN

K-036: Continuing Compromises of DNS Servers

April 28, 2000 17:00 GMT
_________________________________________________________________

PROBLEM: There are continuing compromises of machines running the Domain
Name System (DNS) server software that is part of BIND
("named"), including compromises of machines that are not being
used as DNS Servers.
PLATFORM: Systems running various vulnerable versions of BIND (including
on machines where the system administrator does not realize a
DNS server is running).
DAMAGE: Allows intruder to gain root access.
SOLUTION: Upgrade the vulnerable systems with their associated DNS
security patches and workarounds.
_________________________________________________________________

VULNERABILITY ASSESSMENT: The risk is HIGH. The exploits have appeared in public forums.
_________________________________________________________________

[ Start CERT/CC Advisory ]

CERT(r) Advisory CA-2000-03 Continuing Compromises of DNS servers

Original release date: April 26, 2000
Last revised: April 26, 2000
Source: CERT/CC

Systems Affected

* Systems running various vulnerable versions of BIND (including on
machines where the system administrator does not realize a DNS
server is running)

Overview

This CERT Advisory addresses continuing compromises of machines
running the Domain Name System (DNS) server software that is part of
BIND ("named"), including compromises of machines that are not being
used as DNS Servers. The Advisory also reports that a significant
number of delegated(*) DNS servers in the in-addr.arpa tree are running
outdated versions of DNS software, and urges system and network
administrators to ensure that they are up-to-date with DNS security
patches and workarounds.
______________________________________________________________________

The CERT Coordination Center has received reports of continuing
activity indicating that intruders are targeting machines running
vulnerable versions of "named". We continue to receive regular, daily
reports that sites running unpatched, vulnerable versions of "named"
have been compromised. CERT Advisory CA-99-14 "Multiple
Vulnerabilities in BIND" describes the BIND NXT record privileged
compromise vulnerability that is being exploited. We encourage you to
review this advisory and to apply the appropriate patches if you have
not done so already. The advisory is available at

http://www.cert.org/advisories/CA-99-14-bind.html

Some sites with compromised systems have found one of the following
empty directories on systems where the NXT record vulnerability was
successfully exploited:

/var/named/ADMROCKS
/var/named/O

Other artifacts that are commonly found include
* inetd started with an intruder-supplied configuration file in /tmp
that provides a backdoor into the system
* modified /etc/inittab and/or system startup files to load intruder
processes at boot time
* Trojan horse versions of sshd and /bin/login designed to provide a
backdoor into a compromised system
* complete rootkits that include Trojan horse replacements for
system binaries, sniffers, denial-of-service tools, vulnerability
scanners, exploits, etc.
* newer versions of BIND

Compromised systems are commonly used to search for and attack other
potentially vulnerable systems.
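The artifacts listed above are concrete enough to check for mechanically. The script below is an added example, not part of the CERT or CIAC advisory text: it sweeps a filesystem root for the two marker directories, for inittab and rc scripts that start something out of /tmp, for an inetd launched with a configuration file under /tmp (read from a saved `ps -ef` listing), and for sshd or /bin/login binaries whose SHA-256 no longer matches a baseline taken before exposure. The sample process listing and the sample host tree it builds are constructed for illustration; the `sha256sum` dependency (GNU coreutils or BusyBox) and the rc-script locations are assumptions about the host, not something the advisory states.

```shell
#!/bin/sh
# Added example; not part of the CERT/CIAC advisory text.
# Sweeps a host for the post-compromise artifacts the advisory lists.
# $1 is the filesystem root to examine (default: /). Pointing it at a mounted
# image of the suspect disk, or at a constructed tree, lets the sweep run offline.
# $2 (optional) is a sha256sum-format baseline ("<hash>  <path>") of known-good
# binaries such as /bin/login and sshd, recorded before the host was exposed.
# Every hit is printed as a line beginning "IOC:"; exit status is 1 if any hit.

check_dns_compromise_iocs() {
    root="${1:-}"; baseline="${2:-}"; found=0

    # 1. Empty marker directories left behind by the NXT exploit (per the advisory)
    for d in /var/named/ADMROCKS /var/named/O; do
        if [ -d "$root$d" ]; then
            echo "IOC: marker directory present: $d"
            found=$((found + 1))
        fi
    done

    # 2. inittab or rc scripts that load something from /tmp at boot
    #    (rc locations are an assumption: System V and BSD-style layouts)
    for f in "$root/etc/inittab" "$root"/etc/rc*.d/* "$root"/etc/rc.d/* \
             "$root"/etc/rc.d/*/* "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        if grep -q '/tmp/' "$f" 2>/dev/null; then
            echo "IOC: startup file references /tmp: ${f#"$root"}"
            found=$((found + 1))
        fi
    done

    # 3. Trojan horse sshd or /bin/login: compare against the baseline, if given.
    #    No baseline means this check is skipped, not passed. Assumes sha256sum.
    if [ -n "$baseline" ] && [ -f "$baseline" ]; then
        while read -r want path; do
            [ -f "$root$path" ] || continue
            have=$(sha256sum "$root$path" | cut -d' ' -f1)
            if [ "$have" != "$want" ]; then
                echo "IOC: checksum mismatch (possible Trojan horse): $path"
                found=$((found + 1))
            fi
        done < "$baseline"
    fi

    [ "$found" -eq 0 ]
}

# 4. inetd started with an intruder-supplied configuration file under /tmp.
#    Reads a `ps -ef` style listing on stdin so a saved listing can be checked.
inetd_with_tmp_config() {
    awk '$0 ~ "(^|[ \t/])inetd([ \t]|$)" && $0 ~ "[ \t]/tmp/"'
}

# Constructed `ps -ef` listing (not captured from a real host); the third
# process line is the kind of backdoor inetd the advisory describes.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Apr28 ?        00:00:04 init
root       342     1  0 Apr28 ?        00:00:00 inetd
root      2210     1  0 Apr29 ?        00:00:00 inetd /tmp/.x/inetd.conf
root       355     1  0 Apr28 ?        00:00:02 /usr/sbin/named'

# Builds a constructed sample tree (not a real compromised host) under $1 that
# carries three of the indicators, so the sweep can be exercised offline.
make_sample_host() {
    d="$1"
    mkdir -p "$d/var/named/ADMROCKS" "$d/etc" "$d/bin"
    printf 'id:3:initdefault:\nx1:3:respawn:/tmp/.x/bd\n' > "$d/etc/inittab"
    printf 'not the real login binary\n' > "$d/bin/login"
    # Baseline hash (all zeros) deliberately does not match the file above
    printf '%064d  /bin/login\n' 0 > "$d/baseline.sha256"
}

# Usage: sh dns_ioc_sweep.sh ROOT [BASELINE]. With no arguments only the
# functions are defined, so the file can be sourced into a live session.
if [ $# -gt 0 ]; then
    ps -ef | inetd_with_tmp_config
    check_dns_compromise_iocs "$1" "${2:-}"
fi
```

A hit on the /tmp check in an rc script is worth reading by hand, since legitimate scripts occasionally clean /tmp; the marker directories and a checksum mismatch on /bin/login are not ambiguous. Run the sweep from a boot medium or against a mounted image where possible: on a live host with a rootkit installed, `ps`, `grep` and `sha256sum` themselves may be the Trojan horse replacements the advisory warns about.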

In many of the reports of DNS server compromises, the compromised machines
running DNS server software were not being used as DNS servers. The DNS
server software was running because it was installed by default
(unknowingly, in many cases) when the machines were configured. This
software was not up to date with security patches and workarounds; since
the system administrators were not planning to have the machines operate
as DNS servers, they neither ensured the software was up to date nor
simply disabled the DNS server software on the machine. We encourage
system and network administrators to disable DNS server software, and
other services, on machines where the services are not needed.

We have also received information from Bill Manning of the USC/ISI
concerning DNS servers running vulnerable versions of domain name
server software. Since 1997, Bill Manning has swept the inverse tree
(in-addr.arpa) on a quarterly basis to verify the accuracy of
delegations within that hierarchy. Using the first quarter survey
results, he compiled a list of which version of DNS server software
the servers were running. Of the responding DNS servers that are
delegated(*) DNS servers for the in-addr.arpa zone, more than 50%
were running older, vulnerable versions of BIND (vulnerable to any
known BIND vulnerability, not just the NXT vulnerability). This is
significant because the compromise of a delegated DNS server can
affect the security of other organizations in addition to the
organization operating the DNS server.

A copy of the survey results is available at

http://www.isi.edu/~bmanning/in-addr-audit.html

Based on the number of older versions being run, and the rate of
compromises, we believe the number of DNS servers running older,
vulnerable versions of BIND has not significantly decreased since the
survey was published.

We encourage DNS server operators to ensure that their DNS server
software is up to date with the most recent versions of the DNS server
software and that all security patches and workarounds have been
applied.


(*) delegated DNS server: a delegated DNS server is a DNS server that is
assigned responsibility for responding to requests for a portion of the
DNS hierarchy. For more information on delegation, see the section on
delegation in DNS and BIND, third edition, by Paul Albitz and Cricket
Liu, O'Reilly and Associates, 1998.


Advisory Author: Jeffrey J. Carpenter
_________________________________________________________________

The CERT Coordination Center thanks Bill Manning, USC/ISI, for
providing information used in this CERT Advisory.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2000-03.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Copyright 2000 Carnegie Mellon University.

[ End CERT/CC Advisory ]
_________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT/CC for the
information contained in this bulletin.
_________________________________________________________________
_________________________________________________________________

For additional information or assistance, please contact CIAC:

Voice: +1 925-422-8193 (5:00 - 18:00 PST, 13:00 - 2:00 GMT)

Emergency (DOE, DOE Contractors, and NIH ONLY):
1-888-449-8369 (primary),
1-800-201-9288 (secondary)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
_________________________________________________________________

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
_________________________________________________________________

UCRL-MI-119788