Sorry, I didn't actually catch the bind version but I am pretty sure it was 4.9.3 (un-patched).
There was no evidence of access attempts in the logs (syslog or fw.log), nor was there a bind reset (it started generating errors about addresses it couldn't resolve at about midnight; this was a symptom of the scrambled tables, and gives an indication of when things happened). The bind daemon itself was still running.
Neither telnetd nor ftpd were enabled, and access to the ports was specifically blocked by firewall rules. The only active service ports were DNS and SMTP; sendmail was version 8.6.
I don't think the problem was filesystem corruption, although this is a possibility. The fact that every db.xxx file was trashed seems beyond coincidence. There were no other corruptions that were apparent.
I should have kept the files... (but didn't) DOH!
----------
From: Paul D. Robertson [SMTP:proberts@clark.net]
Sent: Tuesday, 13 August 1996 7:00
To: Guy Jones
Subject: Re: DNS attack symptoms?
On Tue, 13 Aug 1996, Guy Jones wrote:
> My client had scrambled entries in their DNS tables (e.g. the /var/named/db.XXX files looked like binaries when viewed thru vi). Is this a symptom of a DNS attack? It certainly works as a denial of service method.
> They are running Solaris 2.5 on a Netra (3.0), with firewall-1 2.0b. They had not applied the latest Solaris security patches.
> They were/are being pestered by a local nuisance, I just want to know whether the two issues are related (as I suspect).
What version of Bind? What FTP, telnet, etc. access were in the logs?
Was a named restart in syslog? Have they fsck'ed the filesystem, to
ensure it wasn't just Solaris corruption?
Did you save the files?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280
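The two checks the thread turns on, whether the db.* zone files still look like zone text and when named first logged trouble in syslog, as an added example that is not code from either poster. The syslog layout, the event keywords and the sample data are constructed assumptions for illustration.

```python
# Added example, not from the thread. Two defender-side checks the exchange
# calls for: is a /var/named/db.* file still zone text or has it been
# overwritten with binary garbage, and when did named first log trouble.
import re
import string

PRINTABLE = set(string.printable.encode("ascii"))
SOA_RE = re.compile(rb"\bIN\s+SOA\b")
# Assumed syslog shape: "Aug 13 00:02:11 host named[112]: message"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (.*)$")
# Message fragments treated as noteworthy (assumed, not taken from BIND docs).
EVENT_MARKERS = ("restarted", "starting", "no address", "couldn't", "can't", "error")


def looks_like_zone_text(data: bytes, max_binary_ratio: float = 0.05) -> bool:
    """Heuristic: a healthy BIND zone file is printable ASCII and carries an
    SOA record; a trashed one is mostly non-printable bytes."""
    if not data:
        return False
    binary = sum(1 for b in data if b not in PRINTABLE)
    if binary / len(data) > max_binary_ratio:
        return False
    return SOA_RE.search(data) is not None


def named_events(lines):
    """Return [(timestamp, message)] for named syslog lines matching an event
    marker, in file order, so the first entry dates the onset."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp, msg = m.groups()
        if any(k in msg.lower() for k in EVENT_MARKERS):
            events.append((stamp, msg))
    return events


# Constructed samples: a sane zone file, a "binary" one, and a few log lines.
GOOD_ZONE = (b"@ IN SOA ns1.example.net. hostmaster.example.net. "
             b"(1 3600 900 604800 86400)\n@ IN NS ns1.example.net.\n")
BAD_ZONE = bytes(range(256)) * 4
SAMPLE_LOG = [
    "Aug 12 23:15:02 ns1 named[112]: zone transfer of example.net complete",
    "Aug 13 00:01:44 ns1 named[112]: sysquery: no address for ns.other.example",
    "Aug 13 00:02:10 ns1 named[112]: couldn't resolve mail.other.example",
]

if __name__ == "__main__":
    print(looks_like_zone_text(GOOD_ZONE), looks_like_zone_text(BAD_ZONE))
    print(named_events(SAMPLE_LOG)[0])  # earliest noteworthy named line
```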