On Thu, Apr 05, 2001 at 05:16:16PM -0500, Y2KNET wrote:
> Our server which is debian 2.2.r2 and running
> bind 8.2.3 has been hacked from this address
> 132.163.135.130

Is the server running any other services? Is it firewall protected? What evidence do you have that the attack came from that IP address and the address wasn't spoofed? What evidence do you have that the BIND daemon is the source of the success of the attacker?

Are you regularly updating all installed services with an APT source line pointing to security.debian.org? If not, how did you confirm you are running BIND 8.2.3-REL? [1]

Please consider providing more information both to Debian and to the upstream BIND authors if you truly believe BIND is the exploited service. If you believe you have evidence that another BIND exploit is "in the wild", have you contacted Nominum or the good folks at isc.org with the information?

Frankly, while BIND has been a source of problems for a long time, I don't have any reason from this posting to believe you that BIND was the reason your machine was successfully broken into. This announcement is enough to pique our interest, but not enough to help you fix whatever problem you may have encountered. [2]

[1] Two of the common BIND 8.2.2 exploits also attempt to change the version number that BIND reports if you do an "ndc status" command. Are you SURE you were running 8.2.3-REL?

[2] I speak from the community at large, not as a Debian representative here... but I'm sure that the BIND maintainer would appreciate any solid evidence you have that BIND has a problem.

-- 
Nate Duehr <[EMAIL PROTECTED]>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.

