[lug] CHAOS

Nate Duehr nate at natetech.com
Wed Feb 28 02:42:24 MST 2001


Hopefully this makes it to the list... I know another install of
Netscape I had earlier had "issues" with Mailman... apologies Wayde if
this Netscape machine (freshly loaded) hasn't been cleaned up yet and
you have to approve the posting.

CHAOS class queries are usually someone looking for the Version of BIND
you are running.  

Recent remote root vulnerabilities have been found in ALL versions of
BIND prior to 8.2.3 including all of the completely outdated (but people
are STILL running them?!  WHY?!?!) BIND 4.X versions.

You can control what's handed out for a Version query in BIND 8.x by
editing the global configuration variable "version" in your named.conf
file.

In the section with global options, add something like:

version { "Silly ScriptKiddie Go Away"; };

Or more sedately, and the one I use:

version { "Not available"; };

This by no means is any form of real security, but why make it easier
for someone to find out?  :-(

There's a ton of documentation on this in the ISC's documentation on
BIND at www.isc.org, and of course, the definitive book is DNS & BIND by
Albitz and Liu.  Cricket Liu is a great guy and frequents the bind-isc
mailing lists (gated over to Usenet, which makes it high volume and low
quality, but I digress...) and announced recently that pre-orders are
being taken by O'Reilly & Assoc. for his 4th Edition of DNS & BIND.

Back to the recent exploits, one of the rootkits being used heavily
looks for BIND 8.2.2 and lower and exploits it on Linux little-endian
machines.  Then it patches the binary to answer that it's BIND 8.2.3
when asked on the network, but it will return a correct result of
8.2.2p7 or whatever you have if you invoke the version request from the
command-line.  

Then of course, once it has root access, they can pretty much do
whatever they want until you catch them.  And then you'd better have
copies of your binaries (or install media...).


Nate, nate at natetech.com


charles at lunarmedia.net wrote:
> 
> guys-
> i've got a guy doing lookups on my nameserver with class=CHAOS and
> type=TXT. i think there is an exploit where if you do a lookup on "bind"
> or something like that it returns the version of bind you're running.
> 
> i have a timestamp for when the guy is trying the query, any suggestions
> on how i can grab his ip addr?
> 
> thanks -cjm
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
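The original question asks how to find the source of the CHAOS-class lookups, and Nate's reply covers hiding the version but not the "who is asking" part. The script below is an added example, not code from either poster: it runs over BIND query-log lines, flags every CHAOS-class query, and groups the `version.bind`/`TXT` probes by source IP with first and last timestamp. The log lines are constructed for the example, and their layout (`client <ip>#<port>: query: <name> <class> <type>`) is an assumption modelled on BIND's query logging; BIND 8 and BIND 9 write different formats, so check `QUERY_RE` against what your named actually logs before relying on it.

```python
import re
from collections import OrderedDict

# Constructed sample log lines (not from the original post). The layout is an
# assumption modelled on BIND's query log; adjust QUERY_RE to match the exact
# format your named writes (BIND 8 and BIND 9 differ).
SAMPLE_LOG = """\
28-Feb-2001 02:10:11.123 client 192.0.2.10#53215: query: version.bind CH TXT +
28-Feb-2001 02:10:12.004 client 198.51.100.7#1025: query: www.example.com IN A +
28-Feb-2001 02:10:15.871 client 192.0.2.10#53216: query: VERSION.BIND. CHAOS TXT +
28-Feb-2001 02:11:40.500 client 203.0.113.9#40001: query: hostname.bind CH TXT +
28-Feb-2001 02:12:02.777 this line is deliberately unparseable
"""

# Timestamp is two tokens (date, time); the client address may be IPv4 or IPv6.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

# The class may be logged as the mnemonic "CH" or spelled out as "CHAOS".
CHAOS_CLASSES = {"CH", "CHAOS"}


def parse_query_line(line):
    """Return a dict (ts, ip, port, name, cls, qtype) for a query-log entry,
    or None when the line is not one. Unparseable lines are skipped, not
    treated as errors, so a noisy log does not abort the scan."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Owner names are case-insensitive and may carry a trailing dot.
    rec["name"] = rec["name"].lower().rstrip(".")
    rec["cls"] = rec["cls"].upper()
    rec["qtype"] = rec["qtype"].upper()
    return rec


def is_chaos_query(rec):
    """Any CHAOS-class query is unusual traffic for a production nameserver."""
    return rec["cls"] in CHAOS_CLASSES


def is_version_probe(rec):
    """The specific probe from the thread: version.bind, class CHAOS, type TXT."""
    return is_chaos_query(rec) and rec["name"] == "version.bind" and rec["qtype"] == "TXT"


def find_chaos_queries(log_text):
    """All parsed CHAOS-class queries in the log, in file order."""
    return [r for r in map(parse_query_line, log_text.splitlines()) if r and is_chaos_query(r)]


def summarize_version_probes(log_text):
    """Group version.bind probes by source IP with a count and the first and
    last timestamp seen: the information needed to match a known timestamp
    to an address."""
    summary = OrderedDict()
    for rec in map(parse_query_line, log_text.splitlines()):
        if not rec or not is_version_probe(rec):
            continue
        entry = summary.setdefault(rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["last"] = rec["ts"]
    return summary


if __name__ == "__main__":
    for ip, info in summarize_version_probes(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} version.bind probe(s), {info['first']} .. {info['last']}")
```

On the constructed sample this reports one source, 192.0.2.10, with two probes; the `hostname.bind` line is still returned by `find_chaos_queries` so that other CHAOS-class traffic is not lost, it just is not counted as a version probe. Query logging has to be enabled in named.conf for any of this to exist, and the `version` option from Nate's reply is still the right way to make the answer uninformative whether or not you log.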
