Message-ID: <c2122821abc4d89254092500a8814215.squirrel@gameframe.net>
Date: Sat, 29 Oct 2011 16:34:46 +0300
From: nix@...roxylists.com
To: full-disclosure@...ts.grok.org.uk
Subject: bind-9.8.1 remote code exec exploit?

Hello list.

I have a source-compiled BIND 9.8.1 on the server.

I've been investigating weird iptables messages as follows:

Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94

I received a message from my ISP abuse that my server is scanning SIP port 5060, and I set the firewall rule to deny/log all UDP connections out of the box to port 5060 to get timestamps for further investigation.

This happened before I set the firewall rule.

/var/log/named.log

05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error sending response: host unreachable
07-Oct-2011 13:14:38.739 client: warning: client 221.210.153.6#5060: error sending response: host unreachable
08-Oct-2011 00:43:22.881 client: warning: client 212.59.18.8#5060: error sending response: host unreachable
08-Oct-2011 13:42:58.943 client: warning: client 202.43.160.50#5060: error sending response: host unreachable
12-Oct-2011 10:26:20.586 client: warning: client 213.77.43.115#5060: error sending response: host unreachable
14-Oct-2011 15:42:12.676 client: warning: client 193.210.19.19#5060: error sending response: host unreachable
15-Oct-2011 16:26:16.573 client: warning: client 202.44.204.36#5060: error sending response: host unreachable
16-Oct-2011 20:52:44.570 client: warning: client 200.63.56.5#5060: error sending response: host unreachable
17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error sending response: host unreachable
23-Oct-2011 12:34:26.255 client: warning: client 208.69.35.15#5060: error sending response: host unreachable
25-Oct-2011 01:50:17.382 client: warning: client 84.88.226.10#5060: error sending response: host unreachable
25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error sending response: host unreachable
29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable

The timestamps match the kernel's firewall log exactly. Every time the BIND error log has the above entry, the box tries to scan for SIP port 5060.

Is it possible to scan ports through BIND or exec code by sending a specially crafted request?

PS. I have been tracking this issue for a week and no other timestamps match this issue exactly.

I currently have grsec's exec logging on and am hoping this issue occurs soon so I can see whether it will execute extra code under the user 'bind'.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
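An added example, not part of the original post: a log-correlation check a defender could run over the two logs quoted above. It labels a blocked outbound UDP packet as a DNS response when it leaves source port 53 for the same address and port, within the same moment, that named logged as a client it could not answer; anything else stays unexplained. The second kernel line is constructed, and the function names, the `year` argument and the 2-second slack are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: first kernel line and the named line are in the post's format;
# the second kernel line is constructed to show a packet named did not log.
KERNEL_LOG = """\
Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94
Oct 29 15:10:02 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4411 PROTO=UDP SPT=40312 DPT=5060 LEN=40
"""
NAMED_LOG = """\
29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
"""

KERNEL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*?DST=(\S+) .*?PROTO=UDP SPT=(\d+) DPT=(\d+)")
NAMED_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} [\d:]{8})\.\d+ client: warning: "
                      r"client ([\d.]+)#(\d+): error sending response")

def parse_named(text):
    """Return (timestamp, client_ip, client_port) for each failed response."""
    out = []
    for line in text.splitlines():
        m = NAMED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            out.append((ts, m.group(2), int(m.group(3))))
    return out

def parse_kernel(text, year):
    """Return (timestamp, dst_ip, src_port, dst_port); syslog lines carry no year."""
    out = []
    for line in text.splitlines():
        m = KERNEL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), int(m.group(3)), int(m.group(4))))
    return out

def classify(kernel_text, named_text, year, slack=timedelta(seconds=2)):
    """Label each blocked packet: reply sent by named, or traffic named did not log."""
    named = parse_named(named_text)
    results = []
    for ts, dst, spt, dpt in parse_kernel(kernel_text, year):
        matched = any(ip == dst and port == dpt and abs(ts - nts) <= slack
                      for nts, ip, port in named)
        verdict = "dns-response" if spt == 53 and matched else "unexplained"
        results.append((dst, dpt, verdict))
    return results
```

Packets labelled `unexplained` are the ones worth chasing with process-level logging, since no named entry accounts for them.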