[linux-security] Named Overflow Concern - SUMMARY (fwd)


Date: Tue, 25 Aug 1998 08:42:52 +0200 (MEST)
From: (Rogier Wolff) <R.E.Wolff@BitWizard.nl>
To: linux-security@redhat.com, root@bull.bullnet.co.uk
Subject: [linux-security] Named Overflow Concern - SUMMARY (fwd)


George Brown sent this to my private Email address instead of to the
list. Because I forwarded it, my address is in the header.

				Roger. 


----- Forwarded message from root -----

From root@bull.bullnet.co.uk  Mon Aug 24 16:20:29 1998
Received: from dutepp0.et.tudelft.nl
	by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
	for <wolff@localhost> (single-drop); Mon Aug 24 16:20:26 1998
Return-Path: <root@bull.bullnet.co.uk>
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
	by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id QAA15304
	for <wolff@dutepp0.et.tudelft.nl>; Mon, 24 Aug 1998 16:17:59 +0200 (MET DST)
Received: from bull.bullnet.co.uk (www.bullnet.co.uk [194.242.135.145]) by ferryman.ocn.nl (8.6.13/8.6.9) with ESMTP id QAA05741 for <R.E.Wolff@BitWizard.nl>; Mon, 24 Aug 1998 16:04:40 +0200
Received: (from root@localhost)
	by bull.bullnet.co.uk (8.8.5/8.8.5) id PAA08035
	for R.E.Wolff@BitWizard.nl; Mon, 24 Aug 1998 15:16:03 +0100
Date: Mon, 24 Aug 1998 15:16:03 +0100
From: root <root@bull.bullnet.co.uk>
Message-Id: <199808241416.PAA08035@bull.bullnet.co.uk>
To: R.E.Wolff@BitWizard.nl
Subject: Named Overflow Concern - SUMMARY

Thanks for all the responses.

I have tried to summarise suggestions and other comments as this may
be of help/interest to others.

NB. Submitting an email to this group with your domain name is a bit
like putting out the honeypot and asking the bears round for tea.

Unfortunately some suggestions, such as upgrading the OS are currently 
impractical for me as time does not permit.

I am effectively a one man band working with a friend who has a very
small company.  As such my tasks include network admin, web server admin,
setting up dns, web design, database admin, cgi programming etc. etc.
(And sadly all for no money at the present ;).

The whole extra bit of defense is an unwelcome diversion, though if 
time permitted I might enjoy it but with so many tasks already this
I can do without.

Summary
=======
1. Summary of my configuration.
2. References
3. Brief Summary of advice.
4. List of ip addresses who tried my system out.
5. Detailed Summary of advice.

My Configuration
================ 
Redhat 4.2 with latest RPM's of all important packages.
telnetd, ftpd restricted to named users in hosts.allow
ipopd on for all
samba and portmap only for specific users
All tcp connections use wrappers.
Logs are monitored automatically for unauthorised connections on a regular
basis.
All important files are checked automatically for dates and size changes.

References 
==========
ciac.llnl.gov/ciac/bulletins/i-073.shtml
www.cert.org
www.shopthenet.net/redhat-security/index.html
www.geek-girl.com/bugtraq

Brief Summary of Advice and Comments
====================================
OS.         Upgrade to 5.1 plus all latest errata, or Slackware.
bind.       Varied advice:
            4.9.7-0  Some say ok, some not
            4.9.7-1  Suggested, but this is not on the Redhat site
            4.9.7-2  This is a debian release
            8.1.2    I don't know if this will run with Redhat 4.2
tcpwrappers Use, and monitor logs.
imapd       Turn it off if possible. I have.
Use SAINT, SATAN, CRACK, MSCAN to check your system.
Monitor security sites.
Use Tripwire or something similar.

List of IP's
============
Most of these tried after my email and mostly were minor attempts.
One tried overflowing the buffers in imapd and two tried connecting to
samba. The logs say unsuccessful but who can believe logs.

128.193.96.191
130.230.56.11
131.246.178.43
140.142.110.13
193.170.236.90
195.166.144.226                        named overflow attempt and samba
226.hiperforce.shef.dialup.force9.net
203.101.255.3
206.242.12.66                          samba
208.134.79.43
208.255.237.25
212.210.161.130

Detailed Summary of Advice and Comments
=======================================

From Samuel Brown
-----------------
>a. upgrade to the latest (5.1) version of your distribution--the security
>holes in old distributions are common knowledge to hackers on the net, and
>vendors/distributors stop fixing them once the new distribution is out.
>
>b. install all of the updates from errata; many of them fix security holes.
>
> use tcpwrappers and check the logs regularly.
>
I use tcpwrappers and find them very useful.
>
> run SATAN and CRACK against your system.
Where are these available?
> turn off all un-needed services, and even debate whether you need the ones
> you think you need.
>
I recommend this as well.

From Dan Grosscott
------------------
> You should upgrade to bind 8.1.2 and any further patches also available.
> Bind version 8.1.2 is available from
> ftp://ftp.isc.org/isc/bind/src/8.1.2/bind-8.1.2-src.tar.gz.
? Will this run with Redhat 4.2?
>I am not sure about imap, I don't know it mainly because it's buggy. Try
>hitting up redhat's ftp site and upgrade to any new imap rpm's out there.
>I got hacked running bind 4.9.7 a while ago, and since 8.1.2, i've been
>secure again.

>Greg Alexander
>If someone says differently, listen to them, as I haven't actually
>investigated. But debian, at least, released a bind-4_9_7-2 to fix the
>security problems, so I suspect that a -0 original bind 4.9.7 package will
>not be fixed. I don't know jack about imapd.

J. Finnegan, USC.
-----------------
>recommends that once you've been hacked, you do a total reinstallation of the
>OS. Then go find information about running your nameserver.
I agree that this should be done if you are unsure about system integrity.
I managed to clean my system up ok without this (I think).

From Jon Lewis
--------------
>mscan is probably just making guesses based on a few probes it does.
>4.9.7 should not be vulnerable. imap, I have no idea. If you don't
>actually use imap, disable it.
>In theory, if you have the latest version
>of all packages that Red Hat makes RPMs for (for a supported Red Hat
>release), then you don't have any holes that Red Hat and the general
>public know about.
Greg Alexander above thinks 4.9.7 is not secure. I've turned mine off.
>imap has developed a reputation for being full of overflows...and I
>currently will not run it. When I do, it will certainly be on a system
>with Solar Designer's secure-linux patch. Having that patch might have
>stopped you from getting hacked in the first place.
>www.false.com/security/

From David Lang
---------------
>bind current version is 8.1.2
>imap should be turned off if you don't use it. (I use it but with the
>cyrus mailserver which is a drastic change from the standard mail, but one
>I am happy with.)

>Please report your attack at www.cert.org
>and upgrade immediately named to the one recommended by RedHat
>do the same with imapd. After that you should follow instructions
>as recommended by CERT.ORG.
>I do sympathize with you as a person that has had a recent such
>compromise via (supposedly) named. What I did was to immediately
>check all binary and library files with a stock Linux system,
>and replace them (if you have to remain on the Internet for
>business reasons). After that it is recommended that you backup
>(compare if possible with known good backups) any non-system files
>and then re-install from the vendor media such as CD Rom disks.
>
>If you have a doubt - get your system OFF of the Internet and
>then work on it as you are able. Please consider the following:
>(in order)
>
>1.) www.cert.org
>2.) www.redhat.com (Red Hat: vendor help ET AL)
>3.) A security an experienced system administrator security professional
>4.) http://www.shopthenet.net/redhat-security/index.html
>(This page advises that it is no longer under development [which proves
>that Linux or any kind of security is an ongoing job] however I think
>that it is a good primer as well as subscribing to this linux-security
>bulletin and BugTraq as well)
5.) Upgrade periodically as security/vendor upgrades become known and
available.

Other basic security precautions such as limiting shell accounts and
using good passwords are obviously worth mention. Secure Shell only
access is highly recommended.

--- Alan Spicer (aspicer@ebiznet.com)

From seifried
-------------
I would highly recommend going to RedHat 5.1, with updates and kernel 2.0.35.
> Should I be concerned.
Yes and no. First off Bind 4.X is bad. Upgrade to Bind 8.X; it has a lot
more security features and is real easy (TM) to run as a non root user in
a chrooted environment:
http://redhat-security.seifried.org/section07/s07c05-dns.html
As for IMAP, firewall it off if at all possible; that version is supposed
to be safe (no nasty bugs found yet anyways) but you never know.

From jc.praud@ludexpress.com
----------------------------
>- our RH5.0 Bind 4 was hacked in may.
>- following many advisors, we are migrating all our servers to SlackWare
>
>The SlackWare distribution often remains behind, concerning version
>numbers, to let more time to test the software.
>We had some stability problems with RedHat up-to-date versions.
>
>Under SlackWare, you have more control on what you want to install or
>not.
>
>In the future, we are planning to use RedHat servers only in Intranets,
>behind a firewall or a proxy, as an equivalent for NT solutions.
>
>Even if you go on with RedHat, you should upgrade to Bind 8. The RPM
>contains tools to convert your named.boot file to Bind 8's named.conf.
>Bind 8 offers more control and info.
>
>Anyway, the absolute security is in your backups, as always :o)

From: Justin Cormack <jpc1@doc.ic.ac.uk>
----------------------------------------
>I would still be concerned about named. The web site strongly recommends
>using the bind-8.x versions not 4.x. We had some hackers on our machines
>(which don't run bind; they appear to have used password sniffers) hacking
>into extremely large numbers of RH 5 and 5.1 name servers a few days ago.
>These people might not have updated to bind-4.9.7-1 of course.

From dps@io.stargate.co.uk
--------------------------
>This really depends on whether mscan is based on rules along the lines of "If
>linux and bind then security problem" or attempts to actively exercise the
>overflows. I guess you should try the exploit scripts or demos (see the bugtraq
>archives and rootshell.com, for example). IMAP 4.1 final has not been attacked
>successfully on bugtraq yet.
>All the name servers I have control over are upgraded to the latest version of
>bind version 8 (the change notification of the secondaries is a worthwhile
>feature and the ISC claim that bind v8 works better with lots of domains).
>We will probably need some DNS Sec support some time as ISPs so it seemed to be
>the way to go.
>There are a couple of redhat 4.2+lots of changes boxen, one of which seems to
>have a hardware problem in the hard disc arena (this is the best explanation of
>its flakiness when the locate database is updated, you try compiling something,
>etc and the 2/7/365 performance otherwise).

From gr1p@dns.defraz.org
------------------------
>After seeing your post to the Linux-Security Mailing List, I have seen
>something which I have seen time and time again in the last few months.
>The scanning tool, mscan, which is used to scan multiple hosts and
>complete subnets has given great power to the "ordinary joe" who may not
>necessarily have the complete knowledge of computer security that was
>needed in the past. They seem to be mainly scanning for Named/Imapd etc.
>
>Named is a very over-exploited vulnerability due to the fact that so many
>servers are actually vulnerable to it when running RedHat Linux boxes and
>also due to the ease of use, nothing complicated about its use..
>
>localhost:~# named 127.0.0.1
>robo - dns IQUERY remote buffer overflow for intel linux
>nimrood 5.16.98
>connecting...connected.
>testing for vulnerability...vulnerable.
>sending exploit code...1560 bytes sent.
>bash#
>
>And there you have it, a remote shell. It scares me that an exploit like
>this can give so much power to an average person who can just go to a
>hacking/security related website, download some source code and run it.
>The version of IMAPD you are running, imap-4.1.final-0, is currently a
>safe version, however there are always new exploits being coded and
>released which will eventually exploit this version.

From Adam.Morris@onyx.net
-------------------------
>I have just upgraded one of our two redhat boxes, and have bind-4_9_7-1
>on it... I think you should check the redhat errata.
Can't find it.
>And as for imap... Do you use it? If not remove it. The same goes
>for all other extraneous services.
>Where did mscan come from? It sounds like the unknown hacker left it
>behind... I would suggest getting a known good version of something
>like that... I quite like SAINT myself...
>
>And your kernel version probably needs upgrading too... There are
>usually good reasons why there are new releases of the stable kernel...
>
>If you can afford to reinstall the system, I would, apply all the
>updates, and use tripwire or something similar on it.

----- End of forwarded message from root -----

-- 
| The secret of success is sincerity. Once you can  | R.E.Wolff@BitWizard.nl |
| fake that, you've got it made. -- Jean Giraudoux  | T: +31-15-2137555      |
-We write Linux device drivers for any device you may have! Call for a quote-
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe linux-security-request@redhat.com < /dev/null
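The summary's configuration checks important files "for dates and size changes", and several replies recommend Tripwire or something similar instead. The script below is an added example, not code from the thread or from Tripwire: it records size, mtime and a SHA-256 digest for a set of files as a baseline, then verifies the live files against it. The demo constructs its own temporary files (the names `login`, `ps` and `ls` are placeholders, not real system binaries) and alters one of them while preserving both its byte length and its modification time, so the size-and-date check reports nothing while the hash comparison flags it.

```python
"""Baseline-and-verify file integrity check (added example, not from the thread).

A size/mtime-only check, as described in the summary's configuration, misses
a replacement that keeps the same length and has its timestamp restored.
Hashing the content catches that case; the demo below shows both checks
side by side on constructed sample files.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def fingerprint(path: str) -> dict:
    """Size, nanosecond mtime and SHA-256 of one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def build_baseline(paths) -> Dict[str, dict]:
    """Fingerprint every path; store the result somewhere the host cannot alter it."""
    return {p: fingerprint(p) for p in paths}


def save_baseline(baseline: Dict[str, dict], out_path: str) -> None:
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as f:
        return json.load(f)


def size_and_date_check(baseline: Dict[str, dict]) -> List[str]:
    """The weaker check: flag only missing files and size or mtime differences."""
    flagged = []
    for path, old in sorted(baseline.items()):
        if not os.path.exists(path):
            flagged.append(path)
            continue
        st = os.stat(path)
        if st.st_size != old["size"] or st.st_mtime_ns != old["mtime_ns"]:
            flagged.append(path)
    return flagged


def verify(baseline: Dict[str, dict]) -> List[dict]:
    """Hash-based check: reports missing, modified (content differs) and touched files."""
    findings = []
    for path, old in sorted(baseline.items()):
        if not os.path.exists(path):
            findings.append({"path": path, "status": "missing"})
            continue
        new = fingerprint(path)
        if new["sha256"] != old["sha256"]:
            # 'stealthy' marks a change that size and mtime alone would not reveal
            stealthy = new["size"] == old["size"] and new["mtime_ns"] == old["mtime_ns"]
            findings.append({"path": path, "status": "modified", "stealthy": stealthy})
        elif new["mtime_ns"] != old["mtime_ns"]:
            findings.append({"path": path, "status": "touched"})
    return findings


def demo() -> dict:
    """Constructed scenario: one file replaced with size and mtime preserved, one deleted."""
    d = tempfile.mkdtemp()
    login, ps, ls = (os.path.join(d, n) for n in ("login", "ps", "ls"))  # placeholder names
    for path, content in ((login, b"original binary content\n"),
                          (ps, b"ps listing code\n"),
                          (ls, b"ls listing code\n")):
        with open(path, "wb") as f:
            f.write(content)
    baseline = build_baseline([login, ps, ls])

    # Tamper: same byte length as the original, then put the old mtime back.
    st = os.stat(login)
    with open(login, "wb") as f:
        f.write(b"trojaned binary content\n")
    os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))
    os.remove(ls)

    return {"size_date_check": size_and_date_check(baseline),
            "hash_check": verify(baseline)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use the baseline JSON must be written to read-only or offline media; a baseline kept on the monitored host can be regenerated by whoever replaced the binaries, which is the same weakness the thread's advice to compare against vendor media addresses.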
