[Dshield] BIND 9.2.2 croaking...

Johannes Ullrich jullrich at euclidian.com
Wed Sep 10 01:38:16 GMT 2003


Sounds suspicious. Anything in your logs that could help? Is this a very
busy server? If you can, set up a tcpdump listener to record all the
traffic to the machine and, next time it crashes, check the recorded
traffic for abnormalities around the crash time.

Keep the tcpdump filter as general as possible (do not limit it to port
53). If you have enough storage space, don't even limit it to the DNS
server. Make sure to set the 'snaplength' large enough.


On Tue, 2003-09-09 at 21:29, Jon R. Kibler wrote:
> Greetings:
> 
> Is anyone else having BIND 9.2.2 randomly croaking for no apparent reason? Where it looks just like you did an 'rndc stop', but didn't?
> 
> We have no signs the system has been compromised, except that BIND has started randomly shutting itself down. We have run extensive hardware diagnostics and see no problems there.
> 
> This is a Solaris 9 box, running with latest patches. BIND runs as a non-root user in its own CHROOT-ed directory.
> 
> Anyone know of a network exploit that could crash BIND in the manner described?
> 
> Any other thoughts?
> 
> As usual, thanks!
> 
> Jon R. Kibler
> A.S.E.T., Inc.
> Charleston, SC  USA
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
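
An added example, not part of the original message: one way to carry out the "check the recorded traffic around the crash time" step on a classic pcap file, which also flags packets that a too-small snap length cut short. The function names, the crash timestamp and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic (microsecond timestamps) mapped to struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def packets_near_crash(pcap_bytes, crash_epoch, window=30):
    """Return (file snaplen, records captured within `window` s of the crash)."""
    endian = PCAP_MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    snaplen = struct.unpack(endian + "I", pcap_bytes[16:20])[0]
    offset, hits = 24, []          # the global header is 24 bytes
    while offset + 16 <= len(pcap_bytes):
        sec, usec, caplen, origlen = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        data = pcap_bytes[offset + 16:offset + 16 + caplen]
        if len(data) < caplen:
            break                  # file ends mid-record (capture interrupted)
        offset += 16 + caplen
        ts = sec + usec / 1e6
        if abs(ts - crash_epoch) <= window:
            # caplen < origlen means the snap length cut the packet short,
            # so the bytes that might explain the crash were never recorded.
            hits.append({"ts": ts, "caplen": caplen, "origlen": origlen,
                         "truncated": caplen < origlen, "data": data})
    return snaplen, hits

def build_sample(snaplen):
    """Constructed capture: three zero-filled packets, one of 300 bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for sec, size in [(1063157000, 60), (1063157890, 300), (1063157895, 64)]:
        cap = bytes(size)[:snaplen]
        out += struct.pack("<IIII", sec, 0, len(cap), size) + cap
    return out

CRASH_EPOCH = 1063157896           # constructed crash time, not from the thread

if __name__ == "__main__":
    for snap in (68, 65535):
        _, hits = packets_near_crash(build_sample(snap), CRASH_EPOCH)
        for h in hits:
            print(snap, h["ts"], h["caplen"], h["origlen"], h["truncated"])
```

With the 68-byte snap length, the 300-byte packet closest to the crash is reported as truncated; with 65535 it is kept whole.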




