> Bind runs as root.
It doesn't have to. In fact, I just set up a RedHat 6.2 Honeypot
a couple of weeks ago researching Bind based worms that are becoming
a problem. Much to my surprise, that OOB RedHat 6.2 system ran bind
as "named -u named" and was running Bind under a common user id. RedHat
6.0 runs it as root and I haven't checked 6.1 yet. Don't know about the
other distros, yet.
> > We are unable to determine just how they got in exactly, but they
> > kept trying and created an oops in the affected code which allowed
> > the attack to proceed.
> Are you sure they didn't in fact simply screw up live patching the kernel to
> cover their traces?
That would be a hint that they MIGHT have been trying to get a
Linux kernel stealth module going. Several of the worms I'm looking at
include the Adore LKM to hide processes, files, and sockets. That worm
(like several others) also upgrades the version of Bind it broke
in through, to prevent further compromise. There will be a security
advisory out on these worms, probably later this week.
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
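The "named -u named" point above, as an added example that is not part of the thread: a POSIX sh audit that reads `ps` output and flags any named process whose user is still root rather than the unprivileged account `-u` switches to. The sample ps lines are constructed, not from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether any running "named"
# process has root as its effective user. A daemon started with
# "named -u named" drops to the "named" account after binding port 53,
# so a root-owned named is the configuration the thread warns about.
#
# named_as_root reads "ps -eo user=,pid=,args=" style lines on stdin,
# prints the PID of every named process owned by root, and returns 1
# if it found any (0 if every named runs unprivileged).
named_as_root() {
    found=0
    while read -r user pid args; do
        # Match BIND's daemon by its command path, not helpers like named-xfer.
        case "$args" in
            named|named\ *|*/named|*/named\ *) ;;
            *) continue ;;
        esac
        if [ "$user" = "root" ]; then
            echo "$pid"
            found=1
        fi
    done
    return $found
}

# Constructed sample ps output: one hardened named (PID 412), one still
# running as root (PID 415), and unrelated processes that must be ignored.
SAMPLE='root 1 /sbin/init
named 412 /usr/sbin/named -u named
root 415 /usr/sbin/named
root 520 /usr/sbin/sshd
daemon 600 /usr/sbin/named-xfer'

# Live usage on a host:  ps -eo user=,pid=,args= | named_as_root
```

Run against the live process table, a non-zero exit with printed PIDs is the finding to act on; a zero exit with no output means every named is already dropping privileges.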