Web Hosting Talk

Are hosts being hacked?


Drivingmiss
02-15-2001, 11:40 PM
As of 4 something p.m. Feb 14 and ongoing as I type this, my little website is down.

So I pinged the domain and no information came back. Bad sign.

My host has one of those online help desks, so I created an account, logged into it and found, among other things, this news:


2/14 4:55 PM, Blahblahserver going down temporarily: Blahblahserver is going down in an emergency situation. If your site is on this server, your files are backed up with current copies of all of your files. We have to clean this server after a recent hack by an assailant who is using this server to attempt to gain access to other web servers. We apologize for this inconvenience and we will have you online as soon as possible.


And then this...


2/15/2001 1:25 am ET: There will be another period of downtime as we clean the blahblahserver box this morning. We will work as quickly as possible to restore normal service on this web server. We believe this hack was due to the well known 'Linux Bind' exploit that was identified in early January. Linux put out a patch for this exploit just a couple of weeks ago, and Cobalt Networks provided their patch about 1 week ago. We have installed this patch on all of our web servers. It is being reported that many companies are experiencing alarming levels of hack attempts due to this 'Bind' exploit. We have added additional security measures recently and will be adding further security measures in the future to help prevent such attacks.


(Server's name isn't actually Blahblahserver, but it might as well be)

My question to the hosts on the board: have any of you had problems due to this (misnamed?) hack, this Linux Bind exploit? In the words of the great Dave Barry, are they making this up?

jic
02-15-2001, 11:44 PM
Your hosts are just idiots. That BIND exploit is over a month old and everybody knew about it. There was a trojan jumping box to box rooting servers with this exploit so it was very widespread but easy to fix. I say leave them because if they don't read BugTraq everyday then they are worthless sysadmins :).


James R. Clark II
Nethosters Inc.
http://www.nethosters.com

elsmore1
02-15-2001, 11:48 PM
I would believe them.

Several reputable (and large) hosting companies have reported numerous problems with servers on their networks being used for DoS attacks after access was gained through the known Bind exploit. It is strongly advised that if you are running a version of Bind less than 8.2.3 you upgrade it immediately.

Drivingmiss
02-16-2001, 12:57 AM
I just edited my online trouble ticket w/the host, asking what version of Bind they're using and requesting a financial credit to my account. I remember reading something about Bind on cnet last month, but I didn't pay enough attention to it. I guess I just ass*u*me*d hosts would automatically take care of it.

Thanks for the input.

elsmore1
02-16-2001, 01:01 AM
As James pointed out... They should have.

cbaker17
02-16-2001, 01:06 AM
Fact is, I wouldn't be so hard on your hosts. In fact, I'm rather surprised they were so honest and kept you well informed; most hosts wouldn't have even told you their boxes were hacked, and it sounds like they did a good job of keeping everything backed up, another thing most hosts don't do. FACT IS that there are a million and one ways to hack into somebody's box, and if they have a lot of servers it is very hard to stay on top of fixes, as many are released every day. I would have to say thumbs up to the host on how they handled the situation thus far.

Perhaps, nethoster, you shouldn't be so hard; almost any server is compromisable with enough time and effort..

AtlantaWebhost.com
02-16-2001, 01:28 AM
We had some difficulties with an intruder in a Linux server two weeks ago. The attack either got in through Bind or Sendmail (we were running the versions that came with the OS). From a web host's perspective, it is so much easier to leave something alone once it is working and just hope no one will target your system. Software upgrades can go wrong and customers do not want any downtime.

We have since upgraded Bind and replaced Sendmail with QMail, but I know the logic that can prevent one from patching potential holes. In the long run it is better to keep on top of software updates and try to keep ahead of possible security exploits.

Best regards,
Frank Rietta

cperciva
02-16-2001, 03:19 AM
Let me guess... it's a cobalt Raq, right?

One of the provisions of the cobalt warranty states that if you apply any unauthorized patches, your warranty is gone.

Which means that when a redhat exploit appears you're not allowed to patch it with the publicly available patches until two months later when cobalt decides to release their own "authorized" patch.

Personally, I'd suggest that you find a different host. Cobalt raqs are very expensive considering the hardware they are built from, and their only benefit is a UI which makes it possible for people to manage servers who really shouldn't be allowed anywhere near a root password.

Chicken
02-16-2001, 10:53 AM
You shouldn't have to guess:
Originally posted by Drivingmiss
...and Cobalt Networks provided...
Aside from that, this wasn't limited to Cobalt servers and I am certain there are plenty of machines (RaQ and non-RaQ) running right now with the old version.

At least you now know you're on a server that has been updated, but as someone said, there's more than one way to crack a box...

Badgurl
03-01-2001, 06:24 AM
I heard about this too... apparently a lot of servers and companies got hit by this.

One thing that does tend to happen when a bug is listed... all the script kiddies learn about it and then go out and try to find servers that haven't been updated with the fix... which is a great majority of them, and use a known exploit to impress themselves. I guess they are fooling themselves, telling themselves they are a great hacker... using someone else's hack.

Idiots!

allan
03-01-2001, 01:43 PM
Originally posted by Drivingmiss
I just edited my online trouble ticket w/the host, asking what version of Bind they're using and requesting a financial credit to my account.


If you have access to dig (if your account has shell access you should), you can find this information out yourself:

dig @nameserver.of.your.isp version.bind chaos txt

So, if you do this to our servers you get the following:

[allan web]$ dig @ns1.version12.net version.bind chaos txt

; <<>> DiG 8.2 <<>> @ns1.version12.net version.bind chaos txt
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND. 0S CHAOS TXT "8.2.3-REL"

;; Total query time: 27 msec
;; FROM: cyndilauper.version12.net to SERVER: ns1.version12.net 63.80.246.7
;; WHEN: Thu Mar 1 12:46:55 2001
;; MSG SIZE sent: 30 rcvd: 64


ie: we are running version 8.2.3

allan
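As an added example (my own code, not Allan's or the host's), here is the same CHAOS-class version.bind query built and parsed by hand in Python, plus a check of the returned banner against the 8.2.3 threshold given earlier in this thread. It embeds a constructed 64-byte reply that mirrors the dig output above, and the query_bind_version helper (a hypothetical name) is the only part that talks to a live server.

```python
import re
import socket
import struct
QTYPE_TXT, QCLASS_CH = 16, 3
VERSION_BIND = b"\x07version\x04bind\x00"  # wire form of "version.bind."

def build_version_query(txid=6):
    """The packet 'dig @ns version.bind chaos txt' sends: header (rd set, 1 question) + question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + VERSION_BIND + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def _skip_name(pkt, off):
    # Offset just past a wire-format name: a run of labels, or a 2-byte compression pointer.
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += pkt[off] + 1
    return off + 1

def parse_version_answer(pkt):
    """TXT string of the first answer RR, or None when the server gave no usable answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if an == 0 or flags & 0x000F != 0:   # no answer, or non-zero RCODE (e.g. REFUSED)
        return None
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(pkt, off) + 4
    off = _skip_name(pkt, off)           # answer owner name
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != QTYPE_TXT or rclass != QCLASS_CH:
        return None
    # TXT rdata is one length byte followed by that many characters
    return pkt[off + 1:off + 1 + pkt[off]].decode("ascii", "replace")

def bind8_patched(banner, minimum=(8, 2, 3)):
    """True/False for a BIND 8 banner like '8.2.3-REL' against the thread's 8.2.3 threshold; None otherwise."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", banner or "")
    if not m or int(m.group(1)) != 8:    # hidden/custom banner, or a 4.x / 9.x server: not this check
        return None
    return tuple(int(x) for x in m.groups()) >= minimum

def query_bind_version(server, timeout=3.0):
    # Hypothetical helper: send the query over UDP to a live name server and parse its reply.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        return parse_version_answer(s.recv(512))

# Constructed response mirroring the post's dig output (id 6, flags qr aa rd ra, one TXT answer, 64 bytes).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 6, 0x8580, 1, 1, 0, 0) + VERSION_BIND + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
                   + VERSION_BIND + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 10) + b"\x098.2.3-REL")
```

A name server can be configured to hide or replace its version string, so a missing or reassuring banner is not proof of a patched install; confirm the package version on the box itself.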

Drivingmiss
03-01-2001, 10:14 PM
Thanks for the tip, Allan!

Everything is again right with my site, thanks to me actually calling them and not waiting for them to answer my "online trouble tickets". Bah - online trouble tickets - bah! There was a problem with the file permissions, but after I called them again they reset the permissions. And they are giving me a free month after I asked them about getting some credit.

I still have a backup host in mind, just in case.

Website Rob
03-02-2001, 04:07 AM
Allan, that was a cool tip - thanks! Found out that I also have BIND 8.2.3 -- and now I'm wondering -- is this the updated/patched version?

BIND - Berkley Internet Naming ?
(who can help me out here) :)


Drivingmiss, from the information you've provided - I would say you've got a Hoster who works on an honest & upfront basis. Best way I know of, to do business.

_G_
03-02-2001, 06:45 AM
Have a look at

http://www.isc.org/products/BIND/bind-security.html

It lists all the versions that can be cracked.


The main site is
http://www.isc.org/products/BIND/

allan
03-02-2001, 07:21 AM
Originally posted by Website Rob
Allen, that was a cool tip - thanks! Found out that I also have BIND 8.2.3 -- and now I'm wondering -- is this the updated/patched version?


8.2.3 is the latest patch release of the 8.0 version of BIND, in other words the most secure. There are also 4.0 and 9.0 versions of BIND.

BIND = Berkeley Internet Name Domain

So, you were close :)

Website Rob
03-02-2001, 07:22 AM
Excellent link G - thanks. I was close - on the BIND acronym. ;)

Don't you hate that, when somebody posts while you're putting your post together. Oh well...
Thanks for your input as well Allan.

webfors
03-02-2001, 08:44 AM
Nice tip allan! :)

I've noticed that cpanel updates now perform an update on all server software. It's nice to know that every night these apps are updated. I just hope the cpanel team is on top of the latest bugs/security holes.