RE: BIND Crash

["Lee Evans" <lee () leeevans org>]

Count me in - I've had this on one of my bind servers today as well.
It's crashed 3 times since 4pm BST - same error (again, almost -
different number after resp.c).

Likewise, I havent found any files in the /tmp folder that are unusual
(or, indeed, anywhere else on the system with the string mentioned).

I've setup a couple of fairly simple things on the system, to hopefully
capture the traffic/source of the packets which may be causing the
crash. Whether they work remains to be seen... :)

Likewise, further reports if any more information turns up.

Regards
Lee
-- 
Lee Evans

> -----Original Message-----
> From: Mark Ng [mailto:laptopalias1-mark () informationintelligence net] 
> Sent: 15 May 2003 22:44
> To: Gaby Vanhegan; incidents () securityfocus com
> Subject: RE: BIND Crash
>
>
> I've seen this today too.  One of my clients DNS servers has 
> crashed twice in the same day, both times with the same 
> message (or very similar)
>
> May 14 21:19:19 bilbo2 named[9491]: ns_resp.c:3946: ENSURE(cp 
> <= eom_out) failed.
>
> I've not seen the file in /tmp on this machine however.  I'm 
> looking to see if there have been any similar problems on any 
> of their other machines.
>
> Will report if I see anything else.
>
> -----Original Message-----
> From: Gaby Vanhegan [mailto:gaby.vanhegan () englandagency com]
> Sent: 15 May 2003 09:05
> To: incidents () securityfocus com
> Subject: BIND Crash
>
>
> Odd one this:
>
> I have three servers running BIND 8.3.  All of the bind 
> processes crashed at around the same time with this message 
> in  /var/log/messages and
> /var/log/warn:
>
> May 14 15:15:58 swallow named[395]: ns_resp.c:3924: ENSURE(cp 
> <= eom_out) failed. May 14 15:15:58 swallow named[395]: 
> ns_resp.c:3924: ENSURE(cp <= eom_out) failed.
>
> I got the same message on each machine at around the same 
> time (within 10
> mins) which suggests an address scan of some sort on port 53. 
>  Each of the machines had a file in /tmp with some code in:
>
> a|O:1:"a":1:{s:4:"test";s:5:"hallo";}b|O:1:"b":1:{s:1:"a";R:1;}
>
> Which looks pretty much like something I don't want on any of 
> my machines. Has anyone experienced anything similar?  There 
> is nothing about this on CERT or SecurityFocus, but I'm still 
> looking.  It basically shut down our DNS service, but didn't 
> seem to get much farther.
>
> I've increased the logging level so I can find out what's 
> going on if and when it happens again.  Has anyone had 
> anything similar?
>
>
>
>
> --------------------------------------------------------------
> --------------
> *** Wireless LAN Policies for Security & Management - NEW 
> White Paper *** Just like wired networks, wireless LANs 
> require network security policies 
> that are enforced to protect WLANs from known vulnerabilities 
> and threats. 
> Learn to design, implement and enforce WLAN security policies 
> to lockdown enterprise WLANs.
>
> To get your FREE white paper visit us at:    
> http://www.securityfocus.com/AirDefense-incidents
> --------------------------------------------------------------
> --------------


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------