Welcome to the MacNN Forums.

Gavin · Mar 23, 2001, 08:41 PM

There is a rare and deadly virus now hitting Linux boxes that could also hit other Unix types. it attacks the BIND DNS server. http://www.sans.org

"..the final stable release of BIND 8.2.3 is believed to be not
succeptable to the worm's attacks."

What version do we have? I don't want to get hit with something this nasty right out the door.

For non-unix people:
There is no reason to panic. This stuff is NOT running on OSX unless you go out of your way to turn it on.

Mar 24, 2001, 01:05 AM

named 8.2.3-REL

Scott_H · Mar 24, 2001, 03:24 AM

If it's for X86 Linux then it can't run on OS X.

dogzilla · Mar 24, 2001, 04:47 PM

Originally posted by Scott_H:
If it's for X86 Linux then it can't run on OS X.

I don't know if it's safe to ignore this. I don't think many of these worms are processor-specific. After reading the info on the lion worm (http://www.sans.org/y2k/lion.htm), it appears to access vulnerabilities in systems that may be available in BSD systems as well. I haven't heard anything specific about how this worm affects BSD systems, but the description seems to focus on vulnerabilities in GNU apps, of which MacOSX has plenty.

Can anyone with more Unix experience confirm/deny that this can affect MacOSX or Free/Net/OpenBSD systems?

Mar 24, 2001, 05:28 PM

I'd have to agree witht dogzilla. Once an exploit like BIND is known, it's a simple matter to gain access to the root shell. There are already PPC binaries that will do this.

So, given the BIND exploit, substitution of a little x86 code with the known PPC code, a cracker can easily gain access to the root shell. This would easily become a OS X "root-kit" that crackers will happily exchange amongst themselves.

Of course, OS X doesn't ship with the root account enabled. But probably anyone running DNS off OS X would enable root to get admin work done.

Gavin · Mar 24, 2001, 06:27 PM

I got X today and checked it out.

There is no BIND included so this is not a problem for us at all.

they gave us 'named' instead.

the security updates on linux are a pain and you can get outdated and out of synch. Let's hope the System Software Updater can keep us ahead of the curve. We should have all the latest Darwin updates, bug fixes and security tweaks, the day they come out - automatically.

We probably ought to let this thread die so we don't scare anybody.

Mar 24, 2001, 07:47 PM

named = BIND

justinkim · Mar 24, 2001, 10:32 PM

Is bind/named even turned on by default on 1.0? I don't see it running.

Mar 24, 2001, 11:40 PM

Is bind/named even turned on by default on 1.0? I don't see it running.

No, as the original post said

For non-unix people: There is no reason to panic. This stuff is NOT running on OSX unless you go out of your way to turn it on.

And even if it were, the release included is

named 8.2.3-REL

so what is important to remember is that

"..the final stable release of BIND 8.2.3 is believed to be not succeptable to the worm's attacks."

And there is no need to be concerned at all.
Quod Erat Demonstratum

iYeat · Mar 26, 2001, 03:52 AM

So it's not turned on by default...

is there any way to make it automatically turn on on startup?

Caio

------------------

Gavin · Mar 26, 2001, 09:27 AM

is there any way to make it automatically turn on on startup?

Add a folder for it in /system/library/startupitems/

Look around in there, you'll get the idea. I did this for MySQl by copying the Apache folder then changing the names.

To make it work add a line for it with -YES- in /etc/hostconfig

Gavin · Mar 26, 2001, 09:33 AM

Me: There is no BIND included so this is not a problem for us at all.
they gave us 'named' instead.

Albert: named = BIND

Doh!

I thought they were two divergent branches of the same tree.