SUMMARY: in.named dumping core

From: Joel Turoff (turoff@disaster.com)
Date: Wed Jun 03 1998 - 11:04:34 CDT


Greetings!

Special thanks to Jeff Wasilko, who spent a lot of time going back and
forth in email to help me troubleshoot this problem.

Thanks also to the following for taking time to respond to my post (sorry
if I forgot anyone): Elizabeth Mattij, Joachim Ber, Derek Terveer, Don
Elrod, Michael Baumann, Scott D. Yelich, Joe Pruett, Rahul Roy, Tim
Carlson, Michael Kriss, Brian Platt, Mark Bergman, Franciso Javier, Bob
Hayes, Gerald Combs, Robert G. Ferrel, Ian Kozak, Robin Brow, Matthew
Porter, Karl Vogel, Matt Massie, Jeff Graham. Thanks also to the
mysterious masked sysadmin who asked not to be named.

ORIGINAL QUESTION:

in.named is mysteriously dying and dumping core on a Solaris box running
2.5.1.

ANSWERS:

There are two possible causes here. One is a bug in in.named that is fixed
by the patch 103663-12. I've obtained and installed the patch.

The second possible cause is a recent exploit described in CERT advisories
98-04 and 98-05, which are available from
ftp://ftp.cert.org/pub/cert_summaries. Check out
http://www.cert.org/advisories/CA-98.05.bind_problems.html as well.

Seems like a remote user can crash in.named, causing it to dump core. Jeff
pointed out that you can check your system by examining the core dump:

strings core | grep xterm
strings core | grep -i display

If you get any output, it is likely that someone tried the exploit on your
system. If so, you can determine the originating IP address with:

strings core | grep :0

FIX:

Upgrade to BIND 4.9.7 or BIND 8.1.2. Or, wait for the patch from SUN.

TEMPORARY WORKAROUND:

Several folks sent very helpful scripts that can be run from cron to
test whether in.named is running (restarting it if necessary and
alerting the sysadmin). Please note that these do not address the
vulnerability described in the CERT advisories referenced above; they are
scripts to keep in.named running in case someone crashes it (many asked me
to post the scripts):

I'm using this one from Bob Hayes - Works great!

#!/bin/sh
XXNAME="`ps -fe |grep in.named|grep -v grep`"
## echo $XXNAME
if [ -z "$XXNAME" ]
then
        /usr/sbin/in.named &
# echo "I gotta start named!"
        echo "Started Named" |mailx -s "NAMED RESTARTED" root
#else
# echo "Named checked" | mailx -s "NameD OK" root
fi
 

From Francisco Arias:

#!/usr/bin/ksh
# Restart in.named if no process with "named" in its name shows up in ps -e
# (in.named forks itself into the background, so no & is needed).
ps -e | grep named | grep -v grep > /dev/null
if [ $? -ne 0 ]
then
        /usr/sbin/in.named
fi

From Robert Ferrill:

#!/bin/sh

# Restart only when grep finds no named process (non-zero status).
# Solaris 2.5.1 ships BIND 4 as /usr/sbin/in.named.
ps -ef | grep named | grep -v grep > /dev/null
if [ "$?" -ne 0 ]; then
  /usr/sbin/in.named
  echo your message | mailx -s "named restarted" root
fi

From Matt Massie:

#!/bin/sh

DAEMON="in.named"
COMMAND="/usr/sbin/in.named"

# -w matches in.named as a whole word, so "in.named" inside some other
# command name is not counted.
/bin/ps -e | /bin/grep -w $DAEMON > /dev/null

if [ $? != 0 ] ; then
# These echoes end up in the cron mail to the job's owner.
echo "The $DAEMON daemon is NOT running!"
echo "Restarting the daemon with command:"
echo $COMMAND
$COMMAND
# Clears the old core so the next crash leaves a fresh one. Note that this
# also throws away the core the strings/grep check above relies on, so copy
# it aside first if you want to look for the exploit.
/bin/rm -f /etc/namedb/core
fi
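
The script below is an added example; it is not from the original post or
from any of the contributors above. It ties the two halves of this summary
together: like the scripts above it restarts in.named from cron when it has
gone away, but instead of deleting the core it moves it aside under a
timestamped name and runs the strings/grep check from the ANSWERS section
against it, so the restart mail says whether the crash carried the
xterm/DISPLAY indicators and which host:0 the xterm was aimed at. It also
matches the daemon on the exact CMD column of ps -e, so a script whose own
name contains "named" is not mistaken for the daemon. The paths
(/var/named as in.named's working directory, /var/tmp/named-cores for
preserved cores) are assumptions for a Solaris 2.5.1 BIND 4 box, and the
sample core it builds is constructed for testing, not a real dump.

```shell
#!/bin/sh
# named-watchdog: restart in.named, preserve its core, check the core for
# the xterm/DISPLAY indicators.  Added example for this summary; paths are
# assumptions for a Solaris 2.5.1 BIND 4 box.

NAMED=/usr/sbin/in.named          # daemon to keep alive (forks itself into background)
COREDIR=/var/named                # assumption: in.named's cwd, where core lands
KEEPDIR=/var/tmp/named-cores      # assumption: where preserved cores are kept
ADMIN=root

# Stand-in for strings(1): print runs of four or more printable bytes.
core_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' || :
}

# Print the host:0 DISPLAY target(s) if the core carries the exploit's
# xterm/display strings; return 1 when it looks like a plain crash.
scan_core() {
    s=$(core_strings "$1")
    if printf '%s\n' "$s" | grep -Eqi 'xterm|display'; then
        printf '%s\n' "$s" | grep -oE '[A-Za-z0-9.-]+:0' | sort -u
        return 0
    fi
    return 1
}

# Move $1/core to $2/core.<timestamp>.<pid> and print the new path, so one
# crash never overwrites the evidence of the last; return 1 if no core.
preserve_core() {
    [ -f "$1/core" ] || return 1
    mkdir -p "$2"
    dest="$2/core.$(date +%Y%m%d%H%M%S).$$"
    mv "$1/core" "$dest" && printf '%s\n' "$dest"
}

# Exact match on the CMD column of ps -e (PID TTY TIME CMD), so a script
# whose own name contains "named" does not count as the daemon.
named_running() {
    ps -e | awk '$4 == "in.named" { n++ } END { if (n) exit 0; exit 1 }'
}

# Constructed sample, not a real core: binary filler around the strings an
# exploit attempt would leave behind, with a TEST-NET address as the target.
make_sample_core() {
    printf '\000\001junk\377\376/usr/openwin/bin/xterm\000-display\000192.0.2.10:0\000\002' > "$1"
}

main() {
    named_running && exit 0
    msg="in.named was not running and has been restarted."
    if core=$(preserve_core "$COREDIR" "$KEEPDIR"); then
        msg="$msg Core saved as $core."
        if targets=$(scan_core "$core"); then
            msg="$msg Exploit indicators found; DISPLAY target(s): $targets"
        else
            msg="$msg No exploit indicators in the core."
        fi
    fi
    "$NAMED"
    printf '%s\n' "$msg" | mailx -s "NAMED RESTARTED" "$ADMIN"
}

# Only act when invoked as "named-watchdog run", so the functions above can
# be sourced and exercised without touching the daemon.
if [ "${1:-}" = run ]; then
    main
fi
```

Install it as /usr/local/sbin/named-watchdog and call it with the "run"
argument from root's crontab; the Solaris cron of that era does not
understand */5, so spell the minutes out:
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/sbin/named-watchdog run
The preserved cores are what you feed to the strings checks in the ANSWERS
section, and to Sun or CERT if you want the crash looked at.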



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:41 CDT