Subject: Re: sun4c vs 1.6
To: None <c.s.hendrix@larc.nasa.gov>
From: Greg A. Woods <woods@weird.com>
List: port-sparc
Date: 10/25/2002 16:02:51
[ On Friday, October 25, 2002 at 16:21:17 (+0000), Charles Shannon Hendrix wrote: ]
> Subject: Re: sun4c vs 1.6
>
> I never thought about it being intrusion attempts.  Could be, though I
> think at least some of it was just bugs outside of that.  It would be
> interesting to check some security logs on a machine where it's failing
> to see what kind of activity triggered the crash.

There might not be any other suspicious activity.  Such intrusion
attempts could just be "scans" from automated exploit tools.  Some such
tools are getting smart enough not to let out a huge barrage of exploit
attempts against a machine or network and instead to spread them out
over a much longer time so that they don't look so suspicious.  I don't
yet have any experience with such tools vs. the named bugs, but it seems
sensible to extrapolate from other active exploit attempts.

Then again if it is on a software-only cache flush CPU it might just be
due to normal cache corruption.  Such problems exist prior to 1.6 --
they're just a lot harder to trigger.  Back with 1.3 on my SS1 the
Xserver died every week or so instead of twice a day or so with 1.5W and
1.6-BETA.

My 8.3.3 named also dies occasionally on 1.3.2 on an SS2.  I've no idea
what the problem could be -- on that system named can't dump a core
because the kernel thinks it was set-id (I use '-u dns' to have it drop
privs and that prevents the core dump).

However on that same machine my mailer has recently started dying in the
resolver code -- and I have not yet patched the resolver bugs (does
anyone have a working 1.3.x NetBSD/sparc exploit?  :-).  That's what
really makes me think there may be some more common and wide-spread
attempts to exploit recently revealed BIND and resolver bugs.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>