SUMMARY: in.named dumping core

From: Joel Turoff
Date: Wed Jun 03 1998 - 11:04:34 CDT


Special thanks to Jeff Wasilko, who spent a lot of time going back and
forth in email to help me troubleshoot this problem.

Thanks also to the following for taking time to respond to my post (sorry
if I forgot anyone): Elizabeth Mattij, Joachim Ber, Derek Terveer, Don
Elrod, Michael Baumann, Scott D. Yelich, Joe Pruett, Rahul Roy, Tim
Carlson, Michael Kriss, Brian Platt, Mark Bergman, Franciso Javier, Bob
Hayes, Gerald Combs, Robert G. Ferrel, Ian Kozak, Robin Brow, Matthew
Porter, Karl Vogel, Matt Massie, Jeff Graham. Thanks also to the
mysterious masked sysadmin who asked not to be named.


in.named is mysteriously dying and dumping core on a Solaris box running


There are two possible causes here. One is a bug in in.named that is fixed
by the patch 103663-12. I've obtained and installed the patch.

The second possible cause is a recent exploit described in CERT advisories
98-04 and 98-05, which are available from Check out as well.

Seems like a remote user can crash in.named, causing it to dump core. Jeff
pointed out that you can check your system by examining the core dump:

strings core | grep xterm
strings core | grep -i display

If you get any output, it is likely that someone tried the exploit on your
system. If so, you can determine the originating IP address with:

strings core | grep :0


Upgrade to BIND 4.9.7 or BIND 8.1.2. Or, wait for the patch from SUN.


Several folks sent very helpful scripts that can be run from cron and can
test to see whether in.named is running (restarting it if necessary and
alerting the sysadmin). Please note, these do not address the
vulnerability described in the CERT advisories referenced above, they are
scripts to keep in.named running in case someone crashes it (many asked me
to post the scripts):

I'm using this one from Bob Hayes - Works great!

# Look for a running in.named, excluding the grep process itself
XXNAME="`ps -fe |grep in.named|grep -v grep`"
## echo $XXNAME
if [ -z "$XXNAME" ]
then
        # Not running: restart it and notify root
        /usr/sbin/in.named &
# echo "I gotta start named!"
        echo "Started Named" |mailx -s "NAMED RESTARTED" root
fi
# echo "Named checked" | mailx -s "NameD OK" root

From Francisco Arias:

ps -e | grep named | grep -v grep >> /dev/null
if [ $? -ne 0 ]; then
        :  # named is not running (the action taken here is missing from this copy)
fi

From Robert Ferrill:

# grep exits non-zero when no named process is listed
ps -ef | grep named | grep -v grep > /dev/null
if [ "$?" != 0 ]; then
  echo your message | mailx -s "named restarted" root
fi

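From Matt Massie:

DAEMON=in.named   # assumed value; the assignment is missing from this copy

/bin/ps -e | /bin/grep -w $DAEMON > /dev/null

# grep exits non-zero when the daemon is not in the process list
if [ $? != 0 ] ; then
echo "The $DAEMON daemon is NOT running!"
echo "Restarting the daemon with command:"
/bin/rm -f /etc/namedb/core
fi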
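
The core-file check that Jeff pointed out earlier in this message, wrapped into reusable shell functions. This is an added example, not part of the original post or written by anyone named in it; the function names, the sample file and the 192.0.2.10 address are constructed for illustration, and it assumes a grep that supports -E and -o (GNU or BSD).

```shell
#!/bin/sh
# Added example: triage an in.named core file for the strings described above.

# Print printable runs of 4+ characters from a binary file.
# Uses strings -a (scan the whole file) when installed, tr otherwise.
printable() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep '....'
    fi
}

# Lines mentioning xterm or display, case-insensitive (the first two greps).
core_indicators() {
    printable "$1" | grep -i -E 'xterm|display'
}

# Candidate display targets: dotted quad followed by :0, de-duplicated.
core_display_hosts() {
    printable "$1" | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}:0' | sort -u
}

# Report on one core file. Returns 0 if indicators were found,
# 1 if none were found, 2 if the file cannot be read.
triage_core() {
    core=$1
    [ -r "$core" ] || { echo "cannot read $core" >&2; return 2; }
    hits=$(core_indicators "$core" || true)
    if [ -z "$hits" ]; then
        echo "$core: no xterm/display strings found"
        return 1
    fi
    echo "$core: possible exploit attempt, matching strings:"
    echo "$hits" | sed 's/^/    /'
    echo "$core: candidate originating address(es):"
    core_display_hosts "$core" | sed 's/^/    /'
    return 0
}

# Constructed sample, not a real core: binary padding around one
# indicator string that uses a documentation-range address.
make_sample_core() {
    printf '\001\002\003named\000\377\376xterm -display 192.0.2.10:0\000\004' > "$1"
}
```

Source the file and run triage_core against the core path; save the core before any cron restart script removes it, since Matt Massie's script deletes /etc/namedb/core.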
