[CentOS] BIND Problem or Update SSL?

Sat Feb 19 00:54:07 UTC 2011
Larry Vaden <vaden at texoma.net>

On Fri, Feb 18, 2011 at 4:37 PM, James Hogarth <james.hogarth at gmail.com> wrote:
>
> Your mentor? What do you mean by that?

The same thing Wikipedia says, namely:

a trusted friend, counselor or teacher, usually a more experienced
person. Some professions have "mentoring programs" in which newcomers
are paired with more experienced people, who advise them and serve as
examples as they advance.

Joe, Randy and James are my mentors of 15, 5 and 5 years,
respectively, and all said the same thing, namely "nuke and repave, be
sure to be current on BIND" since it is a purpose-built box (ns1).

Since others have asked for details, they are below the sig.

With 20/20 hindsight, it is clear that I shouldn't have posted the
original post asking the list for help and hopefully informing other
potential targets of the risk (read: there were no responses to the
original post, therefore it was posted to the wrong audience).

regards/ldv/vaden at texoma.net

There was no time for forensics at the time of the discovery; just
time to get advice and react.
What follows is from a few moments ago.

===details===
===box was last nuked and repaved Jul 28  2008
===much unnecessary software removed Jul 28 2008, 57 tasks active per 'ps auxw | wc -l'
===current nmap (same nmap results as on problem day)
Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.19 seconds
vaden at turtlehill:/opt$ nmap -A -PN ns1.texoma.net
Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
Nmap scan report for ns1.texoma.net (209.151.96.2)
Host is up (0.0012s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE VERSION
53/tcp  open  domain
987/tcp open  ssh     OpenSSH 3.9p1 (protocol 2.0)
| ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA)
|_1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
vaden at turtlehill:/opt$
===named.conf security in 2008
[root at ns1 data]# cat /var/named/chroot/etc/named.conf | more
###
#
#  attribution: By Rob Thomas, noc at cymru.com
#               <http://www.cymru.com/Documents/secure-bind-template.html>
#  -and-
#               <http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php>
#
#  at the behest of
#  Dr. Joe Redacted (redacted1.edu)
#  Dr. Randall Redacted (redacted2.edu)
===
ssh port not on 22
===
distro's standard iptables save ssh port