Security Basics mailing list archives
DNS, Man-in-the-middle??
From: Stephen Pedrosa Eilert <spedrosa () mailandnews com>
Date: Wed, 6 Aug 2003 03:24:02 -0300 (BRT)
---------- Forwarded message ----------
Date: Wed, 6 Aug 2003 03:15:09 -0300 (BRT)
From: Stephen Pedrosa Eilert <spedrosa () mailandnews com>
To: "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ () SECURITYFOCUS COM>
Subject: DNS, Man-in-the-middle??

Posted by mistake on the bugtraq list. Posting here now.

---------------------------------------

I was troubleshooting a network problem on some of my computers (which will be called Elderbrain in the remainder of this message). Apparently, it wasn't receiving any information from my home server (DHCP, DNS cache, NAT, firewall; called Speaker). So I configured the interface manually, using my ISP's DNS server, and tried to SSH to Speaker. To my surprise, the following message appeared:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for speaker has changed,
and the key for the according IP address 204.91.156.55
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
b7:40:14:87:ab:13:fe:9c:90:1f:d3:11:43:dd:59:50.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for speaker has changed and you have requested strict checking.
Host key verification failed.

Of course, my ISP's DNS server knows nothing about a system called 'speaker', but it replied anyway.

Using 'host' on that IP address returns:

55.156.91.204.in-addr.arpa domain name pointer capawl01.adytumsolutions.com

Incidentally, whenever I mistype a URL, the homepage for that company appears.

Running NMAP on the IP gives me:

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on capawl01.adytumsolutions.com (204.91.156.55):
(The 1544 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
143/tcp    closed      imap2
443/tcp    open        https
993/tcp    closed      imaps
5801/tcp   closed      vnc-1
6001/tcp   closed      X11:1
8080/tcp   open        http-proxy

Remote operating system guess: Linux Kernel 2.4.0 - 2.4.17 (X86)
Uptime 160.370 days (since Wed Feb 26 18:18:39 2003)

Some suspicious services, if you ask me.

So, how should I proceed from here? Is it possible that the misconfiguration is with my computer and not theirs? I find it to be unlikely. It is behind my ISP's NAT for my building (so it can only receive incoming connections from computers inside the building, and even then I have blocked SYN packets at the firewall). Elderbrain is behind Speaker's NAT. Both are Linux systems. But how can I be sure? I want to be 100% sure if I am to contact them.

[]'s
Stephen Pedrosa Eilert

'Commit yourself to quality from day one ... it's better to do nothing at all than to do something badly.'
-Mark H. McCormack

---------------------------------------------------------------------------
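A way to work out, offline, what the two SSH warnings above actually distinguish (name known but key and IP differ versus a plain key change) and whether a resolver is inventing answers for names it should return NXDOMAIN for. This is an added Python example, not part of the original post or of OpenSSH; the known_hosts line, the toy RSA moduli (far too small for real keys) and the resolver answers are constructed, and only the 204.91.156.55 address comes from the message.

```python
import base64
import hashlib
import struct

def ssh_rsa_blob(e: int, n: int) -> str:
    """Base64 'ssh-rsa' public key blob: RFC 4253 string + two mpints."""
    def mpint(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # extra 0x00 keeps it positive
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)).decode()

def md5_fingerprint(key_b64: str) -> str:
    """Colon-separated MD5 fingerprint, the format OpenSSH printed in 2003."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_known_hosts(text: str) -> dict:
    """Map every host/IP token of each known_hosts line to its (keytype, key) pair."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            hosts, ktype, key = line.split()[:3]
            for h in hosts.split(","):
                entries[h] = (ktype, key)
    return entries

def classify(known_hosts: str, name: str, ip: str, ktype: str, key: str) -> str:
    """Decide what a mismatch means, mirroring the two warnings quoted in the post."""
    entries = parse_known_hosts(known_hosts)
    by_name, by_ip = entries.get(name), entries.get(ip)
    if by_name == (ktype, key):
        return "match"
    if by_name is None:
        return "unknown-host"            # first contact: verify the fingerprint out of band
    if by_ip is None:
        return "possible-dns-spoofing"   # name known with another key, IP never seen before
    return "host-key-changed"            # name and IP both known, key differs

def resolver_synthesises(answers: dict) -> bool:
    """True when probe names that should be NXDOMAIN (None) all resolve to one address."""
    bogus = [a for n, a in answers.items() if n.startswith("nxdomain-probe-")]
    return bool(bogus) and None not in bogus and len(set(bogus)) == 1

# Constructed sample data; only the 204.91.156.55 address is taken from the post.
HOME_KEY = ssh_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
OTHER_KEY = ssh_rsa_blob(65537, 0xDEADBEEF0BADF00D13371337)
KNOWN_HOSTS = "speaker,192.168.1.1 ssh-rsa " + HOME_KEY + "\n"
ANSWERS = {"speaker": "204.91.156.55", "nxdomain-probe-1": "204.91.156.55",
           "nxdomain-probe-2": "204.91.156.55"}
```

With the constructed data, `classify(KNOWN_HOSTS, "speaker", "204.91.156.55", "ssh-rsa", OTHER_KEY)` returns "possible-dns-spoofing", the same situation the first warning describes, and `resolver_synthesises(ANSWERS)` is True because the probe names resolve instead of failing.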
Current thread:
- DNS, Man-in-the-middle?? Stephen Pedrosa Eilert (Aug 06)
- Re: DNS, Man-in-the-middle?? David (Aug 11)
- Message not available
- Re: DNS, Man-in-the-middle?? David (Aug 13)
- Message not available
- Re: DNS, Man-in-the-middle?? David (Aug 11)