Security Incidents mailing list archives

Re: unapproved update from [166.93.60.5].61946


From: Suzanne.Hernandez () GUNTER AF MIL (Suzanne.Hernandez () GUNTER AF MIL)
Date: Fri, 19 May 2000 13:21:07 -0500


This is called nsupdate and is a "feature" of DNS.

These are attempts to remotely add or remove records from the DNS cache on
the primary DNS server for your domain.  This "feature" uses udp/53 so
unfortunately, there is one and only one place to protect yourself and that
is in your DNS config itself.  The feature is turned off by default and has
to be specifically turned on with allow-update to work.  Obviously yours is
turned off.  However, from what I've seen, the feature will have to be
turned on for a Windows 2000 machine to automatically register itself with
your DNS server.  Also for DHCP.  So if you turn it on, turn it on with
care, from only your network, and make sure you have spoofing ACLs in your
router.

We have also seen many of these, in 3 months, about 350 attempts from places
like Singapore, Israel, Italy etc.  We have also seen attempts from 3rd
level domains off our 2nd level domain that we run.  In other words, a user
has a Windows 2000 machine, his domain is domain.mydomain.com.  He
accidentally puts in misspelleddomain.mydomain.com and when his 2000 machine
tries to register with the DNS server for misspelleddomain.mydomain.com, it
sees there is no domain by that name and instead goes to the mydomain.com
primary DNS server.

One can set this up to use only tcp 53 instead and that would be the way to
go.

I did a test and was able (using this feature) to redirect all my mail to a
new Exchange server (i.e. the hacker's Exchange server), tell the hacker's
Exchange server to resend the email back to the intended mail server, but
make a copy of each email, thereby hijacking all a site's email and having
access to it without the site even being aware of this.  The other concern
is that nsupdate can send a time to live, so the new email record has a 100
year time to live, and by the time the site realizes the problem and deletes
the record from its cache, it's now cached on DNS servers throughout the
world for 100 years (or until a reboot).

Suzi Hernandez
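As an added example (not from either poster), the following Python script parses the "unapproved update from" lines that named logged in the original message, counts attempts per source and zone, and flags sources that lie outside the networks you would actually list in allow-update. The sample log lines and the 10.0.0.0/8 "internal" range are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Shape of the BIND log line quoted in the original message:
#   May 17 14:17:17 mail named[69]: unapproved update from [166.93.60.5].61946 for mydomain.com
UNAPPROVED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"unapproved update from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)"
)

def parse_unapproved_updates(lines):
    """Yield one dict per 'unapproved update' line; unrelated lines are skipped."""
    for line in lines:
        m = UNAPPROVED_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "src": m["src"], "port": int(m["port"]), "zone": m["zone"]}

def summarize(lines, internal_nets):
    """Count attempts per (source, zone) and collect sources outside internal_nets.

    internal_nets: CIDR strings for the networks that are allowed to send dynamic
    updates (your DHCP / Windows 2000 client subnets); anything else is external.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    per_source = Counter()
    external = set()
    for rec in parse_unapproved_updates(lines):
        per_source[(rec["src"], rec["zone"])] += 1
        addr = ipaddress.ip_address(rec["src"])
        if not any(addr in n for n in nets):
            external.add(rec["src"])
    return per_source, external

# Constructed sample log, modelled on the line in the original message (10.1.2.3 is made up).
SAMPLE_LOG = """\
May 17 14:17:17 mail named[69]: unapproved update from [166.93.60.5].61946 for mydomain.com
May 17 14:17:19 mail named[69]: unapproved update from [166.93.60.5].61947 for mydomain.com
May 17 14:20:02 mail named[69]: unapproved update from [10.1.2.3].1033 for mydomain.com
May 17 14:21:40 mail named[69]: Cleaned cache of 12 RRsets
""".splitlines()

if __name__ == "__main__":
    counts, external = summarize(SAMPLE_LOG, ["10.0.0.0/8"])
    for (src, zone), n in counts.most_common():
        print(f"{src:15} -> {zone}: {n} attempt(s)")
    print("external sources:", sorted(external))
```

A source that shows up as external is one your allow-update ACL and router spoofing filters should already be rejecting; an internal one usually points at a misconfigured client like the mis-typed domain case described above.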

-----Original Message-----
From: James Ankenbrandt [SMTP:anken () IX NETCOM COM]
Sent: Wednesday, May 17, 2000 2:50 PM
To:   INCIDENTS () SECURITYFOCUS COM
Subject:      unapproved update from [166.93.60.5].61946

I have been getting these for several days:

May 17 14:17:17 mail named[69]: unapproved update from [166.93.60.5].61946
for [mydomain deleted].com

What would anyone suggest?  I *assume* they are hostile,
but what to do?  As a relative newbie I would be grateful
for suggestions and/or pointers in the correct direction

Jim
