Security Incidents mailing list archives

Re: DNS Injection Problem


From: "Benjamin A. Okopnik" <ben () callahans org>
Date: Mon, 5 May 2003 21:07:26 -0400

On Mon, May 05, 2003 at 02:11:06PM -0300, Blade Runner wrote:
> Hi list, I am facing a serious problem here. My client works as an ISP and
> somebody is injecting parameters in their DNS tables/files. Eventually
> dial-up customers are accessing faked home pages (usually banks). These
> attacks were reported to the FPD (Federal Police Dep), but they haven't
> found anything yet.
>
> I am looking for a vulnerability in my server but it is a hard thing to do.
>
> Maybe you, security masters, can help me with this.
>
> This is the server configuration.
>
> OS: Slackware 8.1  kernel 2.4.20
>
> DNS Server: bind 9.2.2  # I am focusing my attention here, looking for bugs.
 
I would actually treat this as a lower priority. The old versions of
BIND were pretty ratty; 9 has been fairly solid.

> Web Server: apache 1.3.27 + php-4.3.1 + SquirrelMail 1.4.0
>
> Courier-Imap 1.7.1
>
> Qmail 1.03
>
> Proftpd 1.2.8 # no root or anonymous connections
>
> Here is a scan showing my open ports.
>
> Port       State       Service
> 21/tcp     open        ftp
> 23/tcp     open        telnet
> 25/tcp     open        smtp
> 53/tcp     open        domain
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 113/tcp    open        auth
> 143/tcp    open        imap2

What it looks like is that your client is trying to run a number of
services on a single machine, which in this scenario is, IMO, the wrong
thing to do; the more services you run on a machine, the higher its
probability of being cracked. I would split the services between several
machines, run the Web server standalone and in a "chroot" jail that
contains minimal tools. If nothing else, this will definitely help in
isolating the problem. If the attacker is getting in via one of the
other services, it'll all but eliminate it.

Just as a side comment, a friend of mine runs several Web servers with
no services other than HTTP and SSH showing and no firewall (she's a
brave soul, and claims to be doing this as a test.) She's never been
cracked, and it's been several years.

> In this server we do not allow telnet/rsh or any shell connection.
 
That's not what your port scan says. Why do you have a telnet daemon
running if you don't allow the service? To me, one of the very first
steps in securing a Linux box is turning off all the services and
enabling only the ones I must (and that only when I'm approached with
dental pliers.)


Ben Okopnik
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Computer industry is often very cruel to the English language.
There are a lot of ugly phrases we use regularly. "Killer app." "User
interface." "Monetize." "Steve Ballmer." 
 -- Sean M. Dugan, in "Puget Sound Computer User"
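A check in the spirit of Ben's advice to isolate the problem, added here as an example and not part of the original thread: it diffs the A records the resolver is handing out against a trusted reference copy and fingerprints the zone file so that an injected record shows up on the next comparison. The record lines and the example-bank domain are constructed sample input, not data from the thread.

```python
import hashlib
import ipaddress
from typing import Dict, List, Set

def parse_a_records(text: str) -> Dict[str, Set[str]]:
    """Parse 'owner [ttl] [class] A address' lines; ';' starts a comment."""
    records: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):      # blank line or $ORIGIN/$TTL
            continue
        fields = line.split()
        if len(fields) < 3 or fields[-2].upper() != "A":
            continue                               # only A records matter here
        owner = fields[0].rstrip(".").lower()
        ipaddress.IPv4Address(fields[-1])          # malformed rdata raises ValueError
        records.setdefault(owner, set()).add(fields[-1])
    return records

def find_injected(observed: Dict[str, Set[str]], reference: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Names whose observed addresses include any absent from the reference."""
    findings: Dict[str, List[str]] = {}
    for name, addrs in observed.items():
        extra = addrs - reference.get(name, set())
        if extra:
            findings[name] = sorted(extra)
    return findings

def zone_fingerprint(text: str) -> str:
    """SHA-256 of the zone minus comments/blank lines; compare with a known-good baseline."""
    kept = (raw.split(";", 1)[0].rstrip() for raw in text.splitlines())
    canon = "\n".join(line for line in kept if line.strip())
    return hashlib.sha256(canon.encode()).hexdigest()

# Constructed sample: the trusted copy vs. what the resolver answers today.
REFERENCE = """
www.example-bank.test.   3600 IN A 192.0.2.10   ; legitimate site
www.example-bank.test.   3600 IN A 192.0.2.11
mail.example-bank.test.  3600 IN A 192.0.2.20
"""
OBSERVED = """
www.example-bank.test.   3600 IN A 192.0.2.10
www.example-bank.test.     60 IN A 198.51.100.7 ; not in the reference
mail.example-bank.test.  3600 IN A 192.0.2.20
"""

def audit() -> Dict[str, List[str]]:
    """Return the observed records that are not in the trusted reference."""
    return find_injected(parse_a_records(OBSERVED), parse_a_records(REFERENCE))
```

In practice the OBSERVED text would come from dumping the running server's zone or cache, and the REFERENCE from a copy kept on a separate, locked-down host.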

