Security Incidents mailing list archives

DNS Injection Problem


From: "Blade Runner" <blade () seven com br>
Date: Mon, 5 May 2003 14:11:06 -0300 (BRT)

Hi list, I am facing a serious problem here. My client works as an ISP and
somebody is injecting parameters in their DNS tables/files. Eventually
dial-up customers are accessing faked home pages (usually banks). These
attacks were reported to the FPD (Federal Police Dep), but they haven't
found anything yet.

I am looking for a vulnerability in my server but it is a hard thing to do.

Maybe you, security masters, can help me with this.

This is the server configuration.

OS: Slackware 8.1  kernel 2.4.20

DNS Server: bind 9.2.2  # I am focusing my attention here, looking for bugs.

Web Server: apache 1.3.27 + php-4.3.1 + SquirrelMail 1.4.0

Courier-Imap 1.7.1

Qmail 1.03

Proftpd 1.2.8 # no root or anonymous connections

Here is the scanner output showing my open ports.

Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    open        auth
143/tcp    open        imap2



In this server we do not allow telnet/rsh or any shell connection.

Since I am a newbie, I would appreciate some advice and tips.



Thanks a lot and sorry about my poor English



-- 
Blade Runner - Squirrel Mail
Linux Powered
LICQ 40959703


