Security Incidents mailing list archives

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition


From: "Jon R. Kibler" <Jon.Kibler () aset com>
Date: Mon, 28 Jan 2008 13:58:07 -0500

david bizeul wrote:
On 22 Jan 2008 00:55:30 -0000,  <ponchovaldes () gmail com> wrote:
Hello guys, we have a social network that is getting stronger, but we are having an issue.

Hi,

A few thoughts.
1) Start with the logs -- what do they show?
   Do you actually see redirects in the Apache logs?
   What do your BIND NS logs show? If you don't have query logging on, turn it on!
2) Run process accounting. Do the numbers add up? If not, you may have a rootkit. PA
   may also be able to show a rogue process, such as a Trojan.
3) Run an independently built, statically linked lsof. Do you have processes without
   filenames? Do you see processes that 'ps -ef' miss? Anything else 'strange' in
   the output?
4) Sniff the network from another box that is in the same collision domain -- and
   one without an IP address. (Put a true hub between your suspect box and the net,
   then sniff hub traffic.)
5) Run arpwatch, again preferably from another box on the collision domain.

Hope this helps.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494

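Steps 2 and 3 of the reply above suggest cross-checking what a possibly compromised `ps` reports against an independently built `lsof`. The following is an added example, not code from the list post or its author, that performs that comparison on constructed sample output: it flags PIDs that appear in `lsof` but not in `ps -ef`, executables that `lsof` marks as `(deleted)` (the process is running from a file that no longer exists on disk), and, because the thread is about a suspected DNS hijack, any process other than the expected name server holding port 53. The two sample listings and the `expected_command="named"` default are assumptions made for the example.

```python
"""Cross-check `ps -ef` and `lsof -n -P` output for hidden or file-less processes.

Constructed sample data (not captured from any real host) stands in for the
output of the two commands; on a live system the same parsers can be fed the
commands' real output.
"""
from typing import Dict, List, Set

# Constructed `ps -ef` sample. PID 4711 is deliberately absent here.
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan27 ?        00:00:01 /sbin/init
named     1204     1  0 Jan27 ?        00:01:12 /usr/sbin/named -u named
www-data  2310  2301  0 Jan27 ?        00:00:40 /usr/sbin/apache2 -k start
"""

# Constructed `lsof -n -P` sample. PID 4711 shows up only here (hidden from ps),
# and PID 2310's executable carries lsof's own "(deleted)" marker.
LSOF_OUTPUT = """\
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
init         1     root  txt    REG    8,1    36992  123 /sbin/init
named     1204    named  txt    REG    8,1   445632  456 /usr/sbin/named
named     1204    named   21u  IPv4  12345      0t0  UDP 192.0.2.10:53
apache2   2310 www-data  txt    REG    8,1   567890  789 /usr/sbin/apache2 (deleted)
apache2   2310 www-data    4u  IPv4  23456      0t0  TCP *:80 (LISTEN)
httpd     4711     root  txt    REG    8,1    12345  999 /tmp/.x/httpd
httpd     4711     root    3u  IPv4  34567      0t0  UDP *:53
"""

LSOF_COLUMNS = ("COMMAND", "PID", "USER", "FD", "TYPE",
                "DEVICE", "SIZE_OFF", "NODE", "NAME")


def parse_ps(text: str) -> Dict[int, str]:
    """Map PID -> CMD from `ps -ef` output; the header line is skipped."""
    procs: Dict[int, str] = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)          # CMD may contain spaces
        if len(fields) == 8:
            procs[int(fields[1])] = fields[7]
    return procs


def parse_lsof(text: str) -> List[Dict[str, str]]:
    """Split `lsof` rows into dicts keyed by LSOF_COLUMNS; NAME keeps its spaces."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 8)
        if len(fields) == 9:
            rows.append(dict(zip(LSOF_COLUMNS, fields)))
    return rows


def hidden_pids(ps_text: str, lsof_text: str) -> Set[int]:
    """PIDs that hold open files per lsof but are missing from the ps listing."""
    visible = set(parse_ps(ps_text))
    return {int(r["PID"]) for r in parse_lsof(lsof_text)} - visible


def deleted_executables(lsof_text: str) -> Dict[int, str]:
    """PIDs whose program text (FD 'txt') points at a file lsof marks '(deleted)'."""
    return {int(r["PID"]): r["NAME"] for r in parse_lsof(lsof_text)
            if r["FD"] == "txt" and r["NAME"].endswith("(deleted)")}


def unexpected_dns_listeners(lsof_text: str, expected_command: str = "named") -> Set[int]:
    """PIDs bound to port 53 (UDP or TCP) whose command is not the expected name server."""
    found: Set[int] = set()
    for r in parse_lsof(lsof_text):
        if r["NODE"] not in ("UDP", "TCP"):
            continue
        endpoint = r["NAME"].split()[0]        # drop trailing "(LISTEN)" etc.
        if endpoint.endswith(":53") and r["COMMAND"] != expected_command:
            found.add(int(r["PID"]))
    return found


def report(ps_text: str, lsof_text: str) -> List[str]:
    """Human-readable findings; empty list means nothing suspicious was seen."""
    lines = []
    for pid in sorted(hidden_pids(ps_text, lsof_text)):
        lines.append(f"PID {pid}: open files in lsof but not listed by ps")
    for pid, name in sorted(deleted_executables(lsof_text).items()):
        lines.append(f"PID {pid}: running from deleted file {name}")
    for pid in sorted(unexpected_dns_listeners(lsof_text)):
        lines.append(f"PID {pid}: bound to port 53 but is not the expected name server")
    return lines


if __name__ == "__main__":
    for finding in report(PS_OUTPUT, LSOF_OUTPUT):
        print(finding)
```

A PID seen only by a statically linked `lsof` is exactly the "process that 'ps -ef' misses" the post describes; a `(deleted)` program text is the "process without a filename". Neither finding proves a rootkit on its own (a package upgrade also leaves running daemons with deleted binaries), so treat the output as a list of things to look at, not as a verdict.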