Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

["Stephen John Smoogen" <smooge () gmail com>]

On Jan 22, 2008 8:04 PM, Jeff Plewes <plewes () gmail com> wrote:
> We have a similar problem on one of our co-location servers:
>
> - centos5 i386
> - apache 2.2.3-11.el5.centos (2.2.6 backport)
> - php 5.2.5 (compiled from source)
>
> The issue appears at random..   when it is present, a request to the
> web server will respond with a redirect to a spyware or malware
> download site.   This will continue to redirect 10% of the traffic to
> the box until httpd is restarted.  The redirection script is not found
> in any file on the server filesystem and believed to be injected into
> the response stream via a compromised httpd process in memory.
>
> This issue was happening on the same box when It used to be apache
> 2.0.56, php 5.1.0 running redhat 9.  upgrading the distribution,
> apache, php etc has so far not resolved the issue.
>
> At this point we are upgrading to apache 2.2.3-11.el5.centos.3 (2.2.8
> backport) in hopes that the recent security patches in this build
> relating to XSS will solve the issue.
>
> I would really like to find the source of the problem, though.
>
> -Jeff

Hmmm I wonder if its related to the Javascript hack that people have
been seeing at isc.sans.org and other places.

http://isc.sans.org/diary.html?date=2008-01-18


-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"