Security Incidents mailing list archives
Re: DNS Injection Problem
From: David Conrad <david.conrad () nominum com>
Date: Mon, 5 May 2003 17:22:49 -0700
Hi,Unless the attacker has access to the wire DNS queries are going over, DNS cache poisoning is possible, albeit difficult to implement, particularly with BIND 9.2.2.
If the attacker does have access to the wire (e.g., via a compromised host where they can run tcpdump or equivalent), DNS cache poisoning or cache impersonation becomes trivial (see http://freshmeat.net/projects/dnshijacker/). If this is a possibility, might try moving your name server to a dedicated box on a dedicated switch port (if that is an option).
Rgds, -drc On Monday, May 5, 2003, at 10:11 AM, Blade Runner wrote:
Hi list, I am facing a serious problem here. My client works as an ISP andsomebody is injecting parameters in their DNS tables/files. Eventuallydial-up costumers are accessing faked home pages ( usually banks ). These attacks were reported to the FPD ( Federal Police Dep ), but they didn'tfind anything yet.I am looking for a vulnerability in my server but it is a hard thing to do.Maybe you, security masters, can help me with this. This is the server configuration. OS: Slackware 8.1 kernel 2.4.20DNS Server: bind 9.2.2 # I am focusing my attention here, looking for bugs.Web Server: apache 1.3.27 + php-4.3.1 + SquirrelMail 1.4.0 Courier-Imap 1.7.1 Qmail 1.03 Proftpd 1.2.8 # no root or anonymous connections Here it goes a scanner showing my open ports. Port State Service 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 53/tcp open domain 80/tcp open http 110/tcp open pop-3 113/tcp open auth 143/tcp open imap2 In this server we do not allow telnet/rsh or any shell connection. Since I am a newbie, I would appreciate some advices and tips. Thanks a lot and sorry about my poor English-- Blade Runner - Squirrel MailLinux Powered LICQ 40959703----------------------------------------------------------------------- ----- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, theworld's premier event for IT and network security experts. The two-dayTraining features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today toensure your place. http://www.securityfocus.com/BlackHat-incidents----------------------------------------------------------------------- -----
----------------------------------------------------------------------------Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- DNS Injection Problem Blade Runner (May 05)
- Re: DNS Injection Problem Danny (May 05)
- Re: DNS Injection Problem Glenn Forbes Fleming Larratt (May 06)
- Re: DNS Injection Problem Blade Runner (May 06)
- Re: DNS Injection Problem David Conrad (May 05)
- OT:Healthcare incidents? Paul Farley (May 06)
- RE: Healthcare incidents? Paul Farley (May 06)
- OT:Healthcare incidents? Paul Farley (May 06)
- Re: DNS Injection Problem Benjamin A. Okopnik (May 06)
- Re: DNS Injection Problem Chip Mefford (May 06)
- Re: DNS Injection Problem Þórhallur Hálfdánarson (May 06)
- Message not available
- Re: DNS Injection Problem Blade Runner (May 06)
- Re: DNS Injection Problem Danny (May 05)
- Re: DNS Injection Problem Stephen P. Berry (May 07)