Re: DNS Injection Problem

[Chip Mefford <cmefford () avwashington com>]

Blade Runner wrote:

> Hi list, I am facing a serious problem here. My client works as an ISP and
> somebody is injecting  parameters in their DNS tables/files. 

This isn't very fun.

> DNS Server: bind 9.2.2  # I am focusing my attention here, looking for 
> bugs.

bind 9.2.2 is really pretty tight.

Have you paid careful attention to the
"allow-update" and "allow-transfer" parameters.

Also, Some folks integrate Windows Active Directory
with bind 9. I don't know anything about that, but
it sounds really scary.

> Here it goes a scanner showing my open ports.
>
> Port       State       Service
> 21/tcp     open        ftp
> 23/tcp     open        telnet

You are running telnet. Lose it unless
there is a REAL good reason for running it.

> 25/tcp     open        smtp
> 53/tcp     open        domain
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 113/tcp    open        auth
> 143/tcp    open        imap2
>
>
>
> In this server we do not allow telnet/rsh or any shell connection.

Yes you do.

> Thanks a lot and sorry about my poor English

Your english is just fine. Don't worry about it.


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------