Security Incidents: Re: DNS Injection Problem

[David Conrad <david.conrad () nominum com>]

Hi,

Unless the attacker has access to the wire DNS queries are going over,  
DNS cache poisoning is possible, albeit difficult to implement,  
particularly with BIND 9.2.2.
If the attacker does have access to the wire (e.g., via a compromised  
host where they can run tcpdump or equivalent), DNS cache poisoning or  
cache impersonation becomes trivial (see  
http://freshmeat.net/projects/dnshijacker/).  If this is a possibility,  
might try moving your name server to a dedicated box on a dedicated  
switch port (if that is an option).
Rgds,
-drc

On Monday, May 5, 2003, at 10:11  AM, Blade Runner wrote:

> Hi list, I am facing a serious problem here. My client works as an ISP  
> and
> somebody is injecting  parameters in their DNS tables/files. Eventually
> dial-up costumers are accessing faked home pages ( usually banks ).  
> These
> attacks were reported to the FPD ( Federal Police Dep ), but they  
> didn't
> find anything yet.
>
> I am looking for a vulnerability in my server but it is a hard thing  
> to do.
> Maybe you, security masters, can help me with this.
>
> This is the server configuration.
>
> OS: Slackware 8.1  kernel 2.4.20
>
> DNS Server: bind 9.2.2  # I am focusing my attention here, looking for  
> bugs.
> Web Server: apache 1.3.27 + php-4.3.1 + SquirrelMail 1.4.0
>
> Courier-Imap 1.7.1
>
> Qmail 1.03
>
> Proftpd 1.2.8 # no root or anonymous connections
>
> Here it goes a scanner showing my open ports.
>
> Port       State       Service
> 21/tcp     open        ftp
> 23/tcp     open        telnet
> 25/tcp     open        smtp
> 53/tcp     open        domain
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 113/tcp    open        auth
> 143/tcp    open        imap2
>
>
>
> In this server we do not allow telnet/rsh or any shell connection.
>
> Since I am a newbie, I would appreciate some advices and tips.
>
>
>
> Thanks a lot and sorry about my poor English
>
>
>
> --  
> Blade Runner - Squirrel Mail
> Linux Powered
> LICQ 40959703
>
>
>
> ----------------------------------------------------------------------- 
> -----
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,  
> the
> world's premier event for IT and network security experts.  The two-day
> Training features 6 hand-on courses on May 12-13 taught by  
> professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no  
> vendor
> sales pitches.  Deadline for the best rates is April 25.  Register  
> today to
> ensure your place. http://www.securityfocus.com/BlackHat-incidents
> ----------------------------------------------------------------------- 
> -----

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------