Security Incidents mailing list archives

FW: Hack - DNS cache poisoning resurfacing on MS DNS?


From: "Vidovic,Zvonimir,VEVEY,GL-IS/CIS" <Zvonimir.Vidovic () nestle com>
Date: Thu, 17 Jan 2002 15:32:10 +0100

hi there,

We obviously got some cache poisoning recently.
FYI: we are using MS DNS.
Anyone got the same problems???

I've seen nothing on our IDS...

PS: I CCed dnsmaster () ns3 domainname at just to check if he's aware of
this...

here's the stuff:
It definitely looks like the old DNS cache poisoning trick:


HERE:

C:\WINDOWS>ping www.vmyths.com

Pinging www.vmyths.com [212.69.172.16] with 32 bytes of data:

Reply from 212.69.172.16: bytes=32 time=97ms TTL=241
Reply from 212.69.172.16: bytes=32 time=43ms TTL=241
Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
Reply from 212.69.172.16: bytes=32 time=27ms TTL=241

Ping statistics for 212.69.172.16:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum =  97ms, Average =  48ms


THERE:

www.vmyths.com
Name:    vmyths.com
Address:  216.217.111.18
Aliases:  www.vmyths.com

let's see if this comes from some poisoning and so on...


if we look at the SOA records from a distant site, we get this:

set q=SOA
vmyths.com
vmyths.com
        origin = dns9.register.com
        mail addr = root.register.com
        serial = 2000011705
        refresh = 10800 (3H)
        retry   = 86400 (1D)
        expire  = 604800 (1W)
        minimum ttl = 3600 (1H)
vmyths.com      nameserver = dns9.register.com
vmyths.com      nameserver = dns10.register.com

whereas if we look at them from our point of view:

set q=SOA
vmyths.com
        vmyths.com
        origin = ns3.domainname.at
        mail address = dnsmaster.ns3.domainname.at
        serial = 1009665720
        refresh = 1800 (30M)
        retry   = 600 (10M)
        expire  = 1800 (30M)
        minimum ttl = 1800 (30M)
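The comparison the poster did by hand (SOA from a distant resolver versus SOA from the local MS DNS cache) can be scripted. The check below is an added example, not code from the original post: it parses the two nslookup "set q=SOA" outputs quoted above (transcribed here as constructed sample input), reports which SOA fields disagree, and flags the tell-tale sign of a poisoned cache that the post shows, namely a local SOA origin (ns3.domainname.at) that is not one of the zone's delegated nameservers (dns9/dns10.register.com). Function names and the output layout are my own choices.

```python
import re

# Constructed sample input: the "set q=SOA" nslookup output quoted in the post,
# first from a distant (reference) resolver, then from the local resolver.
DISTANT_VIEW = """\
vmyths.com
        origin = dns9.register.com
        mail addr = root.register.com
        serial = 2000011705
        refresh = 10800 (3H)
        retry   = 86400 (1D)
        expire  = 604800 (1W)
        minimum ttl = 3600 (1H)
vmyths.com      nameserver = dns9.register.com
vmyths.com      nameserver = dns10.register.com
"""

LOCAL_VIEW = """\
        vmyths.com
        origin = ns3.domainname.at
        mail address = dnsmaster.ns3.domainname.at
        serial = 1009665720
        refresh = 1800 (30M)
        retry   = 600 (10M)
        expire  = 1800 (30M)
        minimum ttl = 1800 (30M)
"""

# nslookup prints "mail addr" on some builds and "mail address" on others;
# numeric fields carry a human-readable hint such as "(3H)" that we drop.
SOA_FIELD = re.compile(
    r"^\s*(origin|mail addr(?:ess)?|serial|refresh|retry|expire|minimum ttl)\s*=\s*(\S+)",
    re.IGNORECASE,
)
NS_LINE = re.compile(r"^\S+\s+nameserver\s*=\s*(\S+)", re.IGNORECASE)


def parse_nslookup_soa(text):
    """Return (soa_fields, delegated_nameservers) from nslookup SOA output.

    Keys are normalised to lowercase ('mail address' becomes 'mail addr'),
    hostnames are lowercased with any trailing dot removed, and numeric
    fields (serial, timers) are returned as ints.
    """
    soa, nameservers = {}, set()
    for line in text.splitlines():
        m = SOA_FIELD.match(line)
        if m:
            key = m.group(1).lower()
            if key.startswith("mail"):
                key = "mail addr"
            value = m.group(2).rstrip(".").lower()
            soa[key] = int(value) if value.isdigit() else value
            continue
        m = NS_LINE.match(line)
        if m:
            nameservers.add(m.group(1).rstrip(".").lower())
    return soa, nameservers


def compare_views(reference_text, local_text):
    """Compare a reference resolver's SOA with the one our own resolver serves.

    differing_fields: SOA fields whose values disagree between the two views.
    foreign_origin:   True when the local SOA's origin is not among the zone's
                      delegated nameservers as seen by the reference resolver,
                      the pattern a poisoned cache produces.
    """
    ref_soa, ref_ns = parse_nslookup_soa(reference_text)
    loc_soa, _ = parse_nslookup_soa(local_text)
    differing = sorted(k for k in ref_soa if loc_soa.get(k) != ref_soa[k])
    foreign_origin = bool(ref_ns) and loc_soa.get("origin") not in ref_ns
    return {
        "differing_fields": differing,
        "foreign_origin": foreign_origin,
        "local_origin": loc_soa.get("origin"),
        "expected_nameservers": sorted(ref_ns),
    }


if __name__ == "__main__":
    result = compare_views(DISTANT_VIEW, LOCAL_VIEW)
    print("SOA fields that differ:", ", ".join(result["differing_fields"]))
    if result["foreign_origin"]:
        print("ALERT: local SOA origin %s is not a delegated nameserver (%s)"
              % (result["local_origin"], ", ".join(result["expected_nameservers"])))
```

Run against the two captures above it reports every SOA field as differing and raises the foreign-origin alert; fed the same view twice it stays quiet, which makes it usable as a periodic check of a caching resolver against a known-good external one.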



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com