phishing site
Mark Andrews
Mark_Andrews at isc.org
Fri Feb 1 00:33:26 UTC 2008
> Kirk, thanks for the reply, that's the 1st thing I looked at and although I
> have dynamic updates set up for a test zone from a while back, this particular
> zone was not allowing dynamic updates.
Also named wouldn't write the entry as:
*.bancaroma IN A 67.62.31.111
named would have written it as:
$ORIGIN bancaroma.nhscb.com.
* A 67.62.31.111
> I'm just trying to figure out how this happened as I ran rkhunter/unhide and
> don't see anything out of the ordinary, md5 looks good for some of my bins I
> had signatures for. I also have ACLs on the border router as well as
> iptables allowing DNS ports only. I think whatever happened had to be
> related to bind.
Unless you do *all* your administration at the console you
have other paths into the machine. Examine those paths.
> P.S. I searched all my zones and it looks like two zones got changed with the
> same wildcard RRs
>
> P
>
> P.A > -----Original Message-----
> P.A > From: Kirk [mailto:bind at kirkb.net]
> P.A > Sent: Thursday, January 31, 2008 6:10 PM
> P.A > To: Paul A
> P.A > Cc: bind-users at isc.org
> P.A > Subject: Re: phishing site
> P.A >
> P.A > Paul A wrote:
> P.A > > Hi, it looks like my name server, BIND 9.3.2-P1, was used to set up a
> P.A > > phishing DNS zone, although the zone might have been set up for a while.
> P.A > > Zone: nhscb.com
> P.A > >
> P.A > > It looks like someone entered some wildcard records
> P.A > >
> P.A > > localhost IN A 127.0.0.1
> P.A > > *.bancaroma IN A 67.62.31.111
> P.A > > *.it IN A 67.62.31.111
> P.A > >
> P.A > > My question is, is this a case of DNS poisoning, can someone explain how it
> P.A > > happened and what I can do to prevent it.
> P.A > >
> P.A > > Thanks,
> P.A > >
> P.A > > paul
> P.A >
> P.A > Paul,
> P.A >
> P.A > Do you have allow-update enabled for this zone?
> P.A >
> P.A > regards,
> P.A > Kirk
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
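
Added example (not part of the original message and not ISC or BIND code): a short Python audit that lists wildcard owner names in a zone file and marks whether each one is in the bare `*`-under-`$ORIGIN` form that the message above says named would have written. The function name, the style labels and the sample zone text are constructed for illustration, and only single-line records are handled.

```python
# Added example: audit a zone file for wildcard records (single-line RRs only).
# Constructed sample: the records quoted in the thread plus a named-style entry.
SAMPLE_ZONE = """\
$ORIGIN nhscb.com.
localhost IN A 127.0.0.1
*.bancaroma IN A 67.62.31.111
*.it IN A 67.62.31.111
$ORIGIN bancaroma.nhscb.com.
* A 67.62.31.111
"""

CLASSES = {"IN", "CH", "HS"}


def find_wildcards(zone_text, origin):
    """Return (line_no, fqdn, rrtype, rdata, style) for each wildcard owner.

    style is 'named-style' for a bare '*' under $ORIGIN and 'not-named-style'
    for anything else (e.g. '*.bancaroma'); the labels are hypothetical.
    """
    hits = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line or line[0].isspace():
            continue  # blank, or a record inheriting the previous owner
        fields = line.split()
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1]
            continue
        owner = fields[0]
        if not owner.startswith("*"):
            continue
        i = 1  # skip optional TTL and class before the RR type
        while i < len(fields) and (fields[i].upper() in CLASSES or fields[i][0].isdigit()):
            i += 1
        if i >= len(fields):
            continue
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        style = "named-style" if owner == "*" else "not-named-style"
        hits.append((line_no, fqdn.lower(), fields[i].upper(), " ".join(fields[i + 1:]), style))
    return hits


if __name__ == "__main__":
    for hit in find_wildcards(SAMPLE_ZONE, "nhscb.com."):
        print(*hit, sep="\t")
```

A wildcard flagged `not-named-style` in a zone that named itself maintains points toward the file having been edited outside named, which is the distinction the message draws.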