phishing site

Paul A razor at meganet.net
Fri Feb 1 00:17:38 UTC 2008


Kirk, thanks for the reply, that's the first thing I looked at, and although I
have dynamic updates set up for a test zone from a while back, this particular
zone was not allowing dynamic updates.

I'm just trying to figure out how this happened, as I ran rkhunter/unhide and
don't see anything out of the ordinary, and the md5 looks good for some of my bins I
had signatures for. I also have ACLs on the border router as well as
iptables allowing DNS ports only. I think whatever happened had to be
related to bind.

P.S. I searched all my zones and it looks like two zones got changed with the
same wildcard RRs.

P

P.A > -----Original Message-----
P.A > From: Kirk [mailto:bind at kirkb.net]
P.A > Sent: Thursday, January 31, 2008 6:10 PM
P.A > To: Paul A
P.A > Cc: bind-users at isc.org
P.A > Subject: Re: phishing site
P.A > 
P.A > Paul A wrote:
P.A > > Hi, it looks like my name server, BIND 9.3.2-P1, was used to set up a
P.A > > phishing DNS zone, although the zone might have been set up for a while.
P.A > > Zone: nhscb.com
P.A > >
P.A > > It looks like someone entered some wildcard records
P.A > >
P.A > > localhost       IN A    127.0.0.1
P.A > > *.bancaroma     IN A    67.62.31.111
P.A > > *.it            IN A    67.62.31.111
P.A > >
P.A > > My question is, is this a case of DNS poisoning? Can someone explain how it
P.A > > happened and what I can do to prevent it.
P.A > >
P.A > > Thanks,
P.A > >
P.A > > paul
P.A > 
P.A > Paul,
P.A > 
P.A > Do you have allow-update enabled for this zone?
P.A > 
P.A > regards,
P.A > Kirk
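As an added example (not part of the thread or of BIND itself), a small Python check that parses a zone file and flags wildcard owner names and address records pointing outside the operator's own networks, the kind of scan that would have caught the injected `*.bancaroma` / `*.it` records across all zones. The zone text and the expected network are constructed for illustration, modelled on the records Paul quoted.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample zone, modelled on the records quoted in the thread.
SAMPLE_ZONE = """\
$ORIGIN nhscb.com.
$TTL 3600
@             IN SOA  ns1.nhscb.com. hostmaster.nhscb.com. ( 2008013101 3600 900 604800 86400 )
@             IN NS   ns1.nhscb.com.
ns1           IN A    203.0.113.10   ; operator's own host (constructed)
www           IN A    203.0.113.10
localhost     IN A    127.0.0.1
*.bancaroma   IN A    67.62.31.111
*.it          IN A    67.62.31.111
"""

# Networks the zone owner actually operates (assumed value for the example).
EXPECTED_NETWORKS = ["203.0.113.0/24"]

# owner [ttl] [IN] type rdata -- only the record types we care about here
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME)\s+(\S+)", re.IGNORECASE)

def parse_records(zone_text):
    """Yield (fqdn_owner, type, rdata) for A/AAAA/CNAME records; directives, SOA and NS are skipped."""
    origin = "."
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                  # other directives ($TTL, $INCLUDE, ...)
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        owner = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        yield owner, rtype.upper(), rdata

def suspicious_records(zone_text, expected_networks=EXPECTED_NETWORKS):
    """Return records that are wildcards or point to addresses outside expected_networks."""
    nets = [ip_network(n) for n in expected_networks]
    findings = []
    for owner, rtype, rdata in parse_records(zone_text):
        wildcard = owner.startswith("*")
        outside = False
        if rtype in ("A", "AAAA"):
            addr = ip_address(rdata)
            outside = not addr.is_loopback and not any(addr in n for n in nets)
        if wildcard or outside:
            findings.append((owner, rtype, rdata))
    return findings
```

Run it over every zone file named in `named.conf`; a wildcard that nobody remembers adding, or an A record off your own address space, is worth comparing against the zone's dynamic-update journal and the master file's mtime.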
