phishing site

Mark Andrews Mark_Andrews at isc.org
Fri Feb 1 00:33:26 UTC 2008


> Kirk, thanks for the reply, that's the 1st thing I looked at and although I
> have dynamic updates setup for a test zone from while back, this particular
> zone was not allowing dynamic updates.

	Also named wouldn't write the entry as:

		*.bancaroma     IN A    67.62.31.111

	named would have written it as:

		$ORIGIN bancaroma.nhscb.com.
		*		A	67.62.31.111
 
> I'm just trying to figure out how this happened as I ran rkhunter/unhide and
> don't see anything out of the ordinary, md5 looks good for some of my bins I
> had signatures for. I also have ACLS on the border router as well as
> iptables allowing dns ports only. I think whatever happened had to be
> related to bind. 

	Unless you do *all* your administration at the console you
	have other paths into the machine.  Examine those paths.
 
> p.s I searched all my zones and it looks like two zones got changed with the
> same wildcard RR's
> 
> P
> 
> P.A > -----Original Message-----
> P.A > From: Kirk [mailto:bind at kirkb.net]
> P.A > Sent: Thursday, January 31, 2008 6:10 PM
> P.A > To: Paul A
> P.A > Cc: bind-users at isc.org
> P.A > Subject: Re: phishing site
> P.A > 
> P.A > Paul A wrote:
> P.A > > Hi it looks like my name server, BIND 9.3.2-P1 was used to setup and
> P.A > > phishing DNS zone, although the zone might have been setup forwhile.
> P.A > > Zone: nhscb.com
> P.A > >
> P.A > > It looks like someone entered some wildcard records
> P.A > >
> P.A > > localhost       IN A    127.0.0.1
> P.A > > *.bancaroma     IN A    67.62.31.111
> P.A > > *.it            IN A    67.62.31.111
> P.A > >
> P.A > > My question is, is this a case of dns poising, can someone explain
> P.A > how It
> P.A > > happened and what I can do to prevent it.
> P.A > >
> P.A > > Thanks,
> P.A > >
> P.A > > paul
> P.A > 
> P.A > Paul,
> P.A > 
> P.A > Do you have allow-update enabled for this zone?
> P.A > 
> P.A > regards,
> P.A > Kirk
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
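Mark's point about zone-file form (a hand-edited `*.bancaroma IN A ...` line versus the `$ORIGIN bancaroma.nhscb.com.` plus bare `*` form that named writes) and Paul's follow-up of searching every zone for the same wildcard RRs both come down to the same check: qualify every owner name to a FQDN and then look for wildcards and for addresses outside the ranges you actually host. The following is an added example, not code from ISC or from anyone in the thread. The zone text is constructed around the records quoted above; the `ns1`/`www` hosts and the 192.0.2.x addresses are placeholders, and the parser assumes no quoted `;` appears in RDATA.

```python
"""Flag wildcard records and off-net A/AAAA records in BIND-style zone text.

Added example for the bind-users thread (not ISC code). It tracks $ORIGIN,
parenthesised multi-line RDATA and omitted-owner inheritance, so that the
hand-edited `*.bancaroma IN A ...` line and named's dump form
(`$ORIGIN bancaroma.nhscb.com.` / `*  A  ...`) both resolve to the same FQDN.
"""
import ipaddress

# Constructed sample zone: the records quoted in the thread plus placeholder
# infrastructure records (ns1/www and 192.0.2.x are not from the thread).
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN nhscb.com.
@               IN SOA  ns1.nhscb.com. hostmaster.nhscb.com. (
                        2008013101 ; serial
                        3600 900 604800 86400 )
                IN NS   ns1.nhscb.com.
ns1             IN A    192.0.2.53       ; placeholder
www             IN A    192.0.2.80       ; placeholder
localhost       IN A    127.0.0.1
*.bancaroma     IN A    67.62.31.111
*.it            IN A    67.62.31.111
$ORIGIN bancaroma.nhscb.com.
*               A       67.62.31.111
"""

CLASSES = {"IN", "CH", "HS"}


def _strip_comment(line):
    """Drop a ';' comment (assumes no quoted ';' inside RDATA)."""
    return line.split(";", 1)[0].rstrip()


def qualify(name, origin):
    """Turn a zone-file owner name into an absolute FQDN under `origin`."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text, origin="."):
    """Return a list of (owner_fqdn, rtype, rdata) tuples from zone text."""
    records = []
    last_owner = None
    pending = []            # physical lines making up one logical record
    depth = 0               # open-parenthesis depth for multi-line RDATA
    owner_omitted = False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if not pending:
            # Leading whitespace means "same owner as the previous record".
            owner_omitted = line[0].isspace()
        pending.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        tokens = " ".join(pending).replace("(", " ").replace(")", " ").split()
        pending = []
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = qualify(tokens[1], origin)
            continue        # $TTL, $INCLUDE etc. are not needed for this check
        owner = last_owner if owner_omitted else qualify(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].isdigit():      # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, " ".join(tokens)))
    return records


def find_wildcards(records):
    """Records whose leftmost label is '*' (the thread's *.bancaroma / *.it)."""
    return [r for r in records if r[0].startswith("*.")]


def off_net_addresses(records, allowed_nets):
    """A/AAAA records pointing outside the address ranges you expect to host."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [
        (owner, rtype, rdata)
        for owner, rtype, rdata in records
        if rtype in ("A", "AAAA")
        and not any(ipaddress.ip_address(rdata) in n for n in nets)
    ]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for r in find_wildcards(recs):
        print("wildcard:", *r)
    for r in off_net_addresses(recs, ["192.0.2.0/24", "127.0.0.0/8"]):
        print("off-net: ", *r)
```

Run it over each zone file and journal-dumped zone on the server (the `allowed_nets` list is the ranges you legitimately host); both the hand-edited line and named's `$ORIGIN` form are reported under the same `*.bancaroma.nhscb.com.` owner, which is what lets you compare zones that were written by different hands.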