phishing site

Chris Buxton cbuxton at menandmice.com
Thu Jan 31 22:45:34 UTC 2008


This sounds like an argument for some kind of server change auditing.  
A DNS management system should offer decent auditing (Men & Mice Suite  
does), although that won't catch changes not made via the management  
system.

Does your filesystem record both mtime and ctime? If so, you could see  
when the zone file was created, as well as when it was last modified  
(though both values can be faked with root privileges). I'm assuming  
the file's user and group ownership are not helpful here.

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com

Men & Mice
We bring control and flexibility to network management

This e-mail and its attachments may contain confidential and  
privileged information only intended for the person or entity to which  
it is addressed. If the reader of this message is not the intended  
recipient, you are hereby notified that any retention, dissemination,  
distribution or copy of this e-mail is strictly prohibited. If you  
have received this e-mail in error, please notify us immediately by  
reply e-mail and immediately delete this message and all its attachment.



On Jan 31, 2008, at 2:30 PM, Paul A wrote:

> Chris,
>
> that zone was in our named.conf file for a while. I'm the only one with
> access to that server and the only thing opened from the outside is
> DNS to that server. The additional data was added on two of my zones.
> So far I can't find any sign of a compromise as this server pretty
> much only has bind running on it.
>
>
>
> P.A > -----Original Message-----
> P.A > From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> P.A > Behalf Of Chris Buxton
> P.A > Sent: Thursday, January 31, 2008 5:19 PM
> P.A > To: Paul A
> P.A > Cc: bind-users at isc.org
> P.A > Subject: Re: phishing site
> P.A >
> P.A > Was there a zone defined in your named.conf named nhscb.com, or was
> P.A > this cached data? The presence of wildcard records suggests that it's
> P.A > an authoritative zone, in which case it's not a case of cache
> P.A > poisoning.
> P.A >
> P.A > If your server has an authoritative zone that should not be there, one
> P.A > of two things happened: Either you or a trusted member of your staff
> P.A > put it there and then forgot to document it (or forgot about it, or
> P.A > whatever), or someone broke into your server by some non-DNS-protocol
> P.A > means and edited your file. There's no DNS attack that would result in
> P.A > this, other than a shell-access exploit (which I don't think has been
> P.A > seen in quite a while in BIND, but I could be wrong).
> P.A >
> P.A > On Jan 31, 2008, at 1:35 PM, Paul A wrote:
> P.A >
> P.A > > Hi, it looks like my name server, BIND 9.3.2-P1, was used to set up a
> P.A > > phishing DNS zone, although the zone might have been set up for a while.
> P.A > > Zone: nhscb.com
> P.A > >
> P.A > > It looks like someone entered some wildcard records
> P.A > >
> P.A > > localhost       IN A    127.0.0.1
> P.A > > *.bancaroma     IN A    67.62.31.111
> P.A > > *.it            IN A    67.62.31.111
> P.A > >
> P.A > > My question is, is this a case of DNS poisoning? Can someone explain
> P.A > > how it happened and what I can do to prevent it.
> P.A > >
> P.A > > Thanks,
> P.A > >
> P.A > > paul
> P.A > >
> P.A > >
> P.A > >
> P.A > >
>
>
>

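The check Chris suggests, as an added example for this thread (not code from the list, from Chris Buxton, or from Men & Mice): compare the primary zones declared in named.conf against an operator-maintained allow-list of expected zones, list any wildcard A/AAAA/CNAME records inside a zone that should not be there, and report the zone file's mtime and ctime. It assumes a BIND 9 style named.conf with `zone "name" { type master; file "path"; };` stanzas and plain-text zone files; the sample named.conf and zone file below are constructed for illustration, with wildcard records mirroring the ones posted above.

```python
"""Audit a BIND server for unexpected primary zones and wildcard records in them.

Added example for the bind-users thread; not code from the list or from
Men & Mice. Assumes a BIND 9 style named.conf and plain-text zone files.
The sample config, zone file and allow-list below are constructed."""
import os
import re
import tempfile
import time

# Constructed sample named.conf: one legitimate primary zone plus the rogue one.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; allow-transfer { none; }; };
zone "." { type hint; file "named.ca"; };
zone "example.net" { type master; file "example.net.zone"; };
zone "nhscb.com" { type master; file "nhscb.com.zone"; allow-update { none; }; };
"""

# Constructed zone file carrying the wildcard records described in the thread.
SAMPLE_ZONE = """$TTL 3600
@               IN SOA  ns1.nhscb.com. hostmaster.nhscb.com. ( 2008013101 3600 900 604800 3600 )
ns1             IN A    192.0.2.53
localhost       IN A    127.0.0.1
*.bancaroma     IN A    67.62.31.111
*.it            IN A    67.62.31.111
"""

ZONE_OPEN_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
TYPE_RE = re.compile(r'\btype\s+(\w+)')
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"')
# Owner name starting with '*', optional TTL and class, then an A/AAAA/CNAME target.
WILDCARD_RE = re.compile(
    r'^(\*(?:\.\S+)?)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME)\s+(\S+)', re.I | re.M)


def parse_zones(named_conf):
    """Map zone name -> {"type", "file"} for every zone stanza, honouring nested braces."""
    zones = {}
    for m in ZONE_OPEN_RE.finditer(named_conf):
        depth, i = 1, m.end()
        while i < len(named_conf) and depth:
            depth += {"{": 1, "}": -1}.get(named_conf[i], 0)
            i += 1
        body = named_conf[m.end():i - 1]
        ztype, zfile = TYPE_RE.search(body), FILE_RE.search(body)
        zones[m.group(1).lower().rstrip(".") or "."] = {
            "type": ztype.group(1).lower() if ztype else None,
            "file": zfile.group(1) if zfile else None,
        }
    return zones


def unexpected_zones(zones, expected):
    """Primary zones declared on the server but absent from the operator's inventory."""
    expected = {z.lower().rstrip(".") for z in expected}
    return sorted(name for name, z in zones.items()
                  if z["type"] in ("master", "primary") and name not in expected)


def wildcard_records(zone_text):
    """Return (owner, rtype, target) for every wildcard A/AAAA/CNAME record."""
    return [(o, t.upper(), tgt) for o, t, tgt in WILDCARD_RE.findall(zone_text)]


def file_times(path):
    """mtime and ctime of a zone file; root can forge both, so treat them as hints only."""
    st = os.stat(path)
    return {k: time.strftime("%Y-%m-%d %H:%M:%SZ", time.gmtime(v))
            for k, v in (("mtime", st.st_mtime), ("ctime", st.st_ctime))}


def audit(named_conf, expected, read_zone):
    """For each unexpected primary zone, list its wildcard records.
    read_zone maps a zone-file path to its text (injected so this runs offline)."""
    zones = parse_zones(named_conf)
    report = {}
    for name in unexpected_zones(zones, expected):
        path = zones[name]["file"]
        report[name] = {"file": path,
                        "wildcards": wildcard_records(read_zone(path)) if path else []}
    return report


def demo():
    """Write the constructed zone to a temp file and run the whole audit against it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "nhscb.com.zone")
        with open(path, "w") as f:
            f.write(SAMPLE_ZONE)
        conf = SAMPLE_NAMED_CONF.replace('"nhscb.com.zone"', '"%s"' % path)
        report = audit(conf, {"example.net"}, lambda p: open(p).read())
        for info in report.values():
            info["times"] = file_times(info["file"])
        return report


if __name__ == "__main__":
    for zone, info in demo().items():
        print("unexpected primary zone %s: %s (mtime %s, ctime %s)"
              % (zone, info["file"], info["times"]["mtime"], info["times"]["ctime"]))
        for owner, rtype, target in info["wildcards"]:
            print("  wildcard %-16s %-5s -> %s" % (owner, rtype, target))
```

Run against a real server, point `audit` at the contents of the live named.conf and a `read_zone` that opens files relative to the `directory` option, and keep the allow-list in version control so that a zone nobody added to it is the finding. As Chris notes, the timestamps only help if the intruder did not bother to reset them, so the audit trail of a management system (or a host-based file-integrity check) is the stronger evidence.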