bind 9 goes rogue and revert zone information

Alberto Colosi alcol at hotmail.com
Tue Feb 7 22:52:16 UTC 2017


The truth is to solve it, not to ask what a hacker (maybe a child who ran a tool found on the internet, such as virus toolkits).

To quote me is not a solution to the issue.

Good your last line only on your last mail.

----- Reply message -----
From: "Reindl Harald" <h.reindl at thelounge.net>
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: bind 9 goes rogue and revert zone information
Date: Tue, Feb 7, 2017 23:38



On 07.02.2017 at 23:31, Alberto Colosi wrote:
> lucky you say
>
> zombie host and hijacked resources poisoned DNS are not a hack
>
> In years as Security Desk Seat I had at least one attack from zombie
> hosts from a US University. Admins did not even know they were hacked.
>
> Target of hackers is not only credit cards or other so valuable things.
> Even only a zombie host is a valuable item for them.

yeah, but why should they be so dumb and set your dns zone to the values
24 hours before so that you notice the issue and much better question:
from where do they have the exact data of your own zone 24 hours before?

try "chattr +i" on your zonefile so that it can't be touched and with
some luck the stuff trying to replace it will error out in cronmails or
syslog

> ------------------------------------------------------------------------
> *From:* bind-users <bind-users-bounces at lists.isc.org> on behalf of Alan
> Clegg <alan at clegg.com>
> *Sent:* Tuesday, February 7, 2017 10:48 PM
> *To:* bind-users at lists.isc.org
> *Subject:* Re: bind 9 goes rogue and revert zone information
>
> On 2/7/17 8:42 AM, Alberto Colosi wrote:
>> IP ports not open does not mean it is not hacked.
>>
>> a vulnerability can be used to make a change or an access
>
> Occam's razor... if you were a hacker and broke into someone's DNS
> server, would the thing that you focus on be resetting the data every 24
> hours?
>
> This isn't a hack, this is a screwed up backup/restore or virtualization
> configuration.
>
> Don't waste time chasing ghosts
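
One way to notice the 24-hour rollback discussed in this thread, as an added example that is not from any of the posters: a shell check that records a zone file's SOA serial and SHA-256 and reports when the serial goes backwards. The function names, the state-file format and the cron usage path are assumptions of this example, and it compares serials as plain integers (no RFC 1982 wraparound).

```shell
#!/bin/sh
# Added example: detect a zone file being replaced by an older copy.
# Assumes a master-file-format zone containing one SOA record.
# Hypothetical cron usage: check_zone /path/to/zonefile /path/to/statefile
# (anything written to stderr then lands in the cron mail).

# Print the SOA serial: strip comments, join lines, drop parentheses,
# then take the third token after "SOA" (mname, rname, serial).
zone_serial() {
    sed 's/;.*//' "$1" | tr '()\n\t' '    ' | awk '{
        for (i = 1; i <= NF; i++)
            if (toupper($i) == "SOA") { print $(i + 3); exit }
    }'
}

# Compare the zone in $1 with the last state recorded in $2.
# Returns 0 = first run, unchanged or serial advanced,
#         1 = serial went backwards (rollback),
#         2 = content changed without a serial bump,
#         3 = no numeric SOA serial found.
check_zone() {
    zone=$1 state=$2
    serial=$(zone_serial "$zone")
    case $serial in
        ''|*[!0-9]*) echo "no SOA serial in $zone" >&2; return 3 ;;
    esac
    hash=$(sha256sum "$zone" | cut -d' ' -f1)
    rc=0
    if [ -f "$state" ]; then
        read -r old_serial old_hash < "$state"
        if [ "$serial" -lt "$old_serial" ]; then
            echo "ROLLBACK $zone: serial $old_serial -> $serial" >&2
            return 1    # keep the newer baseline so the alert repeats
        elif [ "$serial" -eq "$old_serial" ] && [ "$hash" != "$old_hash" ]; then
            echo "CHANGED $zone: content differs, serial still $serial" >&2
            rc=2
        fi
    fi
    echo "$serial $hash" > "$state"
    return $rc
}
```

Run at an interval shorter than the rollback period, this records when the file changed, which narrows down which scheduled job or restore touched it.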