phishing site

Chris Buxton cbuxton at menandmice.com
Thu Jan 31 22:18:44 UTC 2008


Was there a zone defined in your named.conf named nhscb.com, or was  
this cached data? The presence of wildcard records suggests that it's  
an authoritative zone, in which case it's not a case of cache poisoning.

If your server has an authoritative zone that should not be there, one  
of two things happened: Either you or a trusted member of your staff  
put it there and then forgot to document it (or forgot about it, or  
whatever), or someone broke into your server by some non-DNS-protocol  
means and edited your file. There's no DNS attack that would result in  
this, other than a shell-access exploit (which I don't think has been  
seen in quite a while in BIND, but I could be wrong).

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com

On Jan 31, 2008, at 1:35 PM, Paul A wrote:

> Hi, it looks like my name server, BIND 9.3.2-P1, was used to set up a
> phishing DNS zone, although the zone might have been set up for a while.
> Zone: nhscb.com
>
> It looks like someone entered some wildcard records
>
> localhost       IN A    127.0.0.1
> *.bancaroma     IN A    67.62.31.111
> *.it            IN A    67.62.31.111
>
> My question is, is this a case of DNS poisoning? Can someone explain
> how it happened and what I can do to prevent it?
>
> Thanks,
>
> paul
>
>
>
>
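
The check the reply asks for (is the zone declared in named.conf, and is it one you documented?) can be scripted. The following is an added example, not part of the original thread and not a BIND tool: it lists the zones a named.conf declares as authoritative, reports any that are missing from an inventory of documented zones, and flags wildcard owner names in a zone file. The inventory, the function names and the sample configuration are assumptions constructed for illustration; the three address records are the ones quoted in the post.

```python
import re

# Constructed sample named.conf (not the poster's real configuration).
NAMED_CONF = '''
options { directory "/var/named"; };
// zone "commented.example" { type master; file "x"; };
zone "example.org" IN { type master; file "example.org.db"; };
zone "nhscb.com" { type master; file "nhscb.com.db"; };
zone "." { type hint; file "named.ca"; };
'''
# Constructed zone file; the A records are those quoted in the post.
ZONE_FILE = '''
$TTL 3600
@   IN SOA ns1 hostmaster 1 3600 900 604800 3600
localhost       IN A    127.0.0.1
*.bancaroma     IN A    67.62.31.111
*.it            IN A    67.62.31.111
'''
AUTH_TYPES = {"master", "slave", "primary", "secondary"}
# Simplification: assumes "type" appears before any nested { } in the zone block.
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"(?:\s+\w+)?\s*\{[^{}]*?type\s+(\w+)\s*;',
                     re.I | re.S)

def strip_comments(text):
    """Remove /* */, // and # comments (does not handle these inside quotes)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def authoritative_zones(conf):
    """Names of zones the server is configured to answer for authoritatively."""
    zones = ZONE_RE.findall(strip_comments(conf))
    return {n.lower().rstrip('.') for n, t in zones if t.lower() in AUTH_TYPES}

def unexpected_zones(conf, inventory):
    """Authoritative zones present in the config but absent from the inventory."""
    return sorted(authoritative_zones(conf) - {z.lower() for z in inventory})

def wildcard_records(zone_text):
    """Zone-file lines whose owner name is '*' or starts with a '*' label."""
    hits = []
    for line in zone_text.splitlines():
        line = line.split(';', 1)[0].rstrip()      # drop zone-file comments
        if line and not line[0].isspace():         # line carries its own owner
            owner = line.split()[0]
            if owner == '*' or owner.startswith('*.'):
                hits.append(line)
    return hits
```

A zone reported by `unexpected_zones` is configuration on disk, which points at the file-edit scenario described in the reply rather than at cached data.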



More information about the bind-users mailing list