phishing site
Chris Buxton
cbuxton at menandmice.com
Thu Jan 31 22:18:44 UTC 2008
Was there a zone defined in your named.conf named nhscb.com, or was
this cached data? The presence of wildcard records suggests that it's
an authoritative zone, in which case it's not a case of cache poisoning.

If your server has an authoritative zone that should not be there, one
of two things happened: Either you or a trusted member of your staff
put it there and then forgot to document it (or forgot about it, or
whatever), or someone broke into your server by some non-DNS-protocol
means and edited your file. There's no DNS attack that would result in
this, other than a shell-access exploit (which I don't think has been
seen in quite a while in BIND, but I could be wrong).
Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354 412 1500
Email: cbuxton at menandmice.com
www.menandmice.com
On Jan 31, 2008, at 1:35 PM, Paul A wrote:
> Hi, it looks like my name server, BIND 9.3.2-P1, was used to set up a
> phishing DNS zone, although the zone might have been set up for a while.
> Zone: nhscb.com
>
> It looks like someone entered some wildcard records
>
> localhost IN A 127.0.0.1
> *.bancaroma IN A 67.62.31.111
> *.it IN A 67.62.31.111
>
> My question is: is this a case of DNS poisoning? Can someone explain
> how it happened and what I can do to prevent it?
>
> Thanks,
>
> paul
>
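
The reply above separates cached data from an authoritative zone that someone added to the server. One way to check for the second case, as an added example that is not part of the original thread: list the zones named.conf serves authoritatively, compare them with a documented inventory, and flag wildcard owner names in zone data. The named.conf text, file names and the `example.com` inventory entry are constructed assumptions; the record lines are the ones quoted in the thread.

```python
import re

# Constructed named.conf text for illustration (not the poster's real config).
NAMED_CONF = '''
options { directory "/var/named"; };
zone "example.com" IN { type master; file "example.com.db"; };
zone "nhscb.com" IN { type master; file "nhscb.com.db"; };
zone "." IN { type hint; file "named.ca"; };
'''
# Record lines as quoted in the thread, treated here as zone-file text.
ZONE_TEXT = '''
localhost IN A 127.0.0.1
*.bancaroma IN A 67.62.31.111
*.it IN A 67.62.31.111
'''
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{([^}]*)\}', re.I)
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;', re.I)
AUTH_TYPES = {"master", "slave", "primary", "secondary"}  # newer BIND names too

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out zones are ignored."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def authoritative_zones(conf_text):
    """Map zone name -> type for authoritative zones ('type' before any nested braces)."""
    zones = {}
    for name, body in ZONE_RE.findall(strip_comments(conf_text)):
        m = TYPE_RE.search(body)
        if m and m.group(1).lower() in AUTH_TYPES:
            zones[name.lower().rstrip(".")] = m.group(1).lower()
    return zones

def unexpected_zones(conf_text, expected):
    """Zones served authoritatively that are missing from the documented inventory."""
    known = {z.lower().rstrip(".") for z in expected}
    return sorted(set(authoritative_zones(conf_text)) - known)

def wildcard_owners(zone_text):
    """Owner names in zone-file text whose leftmost label is '*'."""
    owners = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]  # strip zone-file comments
        if line[:1].isspace() or not line.strip():
            continue  # blank line, or a record inheriting the previous owner
        owner = line.split()[0]
        if owner == "*" or owner.startswith("*."):
            owners.append(owner)
    return owners
```

Run against the real named.conf and zone files on a schedule, any name returned by `unexpected_zones` is a zone that someone put on the server outside the documented process.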
More information about the bind-users mailing list