phishing site

Paul A razor at meganet.net
Thu Jan 31 22:30:21 UTC 2008


Chris, 

that zone was in our named.conf file for a while. I'm the only one with
access to that server and the only thing opened from the outside is DNS to
that server. The additional data was added on two of my zones. So far I can't
find any sign of a compromise as this server pretty much only has BIND
running on it.



P.A > -----Original Message-----
P.A > From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
P.A > Behalf Of Chris Buxton
P.A > Sent: Thursday, January 31, 2008 5:19 PM
P.A > To: Paul A
P.A > Cc: bind-users at isc.org
P.A > Subject: Re: phishing site
P.A > 
P.A > Was there a zone defined in your named.conf named nhscb.com, or was
P.A > this cached data? The presence of wildcard records suggests that it's
P.A > an authoritative zone, in which case it's not a case of cache
P.A > poisoning.
P.A > 
P.A > If your server has an authoritative zone that should not be there, one
P.A > of two things happened: Either you or a trusted member of your staff
P.A > put it there and then forgot to document it (or forgot about it, or
P.A > whatever), or someone broke into your server by some non-DNS-protocol
P.A > means and edited your file. There's no DNS attack that would result in
P.A > this, other than a shell-access exploit (which I don't think has been
P.A > seen in quite a while in BIND, but I could be wrong).
P.A > 
P.A > Chris Buxton
P.A > Professional Services
P.A > Men & Mice
P.A > Address: Noatun 17, IS-105, Reykjavik, Iceland
P.A > Phone:   +354 412 1500
P.A > Email:   cbuxton at menandmice.com
P.A > www.menandmice.com
P.A > 
P.A > 
P.A > On Jan 31, 2008, at 1:35 PM, Paul A wrote:
P.A > 
P.A > > Hi, it looks like my name server, BIND 9.3.2-P1, was used to set up a
P.A > > phishing DNS zone, although the zone might have been set up for a while.
P.A > > Zone: nhscb.com
P.A > >
P.A > > It looks like someone entered some wildcard records
P.A > >
P.A > > localhost       IN A    127.0.0.1
P.A > > *.bancaroma     IN A    67.62.31.111
P.A > > *.it            IN A    67.62.31.111
P.A > >
P.A > > My question is, is this a case of DNS poisoning? Can someone explain
P.A > > how it happened and what I can do to prevent it.
P.A > >
P.A > > Thanks,
P.A > >
P.A > > paul
P.A > >
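As an added example, not from the thread and not part of BIND: a small Python audit that does the check Chris describes, listing the authoritative (master) zones declared in named.conf, flagging any that are not on an approved inventory, and reporting wildcard owner names in their zone files. The named.conf fragment, the zone file contents and the approved-zone list below are constructed sample inputs; the nhscb.com records are the ones quoted in the post.

```python
import re

# Constructed sample named.conf fragment (not taken from the poster's server).
NAMED_CONF = """
options { directory "/var/named"; };
zone "example.net" { type master; file "example.net.zone"; };
zone "nhscb.com" { type master; file "nhscb.com.zone"; };
"""

# Constructed zone file contents keyed by the file name used in named.conf.
ZONE_FILES = {
    "example.net.zone": "@ IN SOA ns1.example.net. hostmaster.example.net. 1 3600 600 86400 300\n"
                        "www IN A 192.0.2.10\n",
    "nhscb.com.zone": "localhost       IN A    127.0.0.1\n"
                      "*.bancaroma     IN A    67.62.31.111\n"
                      "*.it            IN A    67.62.31.111\n",
}

# The zones the operator knows they are supposed to be authoritative for.
APPROVED_ZONES = {"example.net"}

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{([^}]*)\}', re.S)
TYPE_RE = re.compile(r'type\s+(\w+)')
FILE_RE = re.compile(r'file\s+"([^"]+)"')

def authoritative_zones(conf):
    """Return {zone_name: zone_file} for every master/primary zone in a named.conf."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        ztype, zfile = TYPE_RE.search(body), FILE_RE.search(body)
        if ztype and ztype.group(1) in ("master", "primary") and zfile:
            zones[name.lower()] = zfile.group(1)
    return zones

def wildcard_records(zone_text):
    """Return (owner, rdata) for each record whose owner name starts with '*'."""
    hits = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenize
        if fields and fields[0].startswith("*"):
            hits.append((fields[0], " ".join(fields[1:])))
    return hits

def audit(conf, zone_files, approved):
    """Flag authoritative zones outside the inventory and any wildcard records."""
    findings = []
    for zone, path in authoritative_zones(conf).items():
        if zone not in approved:
            findings.append(f"unexpected authoritative zone: {zone} ({path})")
        for owner, rdata in wildcard_records(zone_files.get(path, "")):
            findings.append(f"wildcard record in {zone}: {owner} {rdata}")
    return findings
```

On a real server, read named.conf and each zone file from disk instead of the embedded strings and compare the result against a change-controlled inventory.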