bind 9 goes rogue and revert zone information

Reindl Harald h.reindl at thelounge.net
Tue Feb 7 22:37:43 UTC 2017



On 07.02.2017 at 23:31, Alberto Colosi wrote:
> lucky you say
>
> zombie host and hijacked resources poisoned DNS are not a hack
>
> In years as Security Desk Seat I had at least one attack from zombie
> hosts from a US University. Admins even not known was hacked.
>
> Target of hackers is not only credit cards or other so valuable things.
> Even only a zombie host is a valuable item for them.

yeah, but why should they be so dumb and set your dns zone to the values
24 hours before so that you notice the issue and much better question:
from where do they have the exact data of your own zone 24 hours before?

try "chattr +i" on your zonefile so that it can't be touched and with 
some luck the stuff trying to replace it will error out in cronmails or 
syslog

> ------------------------------------------------------------------------
> *From:* bind-users <bind-users-bounces at lists.isc.org> on behalf of Alan
> Clegg <alan at clegg.com>
> *Sent:* Tuesday, February 7, 2017 10:48 PM
> *To:* bind-users at lists.isc.org
> *Subject:* Re: bind 9 goes rogue and revert zone information
>
> On 2/7/17 8:42 AM, Alberto Colosi wrote:
>> IP ports not open does not mean is not hacked.
>>
>> a vulnerability can be used to make a change or an access
>
> Occam's razor... if you were a hacker and broke into someone's DNS
> server, would the thing that you focus on be resetting the data every 24
> hours?
>
> This isn't a hack, this is a screwed up backup/restore or virtualization
> configuration.
>
> Don't waste time chasing ghosts
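
Added example, not part of the original message: a check to run from cron alongside the `chattr +i` suggestion above. It records a hash of every version of the zone file and reports when the current content matches an older snapshot, which is what a stray backup/restore job would produce. The function names and the state-file format are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: detect a zone file being reverted to an earlier copy.
# The zone file and state file paths are supplied by the caller (hypothetical).

# Print the SHA-256 of a file (hash only, no filename).
zone_hash() {
    sha256sum "$1" | awk '{print $1}'
}

# check_zone ZONEFILE STATEFILE
# STATEFILE holds one "epoch hash" line per content change, oldest first.
# Prints one word and returns:
#   unchanged (0)  content equals the most recent snapshot
#   new       (0)  content never seen before; appended to the history
#   reverted  (2)  content equals an OLDER snapshot, i.e. something
#                  restored a previous copy of the file
check_zone() {
    local zone state cur now last seen
    zone=$1
    state=$2
    cur=$(zone_hash "$zone") || return 1
    now=$(date +%s)
    touch "$state"
    last=$(tail -n 1 "$state" | awk '{print $2}')
    if [ "$cur" = "$last" ]; then
        echo unchanged
        return 0
    fi
    # Epoch of the first time this exact content was recorded, if ever.
    seen=$(awk -v h="$cur" '$2 == h {print $1; exit}' "$state")
    echo "$now $cur" >> "$state"
    if [ -n "$seen" ]; then
        # Under cron, this stderr line ends up in the cron mail.
        echo "zone $zone reverted to content first seen at epoch $seen" >&2
        echo reverted
        return 2
    fi
    echo new
    return 0
}

# Stand-alone use: script.sh ZONEFILE STATEFILE
if [ "$#" -eq 2 ]; then
    check_zone "$1" "$2"
fi
```

Run it every few minutes; the timestamp of the first `reverted` result narrows down which scheduled job or snapshot restore to look at.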

