Security Incidents mailing list archives
Re: DNS Injection Problem
From: "Benjamin A. Okopnik" <ben () callahans org>
Date: Mon, 5 May 2003 21:07:26 -0400
On Mon, May 05, 2003 at 02:11:06PM -0300, Blade Runner wrote:
Hi list, I am facing a serious problem here. My client works as an ISP and somebody is injecting parameters in their DNS tables/files. Eventually dial-up costumers are accessing faked home pages ( usually banks ). These attacks were reported to the FPD ( Federal Police Dep ), but they didn't find anything yet. I am looking for a vulnerability in my server but it is a hard thing to do. Maybe you, security masters, can help me with this. This is the server configuration. OS: Slackware 8.1 kernel 2.4.20 DNS Server: bind 9.2.2 # I am focusing my attention here, looking for bugs.
I would actually treat this as a lower priority. The old versions of BIND were pretty ratty; 9 has been fairly solid.
Web Server: apache 1.3.27 + php-4.3.1 + SquirrelMail 1.4.0 Courier-Imap 1.7.1 Qmail 1.03 Proftpd 1.2.8 # no root or anonymous connections Here it goes a scanner showing my open ports. Port State Service 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 53/tcp open domain 80/tcp open http 110/tcp open pop-3 113/tcp open auth 143/tcp open imap2
What it looks like is that your client is trying to run a number of services on a single machine, which in this scenario is, IMO, the wrong thing to do; the more services you run on a machine, the higher its probability of being cracked. I would split the services between several machines, run the Web server standalone and in a "chroot" jail that contains minimal tools. If nothing else, this will definitely help in isolating the problem. If the attacker is getting in via one of the other services, it'll all but eliminate it. Just as a side comment, a friend of mine runs several Web servers with no services other than HTTP and SSH showing and no firewall (she's a brave soul, and claims to be doing this as a test.) She's never been cracked, and it's been several years.
In this server we do not allow telnet/rsh or any shell connection.
That's not what your port scan says. Why do you have a telnet daemon running if you don't allow the service? To me, one of the very first steps in securing a Linux box is turning off all the services and enabling only the ones I must (and that only when I'm approached with dental pliers.) Ben Okopnik -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The Computer industry is often very cruel to the English language. There are a lot of ugly phrases we use regularly. "Killer app." "User interface." "Monetize." "Steve Ballmer." -- Sean M. Dugan, in "Puget Sound Computer User" ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- DNS Injection Problem Blade Runner (May 05)
- Re: DNS Injection Problem Danny (May 05)
- Re: DNS Injection Problem Glenn Forbes Fleming Larratt (May 06)
- Re: DNS Injection Problem Blade Runner (May 06)
- Re: DNS Injection Problem David Conrad (May 05)
- OT:Healthcare incidents? Paul Farley (May 06)
- RE: Healthcare incidents? Paul Farley (May 06)
- OT:Healthcare incidents? Paul Farley (May 06)
- Re: DNS Injection Problem Benjamin A. Okopnik (May 06)
- Re: DNS Injection Problem Chip Mefford (May 06)
- Re: DNS Injection Problem Þórhallur Hálfdánarson (May 06)
- Message not available
- Re: DNS Injection Problem Blade Runner (May 06)
- Re: DNS Injection Problem Danny (May 05)
- Re: DNS Injection Problem Stephen P. Berry (May 07)