Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

[Graeme Fowler <G.E.Fowler () lboro ac uk>]

On Mon, 2008-01-28 at 11:59 -0500, Jeff Plewes wrote:
> Update,
>
> The problem box:
> - centos 5 base, updated via yum from default repository.
> - httpd 2.2.3-11.el5_1.centos.3 (2.2.8 backport?)
> - php 5.2.5 compiled from source
> - courier-authlib 0.60.2 compiled from source
> - courier-imap-4.3.0 compiled from source
> - exim 4.69 compiled from source
> - proftpd 1.3.1 compiled from source
>
> I have no control panel of any sort installed.

Do you exert *any* control over your customers' content?

> The box was running RH9.. had the issue.. formatted and replaced with
> fresh install of centos 5... copied over customer vhosts..

I guess not :)

> Gets hit again within days.

Highly likely. The commonality between the systems is your customers,
who I would either finger directly as the culprits or their sites.
Anyone running an outdated "Nuke" of any type, for example? Menalto
Gallery? Real old Actinic shopping carts, anything like that?

> I have many other hosts in the datacenter with various configurations
> but all would have had the same apache, php, ssh, ssl versions as this
> box before at RH9. None of them have been hit.. none of them however,
> contain exim, courier, or proftpd

I would personally be *extremely* surprised to find any of these three
being the entry point, especially given the versions you mention.

My finger points at PHP, indirectly, through a hole in an application
giving a remote attacker local user privs. Once they're in your system,
all bets are off - even if they're not root yet, they could be sometime
soon.

Graeme