FW: Hack - DNS cache poisoning resurfacing on MS DNS?
From: Vidovic,Zvonimir,VEVEY,GL-IS/CIS (Zvonimir.Vidovic@nestle.com) Date: 01/17/02
- Previous message: GeekSpooky@aol.com: "Re: Trojans that use LDAP"
- Next in thread: David Ulevitch: "Re: FW: Hack - DNS cache poisoning resurfacing on MS DNS?"
- Reply: David Ulevitch: "Re: FW: Hack - DNS cache poisoning resurfacing on MS DNS?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Vidovic,Zvonimir,VEVEY,GL-IS/CIS" <Zvonimir.Vidovic@nestle.com> To: incidents@securityfocus.com Date: Thu, 17 Jan 2002 15:32:10 +0100
hi there,
We obviously got some cache poisoning recently.
FYI: we are using MS DNS.
Anyone got the same problems???
I've seen nothing on our IDS...
PS: I CCed dnsmaster@ns3.domainname.at just to check if he's aware of this...
here's the stuff:
It looks definitely like the old DNS cache poisoning trick:
> HERE:
>
> C:\WINDOWS>ping www.vmyths.com
>
> Pinging www.vmyths.com [212.69.172.16] with 32 bytes of data:
>
> Reply from 212.69.172.16: bytes=32 time=97ms TTL=241
> Reply from 212.69.172.16: bytes=32 time=43ms TTL=241
> Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
> Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
>
> Ping statistics for 212.69.172.16:
> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 27ms, Maximum = 97ms, Average = 48ms
>
>
> THERE:
>
> www.vmyths.com
> Name: vmyths.com
> Address: 216.217.111.18
> Aliases: www.vmyths.com
>
> let's see if this comes from some poisoning and so on...
>
>
> if we look the SOA records from a distant site, we get this:
>
> > set q=SOA
> > vmyths.com
> vmyths.com
> origin = dns9.register.com
> mail addr = root.register.com
> serial = 2000011705
> refresh = 10800 (3H)
> retry = 86400 (1D)
> expire = 604800 (1W)
> minimum ttl = 3600 (1H)
> vmyths.com nameserver = dns9.register.com
> vmyths.com nameserver = dns10.register.com
>
> whereas if we look at them from our point of view:
>
> > set q=SOA
> > vmyths.com
> vmyths.com
> origin = ns3.domainname.at
> mail address = dnsmaster.ns3.domainname.at
> serial = 1009665720
> refresh = 1800 (30M)
> retry = 600 (10M)
> expire = 1800 (30M)
> minimum ttl = 1800 (30M)
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
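The post's diagnosis rests on one comparison: the SOA of vmyths.com as returned by a distant resolver (register.com as origin) against the SOA the local MS DNS hands back (ns3.domainname.at as origin). As an added example, not part of the original message, the Python below parses nslookup-style SOA output like the two captures quoted above and reports every field that disagrees; a differing `origin` is the signal the post relies on, since the local cache is then answering for the zone from an authority the registrar never delegated to. The two sample inputs are transcribed from the post; the function names are my own.

```python
"""Compare the SOA for one zone as seen by two resolvers and flag divergence."""
import re

# nslookup SOA output transcribed from the post (constructed sample input).
DISTANT = """\
> vmyths.com
> origin = dns9.register.com
> mail addr = root.register.com
> serial = 2000011705
> refresh = 10800 (3H)
> retry = 86400 (1D)
> expire = 604800 (1W)
> minimum ttl = 3600 (1H)
"""

LOCAL = """\
vmyths.com
origin = ns3.domainname.at
mail address = dnsmaster.ns3.domainname.at
serial = 1009665720
refresh = 1800 (30M)
retry = 600 (10M)
expire = 1800 (30M)
minimum ttl = 1800 (30M)
"""

# nslookup labels the RNAME field differently between versions; normalise them.
FIELD_ALIASES = {"mail addr": "mail", "mail address": "mail", "minimum ttl": "minimum"}

def parse_soa(text):
    """Turn 'key = value (human-readable)' lines into a dict.

    Leading '>' quote markers are tolerated so pasted mail text parses as-is;
    numeric fields become ints, names are lower-cased with any trailing dot removed."""
    soa = {}
    for line in text.splitlines():
        m = re.match(r"([a-z ]+?)\s*=\s*(\S+)", line.lstrip("> "))
        if not m:
            continue  # zone name line or blank line, nothing to compare
        key = FIELD_ALIASES.get(m.group(1), m.group(1))
        val = m.group(2)
        soa[key] = int(val) if val.isdigit() else val.lower().rstrip(".")
    return soa

def soa_mismatches(reference, observed):
    """Return {field: (reference_value, observed_value)} for every field that differs."""
    ref, obs = parse_soa(reference), parse_soa(observed)
    return {k: (ref[k], obs.get(k)) for k in ref if ref[k] != obs.get(k)}

def looks_poisoned(reference, observed):
    """A different SOA origin means the local cache answers from a foreign authority."""
    return "origin" in soa_mismatches(reference, observed)
```

Running `soa_mismatches(DISTANT, LOCAL)` on the post's captures reports all seven SOA fields as differing, and `looks_poisoned` returns True; feeding the same capture twice yields no mismatches.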