Re: DNS Injection Problem

From: Blade Runner (blade_at_seven.com.br)
Date: 05/06/03

  • Next message: Christian Stigen Larsen: "Attack attempts from 195.86.128.45" 
    Date: Tue, 6 May 2003 10:48:50 -0300 (BRT)
To: incidents@securityfocus.com

    You were the first to mention it, I am studying the subject.

    One interesting thing to quote, and sorry about the ignorance, is:

    Is possible to restart the DNS server with such attack?
    The local where the .zone and named.inc ( dns conf file ) file are stored is
    protected with these permission "-rw-r--r--", only root can modify or
    add new files ( theorically ).

    I am fear that the attacker is getting root privileges somewhere else
    to do that.

    But maybe in my research about dns poisonig I can get the answer.

    I will isolate the server to run a sniffer and check the queries, if the
    problem is with DNS it will be easier to detect even for a newbie :-) .

    Thanks.

    > Have you thought about DNS cache poisoning?
    >
    > references:
    > http://www.securityfocus.com/guest/17905
    > http://www.sans.org/rr/firewall/DNS_spoof.php
    > http://csrc.nist.gov/fasp/FASPDocs/network-security/NISTSecuringDNS.htm
    > http://www.acmebw.com/resources/papers/securing.pdf
    >
    > Can you put a sniffer, e.g. ethereal on the link and see if anyone is
    > sending you the bad data in response to queries?
    >
    > cheers,
    > Jamie
    > --
    > James Riden / j.riden@massey.ac.nz / Systems Programmer - Security
    > Information Technology Services, Massey University, NZ.
    > Tel: +64 (0) 6356 9099 ext. 7402
    >
    > 

    -- 
Blade Runner - Squirrel Mail
Linux Powered
LICQ 40959703
----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------
  • Next message: Christian Stigen Larsen: "Attack attempts from 195.86.128.45"

    Relevant Pages

    • Re: interoperability of VPN checkpoint FW1 to ISA
      ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ... Register today to ...
      (Focus-Microsoft)
    • RE: interoperability of VPN checkpoint FW1 to ISA
      ... However, CheckPoint has one little ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Focus-Microsoft)
    • RE: interoperability of VPN checkpoint FW1 to ISA
      ... If you are not the intended recipient be aware that any ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Focus-Microsoft)
    • RE: Log on the domain
      ... whether a given user account can be used from the "console" keyboard ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Security-Basics)
    • Re: Zenworks
      ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... world's premier event for IT and network security experts. ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Security-Basics)
    • Quantcast