Re: DNS attack



On 2007-02-09, left_coast <void@xxxxxxxx> wrote:
> The French Doctor wrote:
>
>> Just heard about the DNS attack. Anyone know how I
>> can tell if my server was involved (victim or zombified)?
>>
>> Anything special to look for in my logs?
>
> You mean the DDOS attacks?
>
> http://www.darkreading.com/document.asp?doc_id=116685&WT.svl=news1_3
>
> The devices that were used in the attack were "zombified computers". What
> that means is that they were hacked in some way. What you would look for is
> evidence that someone has broken through your security and taken control of
> your system to some extent. Of course, figuring out if your system has been
> compromised is the $64,000 question. Whole books are written on the
> subject... Needless to say, just looking in the logs will not necessarily
> tell you if you have been hacked. I would suggest starting with
> `chkrootkit` to see if a rootkit was installed (preferably from a rescue CD
> or from a live CD that contains chkrootkit). Unfortunately, it is not clear
> that gaining root and/or installing a rootkit is actually required for the
> system to be used as part of the attacks. Since chkrootkit only detects if
> a rootkit is installed, not if there has been a successful hack of your
> system... To detect intrusions can be very difficult and will require that
> you do some research. A starting point:
>
> http://safari.oreilly.com/0596002173/bssrvrlnx-CHP-11

I'm pretty familiar with IDS and rootkits. I guess I was looking for
more specific clues in the DNS server. Could there be information in the
cache? Are there any cache viewing or "DNS examining" software out there?
If there was, what might I look for?
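As an added example for the "what might I look for in the DNS server" question (this is not code from either poster), the script below does a first-pass triage of a BIND 9 query log for the traffic patterns a server caught up in a DNS DDoS would typically show: one source hammering the server, bursts of ANY queries (the usual amplification vector), and recursion being served to clients outside the networks it is meant for. The log line format, the zone list, the allowed-recursion network, the thresholds and the sample log lines are all assumptions constructed for the example; real thresholds depend on your normal query volume.

```python
"""Triage a BIND 9 query log for signs this server is being used in a DNS DDoS.

Added example for this thread, not code from any poster.  Assumed input is
BIND 9's classic query-log line format, e.g.
  09-Feb-2007 10:15:01.123 client 198.51.100.7#53: query: big-txt.example IN ANY +
Zone names, network ranges, thresholds and the sample log are constructed.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Assumed local setup: zones this server is authoritative for, and the
# networks that are allowed to use it as a recursive resolver.
OUR_ZONES = ("example.com.", "example.net.")
ALLOWED_RECURSION = [ip_network("192.0.2.0/24")]

# Constructed sample log: one outside host sends a burst of ANY queries for a
# name we are not authoritative for, two legitimate clients, one junk line.
SAMPLE_LOG = """\
09-Feb-2007 10:15:01.123 client 198.51.100.7#53: query: big-txt.example IN ANY +
09-Feb-2007 10:15:01.124 client 198.51.100.7#53: query: big-txt.example IN ANY +
09-Feb-2007 10:15:01.125 client 198.51.100.7#53: query: big-txt.example IN ANY +
09-Feb-2007 10:15:01.126 client 198.51.100.7#53: query: big-txt.example IN ANY +
09-Feb-2007 10:15:01.127 client 198.51.100.7#53: query: big-txt.example IN ANY +
09-Feb-2007 10:15:01.128 client 198.51.100.7#53: query: big-txt.example IN ANY +
09-Feb-2007 10:15:02.001 client 192.0.2.10#40321: query: www.somewhere-else.example IN A +
09-Feb-2007 10:15:02.002 client 192.0.2.10#40322: query: mail.somewhere-else.example IN MX +
09-Feb-2007 10:15:03.000 client 203.0.113.5#33333: query: www.example.com IN A -
this line is not a query log entry
"""


def parse_line(line):
    """Return a dict of fields for a query-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["name"].rstrip(".") + "."  # normalise to a FQDN
    return rec


def in_our_zones(name):
    """True if the queried name falls inside a zone we are authoritative for."""
    return any(name == z or name.endswith("." + z) for z in OUR_ZONES)


def is_allowed_client(src):
    """True if the source address may use this server for recursion."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_RECURSION)


def triage(lines, per_source_limit=5, any_limit=3):
    """Count queries per source and report sources that look like DDoS traffic.

    Findings are (kind, source, count) tuples:
      high_rate      - source sent >= per_source_limit queries in this log slice
      any_burst      - source sent >= any_limit ANY queries
      open_recursion - source outside ALLOWED_RECURSION asked for names we do not serve
    """
    per_source = Counter()
    any_per_source = Counter()
    outside_names = defaultdict(set)
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        src = rec["src"]
        per_source[src] += 1
        if rec["qtype"] == "ANY":
            any_per_source[src] += 1
        if not in_our_zones(rec["name"]) and not is_allowed_client(src):
            outside_names[src].add(rec["name"])

    findings = []
    findings += [("high_rate", s, n) for s, n in per_source.items() if n >= per_source_limit]
    findings += [("any_burst", s, n) for s, n in any_per_source.items() if n >= any_limit]
    findings += [("open_recursion", s, len(names)) for s, names in outside_names.items()]
    return {"parsed": parsed, "findings": sorted(findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print("parsed", result["parsed"], "lines")
    for kind, src, count in result["findings"]:
        print(f"{kind:15s} {src:18s} {count}")
```

Point it at a real query log with `triage(open("/var/log/named/query.log"))` after enabling query logging in `named.conf`; the `open_recursion` finding is the one worth acting on first, since a resolver that answers the whole Internet is the thing that makes it useful to an attacker whether or not the host itself was ever compromised.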
