This is a discussion on DNS Flaw and Jaguar in the Open Discussion & Chit-chat forum

  1. #1
    JPC Senior Member
    Join Date
    Oct 2003
    Location
    Alaska
    Posts
    82

    DNS Flaw and Jaguar

    I'm wondering if JaguarPC has been keeping track of this? Has there already been a thread? I hate to spread this kind of stuff (fear based internet stuff), but I've been hearing a lot about this lately.

    ----------------------------------------------------------------

    One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon.

    Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

    http://www.pcworld.com/businesscente...mm inent.html
    "Play the best song in the world, or I'll eat your soul."
    I am a D fan in the arctic wastes of Alaska.

  2. #2
    Loyal Client Pawel Kowalski
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    I would need to see more details but the article claims this is a cache poisoning attack which really is nothing new, this is probably just a new way of going about it. This type of attack doesn't affect your hosting/web servers, it's an issue at the local ISP level or on an intranet.

    So there isn't really anything JagPc could do in this case, it will be up to each individual ISP or network administrator to make sure everything is patched and properly protected.
    Last edited by Pawel Kowalski; 07-24-2008 at 08:00 AM.

  3. #3
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Like THW said, it is a cache poisoning attack, so the effect on JPC's DNS servers would be minimal. There are basically two kinds of DNS servers--the ones that hold information about specific domains (authoritative servers) and the ones that ISPs host and our computers connect to when we want to connect to a domain somewhere else (non-authoritative servers).

    When someone requests a look up via a non-authoritative DNS server for the first time that server will, through a series of steps, find the authoritative DNS server for that domain and retrieve information about the requested domain from it. Since it is "expensive" (i.e. time consuming) to do this, the non-authoritative server will cache that data for a period of time so that future requests can be connected faster.

    In a cache poisoning attack, the attacker attempts to change the data stored in the non-authoritative server's cache, remapping the real IP addresses for sites with ones of the attacker's choosing. So, for example, the attacker could attempt to redirect all traffic to a banking site coming from a particular ISP to his own phishing site. The danger here is that the end user will still see the correct address for the bank in his browser, even though he is directed to an incorrect IP.

    Since JPC's DNS servers don't serve as non-authoritative servers for most of us (they may do this for server-to-server routing of email, web services, etc. and for the staff at JPC's offices but not directly for clients) there is little risk to us on JPC's site of things. The risk really lies with our ISPs or with personal DNS servers if anyone is running them on their home networks.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
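
    As an added illustration of the mechanism Jason describes (this is not code from the thread or from JaguarPC), here is a toy model of a caching resolver and the poisoning race against it. It shows the part that makes forgery possible at all: a reply is believed if it matches the 16-bit transaction ID (and the port) of an outstanding query, the first matching reply wins, and whatever wins sits in the cache for the TTL and is handed to every client of that resolver. The fix vendors shipped for the 2008 flaw was to randomize the UDP source port, so the attacker must guess the port as well as the ID; the model shows an attacker who still assumes the old fixed port and loses. The real attack described in the article has extra tricks for getting unlimited attempts that this model leaves out. The hostnames, addresses, the fixed port value and the RNG seed are made up.

```python
"""Toy model of a caching (non-authoritative) resolver and a cache-poisoning race.

Added illustration, not a real DNS implementation and not code from the
original thread. Names and addresses are made up (RFC 5737 documentation ranges).
"""
import random

TXID_SPACE = 1 << 16                 # the DNS transaction ID is 16 bits
PORT_CHOICES = range(1024, 1 << 16)  # ephemeral ports a patched resolver picks from
LEGACY_PORT = 53                     # stand-in for the one predictable port an unpatched resolver used


class ToyResolver:
    """The ISP-side resolver reduced to an outstanding-query table and a cache."""

    def __init__(self, rng, randomize_port=False, ttl=3600):
        self.rng = rng
        self.randomize_port = randomize_port
        self.ttl = ttl
        self.cache = {}    # name -> (ip, expires_at)
        self.pending = {}  # (name, txid, src_port) -> True, queries awaiting an answer

    def lookup(self, name, now):
        """Cache hit: (ip, None). Miss: 'send' an upstream query, return (None, (txid, port))."""
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], None
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(PORT_CHOICES) if self.randomize_port else LEGACY_PORT
        self.pending[(name, txid, port)] = True
        return None, (txid, port)

    def receive(self, name, txid, dst_port, ip, now):
        """A reply is believed only if name, txid and destination port match an
        outstanding query. First match wins; a genuine reply arriving later is dropped."""
        if not self.pending.pop((name, txid, dst_port), False):
            return False
        self.cache[name] = (ip, now + self.ttl)  # served to every client until the TTL expires
        return True


def poison_race(resolver, name, attacker_ip, real_ip, guessed_port, now=0):
    """Attacker triggers a miss, then floods forged replies sweeping all 2^16 TXIDs
    toward the port it believes the resolver queried from. The genuine reply arrives
    after the flood. Returns (forgery_won, real_accepted, ip_now_cached)."""
    cached, query = resolver.lookup(name, now)
    assert cached is None, "attacker needs a cache miss to race"
    real_txid, real_port = query
    forgery_won = any(resolver.receive(name, txid, guessed_port, attacker_ip, now)
                      for txid in range(TXID_SPACE))
    real_accepted = resolver.receive(name, real_txid, real_port, real_ip, now)
    ip_now_cached, _ = resolver.lookup(name, now)  # what the next customer of this ISP gets
    return forgery_won, real_accepted, ip_now_cached


def success_probability(forgeries, randomize_port):
    """Chance that `forgeries` distinct (txid, port) guesses hit the single outstanding
    query: n / 2^16 with a fixed port, n / (2^16 * ports) with a randomized one."""
    space = TXID_SPACE * (len(PORT_CHOICES) if randomize_port else 1)
    return min(1.0, forgeries / space)


def demo(randomize_port, seed=2008):
    """One ISP resolver, one bank name; the attacker assumes the legacy fixed port."""
    resolver = ToyResolver(random.Random(seed), randomize_port=randomize_port)
    return poison_race(resolver, "www.bank.example",
                       attacker_ip="203.0.113.66", real_ip="198.51.100.10",
                       guessed_port=LEGACY_PORT)


if __name__ == "__main__":
    print("fixed port:     ", demo(randomize_port=False))
    print("randomized port:", demo(randomize_port=True))
    print("forger's odds with 65536 guesses, fixed vs random port:",
          success_probability(TXID_SPACE, False), success_probability(TXID_SPACE, True))
```

    With the fixed port the sweep always lands, the real answer is then discarded, and the browser of anyone using that resolver goes to 203.0.113.66 while showing www.bank.example in the address bar, which is the point Jason makes. With a randomized port the same sweep misses and the real answer is cached. Note that JPC's authoritative servers never run this code path: only the resolver that does the caching can be poisoned.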

  4. #4
    JPC Senior Member
    Join Date
    Jul 2006
    Posts
    92
    Great explanation Jason!

  5. #5
    JPC Member
    Join Date
    Jul 2008
    Posts
    9
    I wonder if this is why my domain is now pointing to a maternity dress web site.

  6. #6
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Probably not. In your case it is probably either a case of someone assigning your site to the same IP as the dress shop in the DNS or a bad Apache config. If you haven't already, open a support ticket. It should be easy for support to fix.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  7. #7
    JPC Member
    Join Date
    Jul 2008
    Posts
    9
    Thanks. I did open a ticket and the problem looks to be resolved. I posted a screenshot of the hijacking site below. It's a typical squatters site that I've seen before which makes me suspicious.

    http://www.vinceallen.com/hackedsite.jpg

  8. #8
    Loyal Client Pawel Kowalski
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    It's a good idea to go through a proxy to see if this is a problem on your end or if it's a global issue. A good site is http://www.atunnel.com . If they show the correct web site and you show the wrong one there is a DNS attack somewhere on your end. If atunnel also shows the wrong web site then the issue is with the way your web server is configured.

  9. #9
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Is this a new domain? That page may be the default page that your registrar points your site at when you register it. It may have been that your DNS settings hadn't propagated to JPC's servers yet.

    Whatever the issue, it seems to be resolved now. Good luck with the site.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  10. #10
    JPC Member
    Join Date
    Jul 2008
    Posts
    9
    This is not a new domain...it's now happening again. I followed Pawel's advice and went to the site using atunnel and can see the site correctly. However, if I try going there directly, I get the default page. So it's looking like a DNS attack?

  11. #11
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    First off, what DNS server are you using for your PC?

    2nd find out where your DNS is pointing you by:
    1) Click on "Start -> Run"
    2) Type "cmd" (no quotes)
    3) Press Enter
    4) Type "ping <your domain>"
    5) Press Enter
    Record the IP address, compare with your real IP address

    Check your domain via your browser again.
    Still showing wrong stuff?

    3rd try flushing your own DNS by
    1) Close all your browser windows and email clients.
    2) Click on "Start -> Run..."
    3) Type "ipconfig /flushdns " (no quotes)
    4) Press Enter.

    Check again.

    Try accessing your domain via IP address directly

    Try logging into your domain via SSH

    type "dig <yourdomain>" (no quotes)
    note IP addy in the response

    If you've done all this stuff (and/or more) already, let us know what you've done so we don't waste time typing.
    Good luck
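
    Ron's checklist, gathered into one script as an added example (not code from the thread or from JaguarPC). It asks the resolver your machine is configured with, then asks the domain's own authoritative servers by walking down from the root servers with `dig +trace` (which bypasses every cache in between), and compares the two answers. A mismatch means the resolver you are using is handing out an address the domain's servers do not, so suspect the resolver or the path to it (poisoned or stale cache); agreement means DNS is consistent everywhere and the wrong page is a web server or vhost problem, which is the distinction Pawel's proxy test was making. It assumes `dig` is installed; the hostname and the sample dig outputs are constructed so the decision logic can be exercised offline.

```python
"""Cross-check the answer your configured resolver gives for a name against the
domain's authoritative servers. Added example, not code from the thread.

Assumes `dig` (bind-utils / dnsutils) is installed. The sample outputs at the
bottom are constructed so the parsing and decision logic run offline.
"""
import re
import subprocess

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_short(output):
    """IPv4 addresses from `dig +short A <name>`, one record per line."""
    return {line.strip() for line in output.splitlines() if IPV4.match(line.strip())}


def parse_trace(output, name):
    """IPv4 addresses for `name` from `dig +trace A <name>`. +trace starts at the
    root servers and follows the delegations itself, so only the final hop (the
    zone's authoritative server) answers with A records for the name; earlier hops
    print NS records and ';; Received' status lines, which are skipped here."""
    want = name.rstrip(".") + "."
    ips = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == want and parts[3] == "A" and IPV4.match(parts[4]):
            ips.add(parts[4])
    return ips


def classify(local_ips, authoritative_ips):
    """The thread's decision rule. 'mismatch': the resolver your PC uses hands out an
    address the domain's own servers do not (poisoned or stale cache somewhere on
    your side). 'agree': DNS is consistent, so look at the web server configuration."""
    if not authoritative_ips:
        return "no_reference"
    return "agree" if local_ips == authoritative_ips else "mismatch"


def diagnose(local_output, trace_output, name):
    local, auth = parse_short(local_output), parse_trace(trace_output, name)
    return classify(local, auth), sorted(local), sorted(auth)


def run_dig(args):
    """Run dig and return its stdout; a missing dig binary or a timeout yields ''."""
    try:
        return subprocess.run(["dig", *args], capture_output=True, text=True,
                              timeout=30, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def diagnose_live(name):
    """Live version: the resolver from /etc/resolv.conf versus a walk from the roots."""
    return diagnose(run_dig(["+short", "A", name]), run_dig(["+trace", "A", name]), name)


# Constructed sample: the PC's resolver says one thing, the authoritative server another.
SAMPLE_NAME = "www.mysite.example"
SAMPLE_LOCAL = "203.0.113.80\n"
SAMPLE_TRACE = """\
.\t\t\t518400\tIN\tNS\ta.root-servers.net.
;; Received 811 bytes from 192.0.2.53#53(192.0.2.53) in 12 ms

example.\t\t172800\tIN\tNS\ta.nic.example.
;; Received 300 bytes from 192.0.2.4#53(a.root-servers.net) in 30 ms

www.mysite.example.\t3600\tIN\tA\t198.51.100.10
;; Received 60 bytes from 198.51.100.20#53(ns1.mysite.example) in 40 ms
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(diagnose_live(sys.argv[1]))           # e.g. python dnscheck.py www.yourdomain.example
    else:
        print(diagnose(SAMPLE_LOCAL, SAMPLE_TRACE, SAMPLE_NAME))
```

    On the constructed sample the result is a mismatch: the configured resolver returns 203.0.113.80 while the authoritative server returns 198.51.100.10. Run it once before and once after `ipconfig /flushdns` (or the equivalent on your platform); if the mismatch survives the flush, the bad data is upstream of your PC.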

  12. #12
    Loyal Client Pawel Kowalski
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    Quote Originally Posted by vinceall View Post
    This is not a new domain...it's now happening again. I followed Pawel's advice and went to the site using atunnel and can see the site correctly. However, if I try going there directly, I get the default page. So it's looking like a DNS attack?
    Sounds like there is an attack on your network somewhere. What does your network layout look like (servers, routers, ISP, etc)?

    Go you your command prompt and type nslookup <domain> , paste the results here.

    Ron, to be honest with you I would avoid logging in to SSH, if his DNS is under attack there is a very good chance that there is also a man in the middle attack going on meaning anyone could steal the SSH password if his certificate isn't configured properly (chances are it isn't). In fact I would get on a computer on an outside network and change your web site and client area passwords right away.

    When you go to a secure web site, such as https://www.bankofamerica.com/index.jsp does a certificate error come up?

  13. #13
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    Good point. However:
    1) If he had logged into SSH before, shouldn't he get a warning from SSH about changed registry keys?
    2) If he had NOT logged into SSH before, shouldn't he get a warning from SSH about non-existent registry keys?

    With either warning he shouldn't continue.
    #1 would be a good indication of a man in the middle issue.

    I think it's likely his registrar had an issue in delivering up DNS info or his ISP had an issue. I'd be interested in seeing the SOURCE CODE for the "hacked page".
    Good luck

  14. #14
    Loyal Client Pawel Kowalski
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    I forgot that SSH caches the keys. I was thinking SSH used a trusted root certificate without caching. Would be nice if windows did that on some of their stuff.

    Like you said and most people ignore that warning or the key could have been cached after the attack started. I know I'm jumping to a lot of conclusions but I'm really paranoid about this type of thing.

    He uses Network Solutions for the registrar. I know that they have done some sneaky things but I don't think they ever fetch ads to their clients, do they? The page looks extremely sketchy to be showing up in your DNS records.
    Last edited by Pawel Kowalski; 07-29-2008 at 05:00 PM.

  15. #15
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    I have seen a million of those pages; they are parked pages and likely using AdSense for domains or some such.

    His DNS was changed 2 days ago at the registrar and who knows if he has made changes to his DNS zone. Perhaps someone hacked his registrar's site and then put it back? Unlikely...

    Anyway it looks like all is fine now, except Vince is missing.
    Good luck
