Hi list,

I am facing a serious problem here. My client works as an ISP and somebody is injecting parameters in their DNS tables/files. Eventually dial-up customers are accessing faked home pages (usually banks). These attacks were reported to the FPD (Federal Police Dep), but they didn't find anything yet.

I am looking for a vulnerability in my server but it is a hard thing to do. Maybe you, security masters, can help me with this.

This is the server configuration:

OS: Slackware 8.1, kernel 2.4.20
DNS Server: bind 9.2.2    # I am focusing my attention here, looking for bugs.
Web Server: apache 1.3.27 + php-4.3.1 + SquirrelMail 1.4.0
Courier-Imap 1.7.1
Qmail 1.03
Proftpd 1.2.8             # no root or anonymous connections

Here is a scan showing my open ports:

Port     State  Service
21/tcp   open   ftp
23/tcp   open   telnet
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop-3
113/tcp  open   auth
143/tcp  open   imap2

In this server we do not allow telnet/rsh or any shell connection.

Since I am a newbie, I would appreciate some advice and tips.

Thanks a lot and sorry about my poor English.

--
Blade Runner - Squirrel Mail
Linux Powered
LICQ 40959703
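One concrete check for the "somebody is injecting parameters in their DNS tables/files" suspicion above, as an added example that is not part of the original post or of BIND: parse a BIND zone file and diff it against a trusted baseline copy, so that a repointed or newly added record is flagged before customers are sent to a spoofed host. The zone name, addresses and records are constructed for the example, and the parser assumes one record per line (no multi-line parenthesised SOA).

```python
def _fqdn(name, origin):
    """Expand '@' and relative names to fully qualified names."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse a one-record-per-line BIND zone file into {(owner, type): set(rdata)}.
    Handles $ORIGIN, $TTL, ';' comments, '@', inherited owners, optional TTL/class."""
    records, last_owner = {}, origin
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()          # strip comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):                  # $TTL etc. carry no records
            continue
        owner = last_owner if raw[0].isspace() else _fqdn(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].isdigit():             # optional explicit TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in {"IN", "CH", "HS"}:
            tokens.pop(0)                              # optional class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in {"NS", "CNAME", "MX", "PTR"}:      # rdata holds names: qualify them
            rdata = [t if t.isdigit() else _fqdn(t, origin) for t in rdata]
        records.setdefault((owner, rtype), set()).add(" ".join(rdata))
    return records

def diff_zones(baseline, live):
    """Return records whose rdata changed, appeared, or disappeared."""
    report = {"changed": {}, "added": {}, "removed": {}}
    for key in sorted(set(baseline) | set(live)):
        old, new = baseline.get(key, set()), live.get(key, set())
        if old != new:
            bucket = "added" if not old else "removed" if not new else "changed"
            report[bucket][key] = (sorted(old), sorted(new))
    return report

# Constructed sample (not from the post): baseline zone, then a live copy with one A record repointed and a host added.
BASELINE = """$ORIGIN example-isp.net.
$TTL 3600
@       IN SOA ns1 hostmaster 2003050501 7200 3600 604800 3600
        IN NS  ns1
ns1     IN A   192.0.2.53
www     IN A   192.0.2.80   ; customer web server
"""
LIVE = BASELINE.replace("192.0.2.80", "203.0.113.7") + "login   IN A   203.0.113.7\n"

def audit():
    # A non-empty report means the on-disk zone no longer matches the trusted copy.
    return diff_zones(parse_zone(BASELINE, "example-isp.net."), parse_zone(LIVE, "example-isp.net."))
```

Run the same diff from cron against a baseline stored off the server, and treat any "added" or "changed" entry as an incident to investigate.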
This archive was generated by hypermail 2b30 : Mon May 05 2003 - 17:07:34 PDT