You were the first to mention it, I am studying the subject.

One interesting thing to quote, and sorry about the ignorance, is: Is it possible to restart the DNS server with such an attack? The location where the .zone and named.inc (DNS conf file) files are stored is protected with these permissions "-rw-r--r--"; only root can modify or add new files (theoretically). I fear that the attacker is getting root privileges somewhere else to do that. But maybe in my research about DNS poisoning I can get the answer.

I will isolate the server to run a sniffer and check the queries; if the problem is with DNS it will be easier to detect, even for a newbie :-) .

Thanks.

> Have you thought about DNS cache poisoning?
>
> references:
> http://www.securityfocus.com/guest/17905
> http://www.sans.org/rr/firewall/DNS_spoof.php
> http://csrc.nist.gov/fasp/FASPDocs/network-security/NISTSecuringDNS.htm
> http://www.acmebw.com/resources/papers/securing.pdf
>
> Can you put a sniffer, e.g. ethereal on the link and see if anyone is
> sending you the bad data in response to queries?
>
> cheers,
> Jamie
> --
> James Riden / j.ridenat_private / Systems Programmer - Security
> Information Technology Services, Massey University, NZ.
> Tel: +64 (0) 6356 9099 ext. 7402
>
>

--
Blade Runner - Squirrel Mail Linux Powered LICQ 40959703
This archive was generated by hypermail 2b30 : Tue May 06 2003 - 10:51:49 PDT