Mailinglist Archive: opensuse-security (636 mails)

AW: AW: [suse-security] dns hijack attack
  • From: "Philipp Snizek" <mailinglists@xxxxxxxxx>
  • Date: Tue, 6 Feb 2001 08:15:40 +0100
  • Message-id: <000c01c0900c$9cc11240$b400000a@xxxxxxxxxxxxxxx>
Hi Boris,

Thanks for your answer. I read it with pleasure.

> Eerm... 212.114.64.130 is our permanent line to the internet, which is
> provided by OSN, Online Service Nuernberg. Your ipchains log entries show
> that, from our permanent line, a DNS lookup has been initiated but could
> not be completed due to your packet screening configuration.

Which is ok the way it is. That means I won't change it.

> The time of these log entries, 18:47 (CET I suppose), is very interesting.
> At this time the newly arrived suse-security postings arrived and have been
> polled by our internal mail server. Your domain belfin.ch has been looked up
> and this lookup led to the ipchains log entries you mentioned.

Don't worry because of time. This box is not yet NTP synchronised, I've got
a time error.

> The log entries have been created because our internal name server (which
> connects to the internet via 212.114.64.130) tried to do a lookup with a
> source port below 1024, and I think you have an ipchains-rule like this:
>
> ipchains -A input -i eth1 -p udp -s 0.0.0.0/0.0.0.0 1024:65535 -d your.dns.ip.address 53 -j ACCEPT

Ok. That's right.

> If so, the log entries have been caused due to your restriction of the
> source ports.

exactly.

> Our internal name server used

and still uses

> ports below 1024 and therefore got rejected.

> I am very sorry if these events worried you, but I assure you that there's
> no black hat behind it, it's just some kind of "misunderstanding" between
> our internal and your external bind...! :-)

Happy to hear that.

> If you still feel uncomfortable I can provide you with some log files to
> show you the whole story.

I'd like to. Just for learning purposes.

> Again, we in Landwehr & Partner do apologise for this inconvenience.

No Problem.


Philipp
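
Added example, not part of the original message: a small triage script that separates the pattern discussed in this thread (denied UDP packets to port 53 whose source port is below 1024, i.e. a name server querying from a low port) from other denied traffic. The log layout is assumed to follow the IPCHAINS-HOWTO format; the sample lines, host name, rule numbers and the 192.0.2.53 / 198.51.100.7 / 203.0.113.9 addresses are constructed.

```python
import re
from collections import Counter

# Assumed ipchains "-l" log layout (IPCHAINS-HOWTO style):
# Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log; only 212.114.64.130 is taken from the thread.
SAMPLE_LOG = """\
Feb  5 18:47:02 fw kernel: Packet log: input DENY eth1 PROTO=17 212.114.64.130:53 192.0.2.53:53 L=57 S=0x00 I=4211 F=0x0000 T=52 (#7)
Feb  5 18:47:04 fw kernel: Packet log: input DENY eth1 PROTO=17 212.114.64.130:53 192.0.2.53:53 L=57 S=0x00 I=4212 F=0x0000 T=52 (#7)
Feb  5 18:47:09 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:34567 192.0.2.53:23 L=60 S=0x00 I=911 F=0x4000 T=49 SYN (#9)
Feb  5 18:47:11 fw kernel: Packet log: input ACCEPT eth1 PROTO=17 203.0.113.9:1025 192.0.2.53:53 L=61 S=0x00 I=77 F=0x0000 T=55 (#3)
Feb  5 18:47:12 fw named[123]: unrelated daemon message
"""

UDP = 17
DNS_PORT = 53


def classify(line):
    """Return (source_ip, label) for a denied packet, or None otherwise."""
    m = LOG_RE.search(line)
    if m is None or m["action"] not in ("DENY", "REJECT"):
        return None
    proto, sport, dport = int(m["proto"]), int(m["sport"]), int(m["dport"])
    # A rule that only accepts source ports 1024:65535 drops DNS queries
    # that a resolver sends from a privileged port (often 53 itself).
    if proto == UDP and dport == DNS_PORT and sport < 1024:
        return (m["src"], "low-port-dns-query")
    return (m["src"], "other")


def summarize(log_text):
    """Count denied packets per (source, label) over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None:
            counts[result] += 1
    return counts


if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {label:20} {n}")
```

Sources that only ever appear under `low-port-dns-query` match the benign explanation given above; anything labelled `other` still needs its own look.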


