Incidents
DNS CACHE POISONING? - Our Portal is redirecting to our first competition Jan 22 2008 12:55AM
ponchovaldes gmail com (4 replies)
Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Jan 28 2008 09:15PM
Gary Baribault (gary baribault net)
Do they all have the same root password? I have heard that some people
think it may be a root password compromise.

What else is there that is unique to this box?
I also heard that the exploit may be installed in some of the site code,
the entry point is elsewhere, but once infected, it installs the exploit
in source code for a site.

Gary B

Jeff Plewes wrote:
> Update,
>
> The problem box:
> - centos 5 base, updated via yum from default repository.
> - httpd 2.2.3-11.el5_1.centos.3 (2.2.8 backport?)
> - php 5.2.5 compiled from source
> - courier-authlib 0.60.2 compiled from source
> - courier-imap-4.3.0 compiled from source
> - exim 4.69 compiled from source
> - proftpd 1.3.1 compiled from source
>
> I have no control panel of any sort installed.
>
> The box was running RH9.. had the issue.. formatted and replaced with
> fresh install of centos 5... copied over customer vhosts..
>
> Gets hit again within days.
>
> ports open = 20,21,22,25,80,110,143,443 + pasv port range for ftp
>
> I have many other hosts in the datacenter with various configurations
> but all would have had the same apache, php, ssh, ssl versions as this
> box before at RH9. None of them have been hit.. none of them however,
> contain exim, courier, or proftpd
>
> I'm starting to lean towards these packages as a possible entry-point
> for the trojan?
>
> And no, it's not ARP or DNS poisoning nor router or proxy problems.
>
> -Jeff
>
>
> On Jan 25, 2008 1:00 PM, Cedric Blancher <blancher (at) cartel-securite (dot) fr> wrote:
>
>> On ven, 2008-01-25 at 13:31 +0100, Ronald van der Westen wrote:
>>
>>> I don't think ARP cache poisoning is the problem here, unless client
>>> and server are in the same subnet.
>>>
>> Not necessarily.
>> Sitting on one of their subnets is way sufficient. More generally, you
>> need to be somewhere on the path between your two targets to perform a
>> traffic redirection. As routers and firewalls can be poisoned as any
>> other node and as they act as gateways, they are all the more
>> interesting targets.
>>
>>
>> --
>> http://sid.rstack.org/
>> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>>
>>>> Hi! I'm your friendly neighbourhood signature virus.
>>>> Copy me to your signature file and help me spread!
>>>>
>
>
>

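Added example, not part of the original thread or of any poster's message: since the quoted reply points out that gateways are attractive ARP poisoning targets, this sketch shows how the gateway's entry in `ip neigh show` output can be checked against a recorded baseline when ruling ARP poisoning in or out. The neighbor table, the gateway address and the baseline MAC are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output (documentation IPs, made-up MACs).
SAMPLE = """\
192.0.2.1 dev eth0 lladdr 02:00:00:aa:bb:05 REACHABLE
192.0.2.5 dev eth0 lladdr 02:00:00:aa:bb:05 STALE
192.0.2.7 dev eth0 lladdr 02:00:00:aa:bb:07 REACHABLE
192.0.2.9 dev eth0  FAILED
"""

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neighbors(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group(1)] = m.group(3).lower()
    return table

def check_gateway(table, gateway_ip, known_gateway_mac):
    """Return a list of findings about the gateway's neighbor entry."""
    mac = table.get(gateway_ip)
    if mac is None:
        return ["gateway %s has no resolved entry" % gateway_ip]
    findings = []
    # Finding 1: the gateway IP maps to a MAC other than the recorded baseline.
    if mac != known_gateway_mac.lower():
        findings.append("gateway %s resolves to %s, expected %s"
                        % (gateway_ip, mac, known_gateway_mac.lower()))
    # Finding 2: another host on the segment claims the same MAC as the gateway.
    by_mac = defaultdict(list)
    for ip, other in table.items():
        by_mac[other].append(ip)
    sharing = sorted(ip for ip in by_mac[mac] if ip != gateway_ip)
    if sharing:
        findings.append("gateway MAC %s is also claimed by %s"
                        % (mac, ", ".join(sharing)))
    return findings

if __name__ == "__main__":
    # Baseline MAC is an assumed value recorded while the network was known good.
    for finding in check_gateway(parse_neighbors(SAMPLE), "192.0.2.1",
                                 "02:00:00:aa:bb:01"):
        print(finding)
```

A router that legitimately answers for several addresses on the segment will trigger the second finding, so the result is a lead to verify against the switch's MAC table, not proof of poisoning.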


 

Copyright 2010, SecurityFocus