RE: Hackers get hold of critical Internet flaw
At least one attack has already taken place and probably more we do not know about. This attack is very easy to perform. My team just did a penetration test of a financial company today in which this DNS vulnerability was used to hijack all Java update server requests to backdoor every Windows system on the company's network that used Sun Java.

Example: AT&T DNS servers hit: http://www.securityfocus.com/news/11529

Definitely not the end of the Internet, but a lot of people are going to get run over with this one, especially the ones debating it rather than patching.

Signed,
Marc Maiffret
www.inveniosecurity.com

-----Original Message-----
From: Steve Moffat [mailto:[EMAIL PROTECTED] On Behalf Of NTSysAdmin
Sent: Friday, July 25, 2008 4:17 AM
To: NT System Admin Issues
Subject: RE: Hackers get hold of critical Internet flaw

It's just FUD people. An article that warns about an imminent hack attack. Come on. Where are the details. It's the end of the interwebs as we know them I suppose..

S

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
OT: Re: Hackers get hold of critical Internet flaw
Matti,

Was this a misprint in the article? Did they mean to say Haack-ers obtained the exploit :O)

Cool domain name by the way.

Klint

Matti Haack wrote:
The article is useless. Patch where? Who should be patching?

Everyone with a (BIND) Nameserver: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

But yes, the article could be a little more detailed :)

Matti
--
Matti Haack - Hit Haack IT Service Gmbh
Poltlbauer Weg 4, D-94036 Passau
+49 851 50477-22 Fax: +49 851 50477-29
http://www.haack-it.de
Registergericht Passau HRB 5678 USt. ID: DE195625715
Re: Hackers get hold of critical Internet flaw
You're crazy if you think this is FUD.

On Fri, Jul 25, 2008 at 7:16 AM, NTSysAdmin [EMAIL PROTECTED] wrote:
It's just FUD people. An article that warns about an imminent hack attack. Come on. Where are the details. It's the end of the interwebs as we know them I suppose…

S

--
ME2
RE: Hackers get hold of critical Internet flaw
Just about every DNS server is vulnerable. See:
http://isc.sans.org/diary.html?nstoryid=4777
http://www.us-cert.gov/cas/techalerts/TA08-190B.html
and also Dan Kaminsky's blog

Cheers
Ken

From: Vue, Za [mailto:[EMAIL PROTECTED]
Sent: Friday, 25 July 2008 11:07 PM
To: NT System Admin Issues
Subject: RE: Hackers get hold of critical Internet flaw

The article is useless. Patch where? Who should be patching?
Re: Hackers get hold of critical Internet flaw
Yes, holy crap at that!

Jon

On Fri, Jul 25, 2008 at 12:10 AM, Sam Cayze [EMAIL PROTECTED] wrote:
Umm... Crap.
http://www.breitbart.com/article.php?id=080724230931.2rdnlz0a&show_article=1
RE: Hackers get hold of critical Internet flaw
It's just FUD people. An article that warns about an imminent hack attack. Come on. Where are the details. It's the end of the interwebs as we know them I suppose…

S

From: Sam Cayze [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 1:10 AM
To: NT System Admin Issues
Subject: Hackers get hold of critical Internet flaw

Umm... Crap.
http://www.breitbart.com/article.php?id=080724230931.2rdnlz0a&show_article=1
Re: Hackers get hold of critical Internet flaw
Maybe not the end but another or Sasser et al. that Admins were slow to patch for?

Jon

On Fri, Jul 25, 2008 at 7:16 AM, NTSysAdmin [EMAIL PROTECTED] wrote:
It's just FUD people. An article that warns about an imminent hack attack. Come on. Where are the details. It's the end of the interwebs as we know them I suppose…

S
RE: Hackers get hold of critical Internet flaw
It's not entirely FUD. I doubt we will see the end of the internet, but it is the type of attack that can be widespread/automated. If the bad guys decide to embark on a widespread DNS cache poisoning attack, then lots of end users will have issues. SOHO NAT/router type devices, ISP DNS servers etc. can all be easily poisoned. Even corporate DNS servers can be poisoned (you get a user to visit a malicious website - your DNS server looks up the nameserver for the malicious website - now the malicious website has your DNS server's IP address, and poisons its cache).

The Metasploit framework already has two attacks available, so it's only a short matter of time before widespread attacks start.

That's not to say it's the end of the world - there are plenty of patches available - so start patching!

Cheers
Ken

From: Steve Moffat [mailto:[EMAIL PROTECTED] On Behalf Of NTSysAdmin
Sent: Friday, 25 July 2008 9:17 PM
To: NT System Admin Issues
Subject: RE: Hackers get hold of critical Internet flaw

It's just FUD people. An article that warns about an imminent hack attack. Come on. Where are the details. It's the end of the interwebs as we know them I suppose…

S
RE: Hackers get hold of critical Internet flaw
And test the DNS server you're using just to be sure - you may be surprised.
http://www.doxpara.com/

Carl

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 8:36 AM
To: NT System Admin Issues
Subject: RE: Hackers get hold of critical Internet flaw

It's not entirely FUD. I doubt we will see the end of the internet, but it is the type of attack that can be widespread/automated. If the bad guys decide to embark on a widespread DNS cache poisoning attack, then lots of end users will have issues. SOHO NAT/router type devices, ISP DNS servers etc. can all be easily poisoned. Even corporate DNS servers can be poisoned (you get a user to visit a malicious website - your DNS server looks up the nameserver for the malicious website - now the malicious website has your DNS server's IP address, and poisons its cache).

The Metasploit framework already has two attacks available, so it's only a short matter of time before widespread attacks start.

That's not to say it's the end of the world - there are plenty of patches available - so start patching!

Cheers
Ken
RE: Hackers get hold of critical Internet flaw
Wasn't there another test floating around too? doxpara tells me I am safe (I think), but another one I ran a few days ago told me I was not. (Can't remember link...)

So... what is the obvious pattern I should look for?!?!

Your name server, at 216.183.114.118, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.

Requests seen for 1253a476ef51.toorrr.com:
216.183.114.118:26781 TXID=11952
216.183.114.118:15053 TXID=26171
216.183.114.118:31440 TXID=34231
216.183.114.118:15786 TXID=37658
216.183.114.118:24167 TXID=21255

From: Carl Houseman [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 9:51 AM
To: NT System Admin Issues
Subject: RE: Hackers get hold of critical Internet flaw

And test the DNS server you're using just to be sure - you may be surprised.
http://www.doxpara.com/

Carl
RE: Hackers get hold of critical Internet flaw
There's an nslookup and a dig method with a DNS server that returns a TXT record giving the standard deviation, but I found those to not return anything quite often.

BTW the SOHO router/NAT issue has me wondering, did the MS patches for this fix RRAS to properly randomize DNS requests that are being NAT translated?

Carl

From: Sam Cayze [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 10:57 AM
To: NT System Admin Issues
Subject: RE: Hackers get hold of critical Internet flaw

Wasn't there another test floating around too? doxpara tells me I am safe (I think), but another one I ran a few days ago told me I was not. (Can't remember link...)

So... what is the obvious pattern I should look for?!?!

Your name server, at 216.183.114.118, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.

Requests seen for 1253a476ef51.toorrr.com:
216.183.114.118:26781 TXID=11952
216.183.114.118:15053 TXID=26171
216.183.114.118:31440 TXID=34231
216.183.114.118:15786 TXID=37658
216.183.114.118:24167 TXID=21255
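Sam asks what "obvious pattern" to look for in the doxpara output, and Carl mentions a test that reports a standard deviation. The script below is an added example, not from this thread or from doxpara: it parses lines in the format quoted above, reports the spread and population standard deviation of the source ports and TXIDs, and flags a fixed value or a plain counter. The 216.183.114.118 lines are the ones quoted in the thread; the 192.0.2.53 lines are a constructed sample of a weak resolver, and the 1000 threshold is an assumed rule of thumb, not a published cut-off.

```python
"""Check resolver source ports and transaction IDs for the 'obvious pattern'."""
import re
import statistics
# Lines as printed by the doxpara-style test quoted in the thread (values from the page).
OBSERVED = """\
216.183.114.118:26781 TXID=11952
216.183.114.118:15053 TXID=26171
216.183.114.118:31440 TXID=34231
216.183.114.118:15786 TXID=37658
216.183.114.118:24167 TXID=21255
"""
# Constructed sample of a weak resolver (or one behind a NAT that rewrites ports):
# one fixed source port and transaction IDs counting up by one.
WEAK_SAMPLE = """\
192.0.2.53:32768 TXID=4100
192.0.2.53:32768 TXID=4101
192.0.2.53:32768 TXID=4102
192.0.2.53:32768 TXID=4103
192.0.2.53:32768 TXID=4104
"""
LINE_RE = re.compile(r"^(\S+):(\d+)\s+TXID=(\d+)$")
def parse(text):
    """Return (source_port, txid) pairs; lines that do not match are ignored."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((int(m.group(2)), int(m.group(3))))
    return pairs

def assess(series):
    """Distinct count, spread, population stdev, and whether consecutive values
    step by one constant (0 = a fixed value, 1 = a plain counter)."""
    if len(series) < 2:
        return {"distinct": len(set(series)), "range": 0, "stdev": 0.0, "patterned": False}
    deltas = {b - a for a, b in zip(series, series[1:])}
    return {"distinct": len(set(series)), "range": max(series) - min(series),
            "stdev": statistics.pstdev(series), "patterned": len(deltas) == 1}

def verdict(text, min_stdev=1000.0):
    """Weak if ports or TXIDs are patterned or barely spread; <2 samples is inconclusive (weak)."""
    pairs = parse(text)
    port, txid = assess([p for p, _ in pairs]), assess([t for _, t in pairs])
    weak = len(pairs) < 2 or any(a["patterned"] or a["stdev"] < min_stdev for a in (port, txid))
    return {"samples": len(pairs), "port": port, "txid": txid, "weak": weak}

if __name__ == "__main__":
    print("page sample weak:", verdict(OBSERVED)["weak"], "| constructed weak:", verdict(WEAK_SAMPLE)["weak"])
```

A fixed source port with only the 16-bit TXID varying is the case the patches address, so a "patterned" port result matters more than the TXID one.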