From: Valentin Milev (V.Milevgovernment.bg)
Date: Wed Oct 31 2001 - 11:43:45 CST


    I have a similar problem - the cache file was replaced with 3 entries of 1
    address - free domain name registration and popup advertiser. Because I don't
    support these guys, I cannot find reasons for this problem (no one can tell me
    who the last people working on the server were). I think that it is the result of
    a Trojan or Java applet, but it's not a hack (the computer was behind a firewall,
    and I support more than 15 NT servers connected to the internet - the only
    affected machine was this one).

    The problem was resolved by replacing the cache file with a correct cache file (you
    can take it from your master DNS).

    Success!!!

    Alexandre Freire wrote:

    > Hello all ;
    >
    > I have had a problem in one of the companies I'm providing
    > consulting to. Two of the servers are running Windows NT 4.0 and someone has
    > changed the contents of the cache data. For a while (the time we spent to
    > discover the problem), the www was changed to another web site.
    >
    > Only the secondary DNS server was affected. The primary one was not changed.
    > I was trying to discover what could have happened when I realized that there
    > is a vulnerability in the Microsoft DNS Servers that could lead to cache
    > corruption.
    >
    > I've found some documents that explain the vulnerability, and all of them
    > instruct the creation of the following registry key to avoid the attack:
    >
    > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
    >
    > Value Name: SecureResponses
    > Data Type: REG_DWORD
    > Value: 1 (To eliminate non-secure data)
    >
    > Are there any additional procedures I can follow in order to avoid this kind of
    > attack? The server is running SP6a and I've applied the Microsoft Network
    > Security Hotfix Checker 3.2 in order to look for post-SP6a fixes I could
    > apply to fix the DNS problem, and it did not return any hotfix regarding this
    > issue.
    >
    > Thanks for attention.
    > Regards
    >
    > Alex.
    >
    > The following is a copy of the Incident Note published on CERT :
    >
    > CERT® Incident Note IN-2001-11
    > Cache Corruption on Microsoft DNS Servers
    >
    > Systems Affected
    > Microsoft Windows NT 4.0 and Windows 2000 systems running Microsoft DNS
    > Server
    >
    > I - Overview
    > The CERT/CC has received reports from sites experiencing cache corruption on
    > systems running Microsoft DNS Server. The default configuration of this
    > software allows data from malicious or incorrectly configured servers to be
    > cached in the DNS server. This corruption can result in erroneous DNS
    > information later being returned to any clients which use this server.
    >
    > II - Description
    > In the default configuration, Microsoft DNS server will accept bogus glue
    > records from non-delegated servers. These bogus records will be added to the
    > cache when a client attempts to resolve a particular hostname served by a
    > malicious or incorrectly configured DNS server. The client can be coerced to
    > request such a hostname as a result of an otherwise non-malicious piece of
    > HTML email (such as spam) or in banner advertisements on websites, to give
    > some examples.
    > Based on information contained in reports of this activity, there are sites
    > actively engaged in this deceptive DNS resolution. These reports indicate
    > that malicious DNS servers are providing bogus glue records for the generic
    > top-level domain servers (gtld-servers.net) potentially resulting in
    > erroneous results (e.g., failed resolution or redirection) for any DNS
    > request.
    >
    > More information about the problem can be found at
    > VU#109475 - Microsoft Windows NT and 2000 Domain Name Servers allow
    > non-authoritative RRs to be cached by default
    > http://www.kb.cert.org/vuls/id/109475
    >
    > Secure server cache against names pollution
    > http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm
    >
    > How to Prevent DNS Cache Pollution (Q241352)
    > http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP
    > http://msdn.microsoft.com/library/en-us/regentry/46753.asp
    >
    > Alex Freire, GCFW - Modulo Security Solutions
    > Rio de Janeiro - RJ - Brazil.
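
The CERT note above describes the defect in terms of "bogus glue records from non-delegated servers", and the SecureResponses value is described as rejecting such records. What that amounts to is a bailiwick check: a record in a response is only cacheable if its owner name lies inside the zone the responding server was delegated for. The following is an added example, not code from the original post and not Microsoft's implementation; it models that check on a constructed response. The record shape, the sample names and addresses, and the extra rule that an Additional-section record must also be pointed at by an in-bailiwick NS record (stricter than the SecureResponses description, which speaks only of the zone boundary) are assumptions made for the example.

```python
"""Bailiwick filter modelled on what SecureResponses=1 is described as doing.

Added example, not from the original thread or Microsoft's DNS server code.
It shows why a response that names a.gtld-servers.net while answering a
query for example.com must not be cached: the owner name is outside the
zone the responder was delegated for.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record, reduced to the fields the check needs."""
    name: str    # owner name
    rtype: str   # "A", "NS", ...
    data: str    # rdata as text (an address or a target name)


def _canon(name: str) -> str:
    """Lower-case a name and strip a trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it."""
    name, zone = _canon(name), _canon(zone)
    if zone == "":
        return True          # the root zone contains every name
    return name == zone or name.endswith("." + zone)


def secure_response(zone, answer, authority, additional):
    """Split a response into (kept, dropped); only `kept` is safe to cache.

    `zone` is the zone the responding server was delegated for.  Answer and
    Authority records must be in bailiwick.  Additional ("glue") records must
    be in bailiwick AND be the target of an NS record we already accepted,
    so a stray A record for some other zone's name server is never cached.
    """
    kept, dropped = [], []
    for rr in answer + authority:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    referenced = {_canon(rr.data) for rr in kept if rr.rtype == "NS"}
    for rr in additional:
        if in_bailiwick(rr.name, zone) and _canon(rr.name) in referenced:
            kept.append(rr)
        else:
            dropped.append(rr)
    return kept, dropped


# Constructed response to "www.example.com A?" from a server delegated for
# example.com.  The "com NS" and "a.gtld-servers.net A" records are the kind
# of out-of-bailiwick glue the CERT note warns about: if cached, every later
# .com lookup through this server could be steered to 203.0.113.66.
SAMPLE_ZONE = "example.com"
SAMPLE_ANSWER = [RR("www.example.com", "A", "192.0.2.10")]
SAMPLE_AUTHORITY = [
    RR("example.com", "NS", "ns1.example.com"),
    RR("com", "NS", "a.gtld-servers.net"),          # outside example.com
]
SAMPLE_ADDITIONAL = [
    RR("ns1.example.com", "A", "192.0.2.53"),        # legitimate glue
    RR("a.gtld-servers.net", "A", "203.0.113.66"),   # bogus glue for another zone
    RR("mail.example.com", "A", "192.0.2.25"),       # in zone, but no NS points at it
]


def demo():
    """Run the filter over the constructed response and return (kept, dropped)."""
    return secure_response(SAMPLE_ZONE, SAMPLE_ANSWER,
                           SAMPLE_AUTHORITY, SAMPLE_ADDITIONAL)


if __name__ == "__main__":
    kept, dropped = demo()
    for rr in kept:
        print("cache :", rr)
    for rr in dropped:
        print("reject:", rr)
```

Run as-is, the script keeps the www answer, the example.com NS record and its ns1.example.com glue, and rejects the com NS record, the a.gtld-servers.net address and the unreferenced mail.example.com record. The same rule explains the symptom both posters saw on NT 4.0: the only reason a record for an unrelated name could land in the cache is that the default server applied no zone-boundary check at all.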