DNS bug


Dan Kaminsky discovered a flaw in the foundations of the internet: DNS servers. Even though he kept silent about the details, an exploit was published on the internet. So if you want to be safe, visit his blog to check your DNS servers.

Without them everyone would have to maintain their own hosts file linking IP addresses to FQDNs (fully qualified domain names such as “blog.hbcom.info” or “www.google.com”). For more information about the DNS system check here.

There are a lot of discussions on the internet. Just a sample of them:

http://addxorrol.blogspot.com

Recovered from the Internet Archive: http://blogs.zdnet.com/security/?p=1546

(Thank you Rachel for the tip.)

http://rdist.root.org/2008/07/21/dns-novice-discovers-secret-flaw/

http://www.centos.org

and many more…

For me it is unclear how this flaw affects users behind a caching-only server. My understanding is that for the cache to be poisoned it has to accept the request first, so it could be done only by insiders. So the majority of users are not affected, and the flaw affects more ISPs and other similar setups.

Also we (users) should have more explanations, since it seems that all patches only randomize the source port of the request. If this is the solution there is no need to apply a patch; just change the configuration to randomize the ports.

Note: This is a serious flaw and nothing can be guaranteed.
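The patches discussed above randomize the source port of outgoing queries so that an off-path answer has to match both the 16-bit transaction ID and the port. A quick way to see whether a resolver actually does this is to sample the (source port, transaction ID) pairs of its outgoing queries and look at how the ports are spread. The following is an added example written for this post, not Kaminsky's test or any resolver's code; the samples are constructed, and the thresholds (at least 75 % distinct ports, spread over more than 1024 port numbers) are assumed heuristics, not a standard.

```python
"""Score how well a resolver randomizes its query source ports.

Input: a list of (source_port, transaction_id) pairs captured from the
resolver's outgoing queries (e.g. read from a packet capture). Output: a
small report with a verdict. The sample data below is constructed.
"""

# Assumed heuristics (not from the post): fewer distinct ports than this
# fraction of the samples, or all ports packed into a narrow range, means
# the resolver is reusing or incrementing ports instead of randomizing.
MIN_DISTINCT_FRACTION = 0.75
MIN_PORT_SPAN = 1024


def port_randomization_report(samples):
    """Return {'samples', 'distinct_ports', 'port_span', 'verdict'}.

    verdict is 'GOOD' when ports look random, 'POOR' when they look fixed
    or sequential (the pre-patch behaviour the post talks about).
    """
    ports = [port for port, _txid in samples]
    if not ports:
        raise ValueError("need at least one sample")
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    enough_distinct = distinct >= MIN_DISTINCT_FRACTION * len(ports)
    wide_enough = span >= MIN_PORT_SPAN
    verdict = "GOOD" if (enough_distinct and wide_enough) else "POOR"
    return {
        "samples": len(ports),
        "distinct_ports": distinct,
        "port_span": span,
        "verdict": verdict,
    }


# Constructed samples: a fixed-port resolver, a sequential-port resolver,
# and one whose ports are spread across the whole range.
FIXED_PORT = [(53, 0x1000 + i) for i in range(10)]
SEQUENTIAL_PORT = [(32768 + i, 0x2000 + i) for i in range(10)]
RANDOM_PORT = [(1025, 11), (40000, 12), (60001, 13), (2048, 14), (33123, 15),
               (50500, 16), (12345, 17), (65000, 18), (7777, 19), (29999, 20)]

if __name__ == "__main__":
    for name, data in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORT),
                       ("random", RANDOM_PORT)]:
        print(name, port_randomization_report(data))
```

Only the verdict matters for the question raised in the post: a resolver that reports POOR here still relies on the transaction ID alone, and the configuration change or patch has not taken effect.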

Today I was hit with a 0-day virus – ZBot/Backdoor.Paproxy, or whatever antivirus companies call it.

It came as an e-mail claiming to be from UPS (you can guess now why “UPS virus” is in quotes) and was a zip file with an executable inside. UPS_INVOICE_978172.zip to be exact, but there are several variants.

Usually what they have in common is the subject line “[RE] UPS Tracking Number” followed by a random number.

Most of the e-mails were detected (as spam) by the antivirus scanner on the mail gateway, but some reached end users.

To be honest, this one was really good at enticing them (the users) to open it, and some did…

This was no pleasant experience. Right away the PC rebooted and the trojan was installed.

The other problem was that only 2 companies were able to detect it this morning (the number increased to 13 by the afternoon).

After updated virus definitions from Symantec were installed, the backdoor was detected and removed.

Lesson learned: NEVER open an executable from an attachment.

Here you can see if your antivirus is up to date with that particular virus.

Another version…

UPDATE: There are new versions not yet recognized by Symantec. So follow the above lesson.

Site blog.hbcom.info is upgraded to the latest version 2.6 now.

After I manually rebooted my database server I received the following message in the mysql log:

[ERROR] /usr/libexec/mysqld: Incorrect key file for table <name of the table>.MYI’; try to repair it

The fix is relatively simple:

  1. Go to the MySQL console – mysql
  2. Point to the correct database – use <database name>
  3. Issue the command to repair – repair table <name of the table>
  4. Sit back and wait – it will take some time
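When more than one table may have been hit by the unclean reboot, it is easier to run CHECK TABLE over the database in batch mode and repair only what is actually reported as damaged. The following is an added example, not part of the original post: it parses the tab-separated output that `mysql --batch -e "CHECK TABLE ..."` produces (columns Table, Op, Msg_type, Msg_text) and generates the REPAIR TABLE statements for the tables whose status is not OK. The sample output and the database/table names in it are constructed.

```python
"""Turn CHECK TABLE batch output into the REPAIR TABLE statements needed.

Obtain the input with something like (real mysql client flags):
    mysql --batch -e "CHECK TABLE customers, orders" shop
--batch prints a header row followed by tab-separated rows. A healthy
table has one row with Msg_text 'OK'; a damaged MyISAM table has one or
more error rows instead. The sample below is constructed.
"""

# Constructed sample of what the check returns after a hard reboot.
CHECK_OUTPUT = (
    "Table\tOp\tMsg_type\tMsg_text\n"
    "shop.customers\tcheck\tstatus\tOK\n"
    "shop.orders\tcheck\terror\t"
    "Incorrect key file for table './shop/orders.MYI'; try to repair it\n"
    "shop.orders\tcheck\terror\tCorrupt\n"
)


def tables_needing_repair(batch_output):
    """Return the 'db.table' names whose CHECK TABLE result is not OK.

    Order is preserved and each table is listed once even if the check
    printed several error rows for it.
    """
    lines = batch_output.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split("\t")
    table_col = header.index("Table")
    msg_col = header.index("Msg_text")
    damaged = []
    for line in lines[1:]:
        cols = line.split("\t")
        if len(cols) <= max(table_col, msg_col):
            continue  # skip anything that is not a full result row
        if cols[msg_col] != "OK" and cols[table_col] not in damaged:
            damaged.append(cols[table_col])
    return damaged


def repair_statements(tables):
    """Build one REPAIR TABLE statement per damaged 'db.table' name.

    Identifiers are backtick-quoted; the names come from the server's own
    CHECK TABLE output, not from user input.
    """
    statements = []
    for name in tables:
        db, table = name.split(".", 1)
        statements.append(f"REPAIR TABLE `{db}`.`{table}`;")
    return statements


if __name__ == "__main__":
    for stmt in repair_statements(tables_needing_repair(CHECK_OUTPUT)):
        print(stmt)
```

The generated statements can be pasted into the mysql console exactly as in the steps above; REPAIR TABLE on a large MyISAM table still takes a while, so the waiting step does not go away.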