SV: [cobalt-security] Re: approved AXFR
- Subject: SV: [cobalt-security] Re: approved AXFR
- From: "Kai r. s., euroweb as" <kai@xxxxxxxxxx>
- Date: Wed, 30 Jan 2002 07:26:31 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
>> > };
> >
>
>
> Hi,
>
> This function is also available in the Cobalt DNS GUI. From the DNS
> Settings form (on any domain), select Server Settings from the
> Add droplist.
> Simply enter the allowed IP addresses, one per line, in the Zone Transfer
> Access field. Make sure to not have a blank line at the bottom of the
> field.
I got hacked twice after AXFR transfers to IPs I did not have on my allowed
list. It was about 8 months ago, and security people at Sun got my logs, because
the only thing in the logs that was not normal behavior was that in the days
before there were a lot of requests for AXFR transfers, and the Cobalt denied
some and allowed more, to a lot of IPs from Eastern Europe and one IP in
Holland.

My settings were correct in the GUI, and the only IPs that were allowed
were two name servers in my own network.

So how did it happen? A few months later I got the answer from someone who had
spotted that if you hit the Enter key after the last input in the Cobalt GUI
(like many do), then the Cobalt put a double character in the record,
and that was the reason these hackers somehow got AXFR transfers. After
typing these inputs over again without a line break at the end, I have never had
an AXFR allowed from an IP not in my allow list.

How they use AXFR transfers to get access, I don't know. But the transfers
started a few days before the hackers gained access.

Kai R S
euroweb as
> dAvid tHacker
> Thacker Network Technologies Inc.
> Cobalt@xxxxxxxxxxxxxx
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
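
The two checks this message points to, as an added example that is not part of the original post or of any Cobalt or BIND code: lint a one-address-per-line Zone Transfer Access field for a trailing blank line, and flag approved AXFR log entries whose source is not on the allow list. The function names, the BIND 8 style log wording matched by the pattern, and all sample addresses and log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed BIND 8 style syslog wording; adjust the pattern to your own named logs.
AXFR_RE = re.compile(
    r'\b(approved|unapproved) AXFR from \[([0-9a-fA-F.:]+)\]\.(\d+) for "([^"]+)"')

def parse_allow_field(text):
    """Split a one-address-per-line field into (valid_ips, problems)."""
    valid, problems = set(), []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        entry = raw.strip()
        if not entry:
            # The trailing-Enter case from the message: an empty last line.
            problems.append((lineno, "blank line"))
            continue
        try:
            valid.add(ipaddress.ip_address(entry))
        except ValueError:
            problems.append((lineno, "not an IP address: %r" % entry))
    return valid, problems

def unexpected_transfers(log_lines, allowed):
    """Return (ip, zone) for every approved AXFR whose source is not allowed."""
    hits = []
    for line in log_lines:
        m = AXFR_RE.search(line)
        if m and m.group(1) == "approved":
            src = ipaddress.ip_address(m.group(2))
            if src not in allowed:
                hits.append((str(src), m.group(4)))
    return hits

# Constructed sample data (documentation address ranges, not from the post).
FIELD_AS_SUBMITTED = "192.0.2.10\n192.0.2.11\n"  # Enter pressed after last entry
SAMPLE_LOG = [
    'Jan 29 03:10:01 ns1 named[412]: approved AXFR from [192.0.2.10].1031 for "example.com"',
    'Jan 29 03:12:44 ns1 named[412]: unapproved AXFR from [198.51.100.7].2210 for "example.com" (acl)',
    'Jan 29 03:12:59 ns1 named[412]: approved AXFR from [203.0.113.99].4410 for "example.com"',
]

if __name__ == "__main__":
    allowed, problems = parse_allow_field(FIELD_AS_SUBMITTED)
    for lineno, why in problems:
        print("allow list line %d: %s" % (lineno, why))
    for ip, zone in unexpected_transfers(SAMPLE_LOG, allowed):
        print("ALERT approved AXFR of %s to %s (not in allow list)" % (zone, ip))
```

Run the log check against the intended allow list rather than the generated configuration, so a transfer approved because of a malformed record still shows up as unexpected.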