Goin' Phishing

I've spend the past few days battling a cracker on our system, a nice change (in an intellectual capacity mind you) over the typical script kiddies I've had to clean up after.

We were first made aware of the issue with the following ticket:

XXXXXXXXXXXXX XXXXXX XXX…> Managed Security Service Provider…> on behalf of XXX XXXXX
Subject: Notification of redirection site using a wildcard in your DNS (Domain Name Service) (Phishing)
Dear Sirs,
The Urls http://XXXXXXXXXXXXXXXXXXX, with the only exception of http://XXXXXXXXXXXX, which is a website hosted at IP (Internet Protocol) address XXX.XXX.XXX.XXX, all redirect on a copy (phishing site) of XXXXXXXXX site, one of the banks of our group. It appears that your name server (DNS) is using a wildcard to redirect any Url in the form:
http://[something].XXXXXXXXXXXXXXXXX
to a phishing web site located at:
http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXX XXXXXX XXX, is assisting the group and its related entities in preventing or terminating any online activity that targets XXX XXXXXX clients for potential fraud. This activity violates XXX XXXXXX copyright, trademark and other intellectual property rights and may violate the criminal laws of the United States and other Nations.
E-mail messages have been broadly distributed to individuals by a person or entity pretending to be XXX XXXXX. These e-mails use XXX XXXXXX name and identity (including trademarks) without authorization.
The e-mails request recipients to verify and submit sensitive details related to their XXX XXXXX accounts. Within this message, there is a a hidden link that sends to a fraudulent web site displaying XXX XXXXXX copyrighted materials and trademarks.
The redirect mechanism shown above originates from a DNS server that is under your control. Its main purpose is to improperly obtain personal information of clients in order to illegally access their bank accounts.
The owners of these web sites typically perpetrate identity-theft related activities, such as using customers credit cards or bank accounts without authorization. Furthermore, since the vast majority of the e-mails are not sent to actual XXX XXXXX customers, these actions can damage the reputation and image of XXX XXXXX.
Please take all the necessary steps to immediately shut down the redirect web site, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this web site. We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.
Thank you for your cooperation to prevent and terminate this fraudulent activity.
Sincerely,…> XXXXXXXXXXXXX XXXXXX XXX…> Managed Security Service Provider…> on behalf of XXX XXXXX…> Email XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I won't say our DNS system is unique in the way it's set up. We have one master DNS server for all our zones (domains). The zones from this machine are pushed out to four DNS slave servers, two in one domain, the other two in another domain (and for illustrative purposes, I'll use example.net and example.org for the domains we use to resolve DNS for our customers). The four machines are split between two data centers, with one machine from each domain in each data center. The master is never queried from the internet; all Internet queries for our zone information go to the four slaves, and zones are pretty much equally divided between the two domains.

I check the master DNS server, and the zone in question has no DNS wildcard record [1]. I then check the slave DNS servers, and well:

>
```
$ORIGIN .
$TTL 598 ; 9 minutes 58 seconds
XXXXXXXX IN SOA ns1.example.net. root.ns1.example.net. (
2008101001 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
598 ; minimum (9 minutes 58 seconds)
)
NS XXXXXXXXXXXXXXXXX.
NS XXXXXXXXXXXXXXXXX.
A 10.11.224.198
MX 30 XXXXXXXXXXXXX.
$ORIGIN XXXXXXXX.
mail A 10.11.224.198
old A 10.11.224.226
www A 10.11.224.198
* A 192.168.1.15
```

(IP addresses have been changed to private IP addresses for illustrative purposes.)

The 10.11.224.x addresses are ours, but that 192.168.1.15 isn't. I know there have been some recent attacks against DNS and I assumed that the cracker in question may have exploited DNS to add the record. I upgraded all our DNS servers to the lastest version of bind [2], fixed the zone and called it a day. The only services on the slave DNS servers is DNS and SSH, so those are the only two things that could be compromised.

The next day, a reply to the ticket:

We are sorry to inform you that the redirect we described in the ticket is still working.
We kindly ask you to take action as quickly as possible to terminate it.
Thank you,
...

The zone on the master wasn't modified; it was modified on the slaves. I poke around some more, and notice that the updates for the compromised zone are being rejected by the slaves. It turns out the cracker had protected that zone using the Linux command chattr [3] to protect the file from changes. And that can only happen at the command line.

XXXX!

I never liked the “Nuke and Pave” approach to security issues, since without knowledge about how they got in, how do I know I fixed the exploit? And given that the cracker had only modified this one file meant the attack was narrowly focused on propping up a phishing site. So I changed the extended attributes on the file to allow updates, made sure the zone data was fixed, and went about my business trying to figure out how they got in.

Next day, the wildcard DNS record was back, but changes on the master (and the master was never compromised, only the slave DNS servers serving up this domain) again weren't showing up on the slaves. The extended attributes on the file on the slaves where normal, but then I noticed the attributes on the directory! They were modified, and the chattr program (along with grep) were deleted from the machine.

Nice.

I never did figure out how they got in, and it appeared they were persistent enough to keep coming back (which was odd—I would think that they would realize the jig was up and move on; also odd was the zone they picked—one of the more popular websites we host (lots of pictures of bikini-clad models). So it was clear the only answer was to “Nuke and Pave,” but until I got a chance to do that, I needed to do something on a box the cracker has root access to.

So, while bind couldn't modify the file, I could edit it directly. After about fifteen minutes of thinking, I came up with what I think was the perfect response—I didn't delete the wildcard DNS record, I modified it:

>
```
* IN A 127.0.0.1
```

Rationale: Obviously, each time I deleted the record, they came back to “fix” it. So they must have some sort of automated process to check, and getting rid of it triggered that process. Here, I haven't removed the record, just changed it to something useless for their purposes [4]. I was working on the assumption of their automated monitoring process to just check for the existance of the record and not the actual contents, so they wouldn't come back.

They didn't.

And in the meantime, I did the “Nuke and Pave” patch to security on the slaves. And not only did I update bind, but sshd and severely restricted who could log onto the DNS servers.

[1] http://en.wikipedia.org/wiki/Wildcard_DNS_record

[2] http://www.isc.org/products/BIND

[3] http://en.wikipedia.org/wiki/Chattr

[4] http://en.wikipedia.org/wiki/Localhost

Gemini Mention this post

Contact the author