Posted to dev@httpd.apache.org by Brian Behlendorf <br...@hyperreal.org> on 1998/03/19 06:09:29 UTC

www.apache.org DNS poisoning

Context: he wrote me asking why he was getting 403's when accessing the
site.  I looked through the logs and found only valid hits; he looked and
saw his DNS server were being poisoned through a hole fixed by current
versions of bind.  Good thing we sign our code distributions; though
there's even easier ways to corrupt the distributions if you're an official
apache mirror.  Anyways, just so's ya know.  Maybe we should reiterate the
use of checking the keys when downloading the distribution; we should
probably also start signing our binary distributions.

Or start using SSL only for distribution :)

	Brian

>Delivered-To: brian@hyperreal.org
>Date: Wed, 18 Mar 1998 23:58:44 -0500 (EST)
>From: "Justin M. Streiner" <st...@sgi.net>
>X-Sender: streiner@lurch.bv.sgi.net
>Reply-To: streiner@cluebyfour.org
>To: Brian Behlendorf <br...@hyperreal.org>
>Subject: Re: access to www.apache.org blocked?
>
>On Wed, 18 Mar 1998, Brian Behlendorf wrote:
>
>> All through Lynx, all status 200; no 403's.  Were you going through a proxy
>> server of some sort?
>
>No, sir.  However I think I've traced the problem to a DNS server which
>was still vulnerable to the cache-poisoning exploit (ISC-BIND 4.9.5).  A
>little digging showed that www.apache.org was redirected to 200.33.54.2,
>which identifies itself as xiomara.apache.org.mx and xiomara.msg.com.mx.
>HTTP connections to the document root of that machine return a 403.  I
>mistakenly assumed the real www.apache.org was returning a 403.  I've seen
>similar incidents before where high-traffic websites such as
>www.netscape.com were redirected to some site in Mexico.
>
>The affected DNS servers should be patched within the next day or so.
>Sorry to have bothered you without checking all of the facts beforehand.
>
>jms
>_j_m_streiner_______________________________________________________________
>sysadmin, News Thug, Net Lackey, Resident BOFH  -  Stargate Industries, LLC.
>                       mail: streiner at sgi dot net
>  -- High-volume newsfeeds and news solutions for corporations and ISPs --
>               mail "streiner-getkey@noc.sgi.net" for PGP Key
>            Stomp out Internet Spam!  http://spam.abuse.net/spam
>
>
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Optimism is a strategy for making                         brian@apache.org
a better future." - Noam Chomsky                        brian@hyperreal.org
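
Added example (not part of the original messages, and not Apache or BIND code): a check for the kind of redirect Justin describes, comparing the answers of several resolvers and testing whether the reverse names of a deviating address really sit under apache.org. The resolver names, the address 192.0.2.10 and its PTR name are constructed placeholders, and treating the majority answer as genuine is an assumption.

```python
from collections import Counter

def under_zone(hostname, zone):
    """True only if hostname is the zone or a label-aligned subdomain of it."""
    host = hostname.rstrip(".").lower().split(".")
    labels = zone.rstrip(".").lower().split(".")
    return len(host) >= len(labels) and host[-len(labels):] == labels

def audit(zone, answers, ptr_names):
    """answers: resolver -> set of A records; ptr_names: address -> PTR names.
    Returns (resolver, address, reason) for every answer that deviates."""
    # Assumption: the answer set most resolvers agree on is the genuine one.
    baseline = Counter(frozenset(a) for a in answers.values()).most_common(1)[0][0]
    findings = []
    for resolver, addrs in sorted(answers.items()):
        for addr in sorted(set(addrs) - baseline):
            in_zone = any(under_zone(p, zone) for p in ptr_names.get(addr, []))
            reason = "minority answer" if in_zone else "minority answer, PTR outside zone"
            findings.append((resolver, addr, reason))
    return findings

# Constructed sample data. 200.33.54.2 and its two names are quoted in the
# thread; the resolver names, 192.0.2.10 and its PTR name are placeholders.
ANSWERS = {
    "resolver-a.example": {"192.0.2.10"},
    "resolver-b.example": {"192.0.2.10"},
    "resolver-c.example": {"200.33.54.2"},
}
PTR_NAMES = {
    "192.0.2.10": ["www.apache.org"],
    "200.33.54.2": ["xiomara.apache.org.mx", "xiomara.msg.com.mx"],
}

if __name__ == "__main__":
    # A substring test is fooled by the look-alike name; the label test is not.
    print("apache.org" in "xiomara.apache.org.mx")
    print(under_zone("xiomara.apache.org.mx", "apache.org"))
    for finding in audit("apache.org", ANSWERS, PTR_NAMES):
        print(finding)
```

A PTR name under the zone is not proof of legitimacy, since whoever holds the address controls its reverse DNS; the check only helps triage a deviating answer.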

Re: www.apache.org DNS poisoning

Posted by Marc Slemko <ma...@worldgate.com>.

Grumble.

I would be more interested in tracking the source of it.  But, if he
restarted the DNS server the records will be gone.

On Wed, 18 Mar 1998, Brian Behlendorf wrote:

> 
> Context: he wrote me asking why he was getting 403's when accessing the
> site.  I looked through the logs and found only valid hits; he looked and
> saw his DNS server were being poisoned through a hole fixed by current
> versions of bind.  Good thing we sign our code distributions; though
> there's even easier ways to corrupt the distributions if you're an official
> apache mirror.  Anyways, just so's ya know.  Maybe we should reiterate the
> use of checking the keys when downloading the distribution; we should
> probably also start signing our binary distributions.
> 
> Or start using SSL only for distribution :)
> 
> 	Brian
> 
> >Delivered-To: brian@hyperreal.org
> >Date: Wed, 18 Mar 1998 23:58:44 -0500 (EST)
> >From: "Justin M. Streiner" <st...@sgi.net>
> >X-Sender: streiner@lurch.bv.sgi.net
> >Reply-To: streiner@cluebyfour.org
> >To: Brian Behlendorf <br...@hyperreal.org>
> >Subject: Re: access to www.apache.org blocked?
> >
> >On Wed, 18 Mar 1998, Brian Behlendorf wrote:
> >
> >> All through Lynx, all status 200; no 403's.  Were you going through a proxy
> >> server of some sort?
> >
> >No, sir.  However I think I've traced the problem to a DNS server which
> >was still vulnerable to the cache-poisoning exploit (ISC-BIND 4.9.5).  A
> >little digging showed that www.apache.org was redirected to 200.33.54.2,
> >which identifies itself as xiomara.apache.org.mx and xiomara.msg.com.mx.
> >HTTP connections to the document root of that machine return a 403.  I
> >mistakenly assumed the real www.apache.org was returning a 403.  I've seen
> >similar incidents before where high-traffic websites such as
> >www.netscape.com were redirected to some site in Mexico.
> >
> >The affected DNS servers should be patched within the next day or so.
> >Sorry to have bothered you without checking all of the facts beforehand.
> >
> >jms
> >_j_m_streiner_______________________________________________________________
> >sysadmin, News Thug, Net Lackey, Resident BOFH  -  Stargate Industries, LLC.
> >                       mail: streiner at sgi dot net
> >  -- High-volume newsfeeds and news solutions for corporations and ISPs --
> >               mail "streiner-getkey@noc.sgi.net" for PGP Key
> >            Stomp out Internet Spam!  http://spam.abuse.net/spam
> >
> >
> >
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> "Optimism is a strategy for making                         brian@apache.org
> a better future." - Noam Chomsky                        brian@hyperreal.org
>