Hello there,
As you may have noticed, Zeeblo and all of the sites hosted on the server were inaccessible and redirected to the website tbh.jp, which is the website of the culprit responsible for the attack. I'm lucky that I just so happened to visit Zeeblo when I noticed that there was definitely something wrong, and I immediately investigated the issue until I found that we were supposedly under a DNS cache poisoning attack. After a few minutes, I found that there was a problem with multiple connections to the server's FTP port from an IP which we have now blocked from all of our servers. Hopefully, in future, we will not have any attacks to this extent.
For those of you who aren't familiar with DNS cache poisoning attacks, here's some more info:
########################################################################
## What exactly is DNS cache poisoning?
########################################################################
Basically, it is a method for an attacker to change the IP address that a
hostname resolves to. For instance, the hostname www.cisco.com points to
the IP address 198.133.219.25. A DNS cache poisoning attack allows an
attacker to change the IP address for a host/domain and point it to a
different IP address.
If the above paragraph didn't make any sense, then take a step back and
understand that DNS (Domain Name System) is the method by which you can
resolve a human name like www.google.com into an IP address. An IP
address is a computer's unique location on the Internet. For a very
good explanation of how the global DNS system works, refer to this
article:
http://computer.howstuffworks.com/dns.htm/printable
Second, you must understand that most end-users on the Internet use a
DNS server that is close to them (at their ISP or within their
organization's firewalls) to lookup names for them. For performance
reasons, these DNS servers cache the returned data so that it takes less
time to respond to the next client. If there is a vulnerability or
misconfiguration in the software on these DNS servers, then the cache
poisoning attack is possible. When a victim DNS cache is poisoned, the
attacker will be affecting ALL future lookups of any domain name he
chooses for ALL users of that DNS server. Large ISPs may have thousands
of users referencing a single DNS resolver. So an attack against a
resolver could affect thousands of users, without those users having
done anything wrong.
Here is how the attack works. First, there needs to be a trigger that
forces the victim site's DNS server to query the evil DNS server. There
are several ways to accomplish this. A couple of easy methods are
e-mail to a non-existent user (which will generate an NDR to the source
domain), spam e-mail with an external image, banner ads served from
another site, or perhaps triggering it from a bot network or installed
base of spyware.
Once the trigger executes, the victim's site DNS server queries the evil
DNS server. The attacker includes extra information in the DNS reply
packet. In both attacks, the reply packets contained root entries for
the entire .COM domain. If your DNS server is not configured properly,
then it will accept the new entries for .COM and delete the proper
entries for the Verisign servers (who runs the .COM domain). Once this
has occurred, any future queries that your DNS server makes for .COM
addresses will go to the malicious DNS server. The server can give you
any address it wants. In this attack, any hostname that you request is
returned with a couple of IP addresses that are running a webserver and
attempting to exploit client-side bugs in Internet Explorer to install
spyware.
It is important to note that this attack could be used to hijack other
domain roots besides .COM, like .NET, .ORG, or the country TLDs like .CA
or .DE. The attacker could hijack all of them. A smart attacker would
potentially just hijack specific hostnames and then return the correct
information for all other queries. This type of attack would not be as
noticeable and could potentially be very dangerous.
SOURCE:
http://isc.sans.org/presentations/dnspoisoning.php
I'm glad to let you guys know that we have everything under control and the problem has been fixed. If you continue to experience any problems, please do let me know.
We're very sorry for the inconvenience caused by this attack, but we assure you that this sort of attack will not happen again on our servers, and if it just so happens that it does, we will always be there to get it fixed in time.
Yours sincerely,
Zeeblo Staff
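The misconfiguration the quoted SANS text describes (a resolver that accepts the extra .COM entries carried in a reply about some unrelated name, overwriting the legitimate ones) and the check that prevents it, as an added example that is not part of the Zeeblo post or the SANS write-up it quotes. It is a small Python simulation of two caching resolvers: a naive one that stores every record it receives, and one that applies a "bailiwick" check, keeping only records whose owner name lies inside the zone the answering server is authoritative for. All names, IP addresses and records in it are constructed sample data, not values from the incident.

```python
"""Bailiwick check for cached DNS records, shown as a simulation.

Added example, not code from the Zeeblo post or from the SANS write-up.
A caching resolver asks an upstream server about one name and gets back
the answer plus "extra" records (the mechanism the quoted text describes).
A naive cache stores everything; a cache with a bailiwick check keeps only
records whose owner name falls inside the zone the queried server serves.
All names, IPs and records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "www.example.test."
    rtype: str  # record type, "A" or "NS" here
    data: str   # IP address for A, hostname for NS


def normalize(name: str) -> str:
    """Lower-case and force a single trailing dot so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or a name below it.

    A server answering for "example.test." has no business telling the
    resolver where "com." or "otherdomain.test." live.
    """
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":
        return True  # the root servers may legitimately speak about anything
    return owner == zone or owner.endswith("." + zone)


class NaiveCache:
    """Stores every record in a reply: the misconfiguration the text warns about."""

    def __init__(self) -> None:
        # Constructed pre-seeded entry standing in for the legitimate .COM
        # nameserver the resolver already knows about.
        self.records = {("com.", "NS"): "ns.legit-com.test."}

    def ingest(self, reply: list, zone: str) -> None:
        for rr in reply:
            self.records[(normalize(rr.name), rr.rtype)] = rr.data

    def lookup(self, name: str, rtype: str):
        return self.records.get((normalize(name), rtype))


class BailiwickCache(NaiveCache):
    """Same cache, but out-of-zone records are dropped before storing."""

    def ingest(self, reply: list, zone: str) -> None:
        for rr in reply:
            if in_bailiwick(rr.name, zone):
                self.records[(normalize(rr.name), rr.rtype)] = rr.data
            # else: discarded; a production resolver would also log the event


# Constructed sample reply: the resolver asked the example.test. nameserver
# for www.example.test. and got the real answer plus a bogus NS record
# claiming that a host in example.test. serves the entire "com." zone.
SAMPLE_REPLY = [
    RR("www.example.test.", "A", "192.0.2.10"),   # legitimate answer
    RR("com.", "NS", "ns1.example.test."),         # out of bailiwick
    RR("ns1.example.test.", "A", "192.0.2.99"),   # in bailiwick (glue)
]


def simulate(cache_cls) -> dict:
    """Feed the sample reply to a cache and report what later lookups see."""
    cache = cache_cls()
    cache.ingest(SAMPLE_REPLY, zone="example.test.")
    return {
        "www": cache.lookup("www.example.test.", "A"),
        "com_ns": cache.lookup("com.", "NS"),
    }


if __name__ == "__main__":
    print("naive cache    :", simulate(NaiveCache))
    print("bailiwick cache:", simulate(BailiwickCache))
```

Running it shows the naive cache now sends every future .COM lookup to the attacker's server, exactly the outcome the quoted text describes, while the bailiwick cache keeps its legitimate .COM entry and still caches the genuine answer for www.example.test.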