[Emerging-Sigs] SIG - Idea and RFC for localhost.some.tld - Requests

waldo kitty wkitty42 at windstream.net
Tue Oct 12 15:16:46 EDT 2010


On 10/12/2010 08:44, Mex wrote:
>
> lately, using dnsmap to enumerate some client-systems i came across
> an interesting vuln from one local hosting-provider; beside servers
> they also provide dns-administration and access to dns-records
> and if you create a new zonefile for a domain they add an entry for
>
> localhost    IN A 127.0.0.1
>
> that validates localhost.somedomain.tld to 127.0.0.1
>
> this behavior might lead to nice little attacks, especially
> on multiuser/terminalserver - systems, according to [1]

i've seen returns like this for several years... back before i learned to never 
trust domain names in log files, i used to see "localhost" quite often in my 
server logs... of course it always set me up and got me hunting for problems on 
my servers until i realized that it was being returned from the IP's domain 
lookup... it didn't take long for me to turn off logging of domain names in my 
logs and only log IPs... since then, i've had hundreds, over time, that a domain 
name lookup on the IP returned "localhost" with no other domain elements...

i've always attributed this to the skiddies having control over their dns 
servers for the IPs in question and that they have been doing this specifically 
as a way to hide from those who do like i used to do and log the domain names 
instead of the IPs...

i just went hunting for an example that i saw in my stuff the other day but it 
has already elapsed from the blocking list... i was going to ask if what i was 
seeing is what you are referring to... i guess i'll have to wait for another one 
to come by and alert me ;)
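An audit for the zone entry quoted above (`localhost IN A 127.0.0.1`), as an added example that is not part of the original thread: it scans zone-file text and reports every A/AAAA record under a public origin that points at a loopback address. The function name, the `example.test` zone and its records are constructed for illustration; the parser assumes one record per line and numeric TTLs.

```python
import ipaddress

# Constructed sample zone for the placeholder domain example.test.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@          IN SOA ns1 hostmaster 2010101201 3600 900 604800 3600
@          IN NS  ns1
ns1        IN A   192.0.2.53
www        IN A   192.0.2.80
localhost  IN A   127.0.0.1
dev   300  IN A   127.0.0.53
lo6        IN AAAA ::1
"""

def loopback_records(zone_text):
    """Return [(fqdn, rtype, address)] for A/AAAA records that point at loopback."""
    origin, last_owner, findings = "", "@", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop trailing comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].rstrip(".")
            continue
        if fields[0].startswith("$"):             # $TTL and other directives
            continue
        # A line that starts with whitespace reuses the previous owner name.
        if raw[0].isspace():
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        # Skip the optional TTL and class tokens that precede the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:                        # malformed address, not our concern here
            continue
        if not addr.is_loopback:                  # 127.0.0.0/8 or ::1
            continue
        fqdn = (origin if owner == "@" else owner.rstrip(".") if owner.endswith(".")
                else f"{owner}.{origin}".rstrip("."))
        findings.append((fqdn, fields[0].upper(), str(addr)))
    return findings

if __name__ == "__main__":
    print(*loopback_records(SAMPLE_ZONE), sep="\n")
```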

