
DNS hacked


knucklebusted
10-30-2001, 06:56 PM
Strange things happened today. It took a minute to get a handle on it but I'm under the impression that my DNS was hacked or possibly root servers. Now, without being specific about my site, here are the details as I am still finding them out.

1) Some of my DNS servers (internal and external) had at least one entry at the top of the root servers list for something called NS.ZFREEHOST.COM and NS2.ZFREEHOST.COM

2) This DNS was bogus and apparently usurped for itself authoritative control for .COM

3) This DNS server returned only one address for any query, 130.94.139.201

4) Any non-cached DNS entry pointed a user to this web page which generated a 404 error page with 4 pornographic images and links

Has anyone else had dealings with this type of problem? I doubt I'm alone in this problem. These servers run NT 4.0, SP5 (probably need SP6?) and only MS-DNS. The router ahead of them protects them from most ports with the exception of DNS.

Any thoughts would be welcome. Hopefully this will clue someone in if they are having strange DNS issues.
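The two symptoms in the post (a non-root name listed as NS for "." in the root hints, and a server that hands back one address for every query) are both mechanically checkable. The script below is an added example, not code from the thread or from Microsoft; it assumes the root hints are in BIND-style zone-file syntax (the format of MS-DNS's cache.dns), takes the official a-m.root-servers.net names as the only legitimate NS for ".", and uses a constructed sample file that reproduces the NS.ZFREEHOST.COM / 130.94.139.201 entries from the post plus invented filler records. The `resolve` callable passed to `probe_resolver` is an assumption: the caller supplies whatever asks the suspect server (the fake one here always answers 130.94.139.201).

```python
"""Audit a root-hints file and a resolver for two hijack symptoms:
1. something other than a root server listed as NS for "." (with its glue);
2. a resolver that answers every name, including impossible ones, with one address.
Added example; file format, sample data and the resolve() callable are assumptions."""
import re

# The thirteen root servers, a through m; taken from the public root-servers.net
# naming, not from the forum post.
ROOT_SERVERS = frozenset(f"{c}.root-servers.net." for c in "abcdefghijklm")

# One RR per line: owner [ttl] [class] type rdata  (BIND / MS-DNS cache.dns style).
_RR = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>NS|A)\s+(?P<rdata>\S+)", re.I)

# Constructed sample. The ZFREEHOST lines mirror the post; the rest is filler.
SAMPLE_CACHE_DNS = """\
; root hints (constructed sample, not a real cache.dns)
.                      3600000  IN  NS  NS.ZFREEHOST.COM.
.                      3600000  IN  NS  NS2.ZFREEHOST.COM.
.                      3600000  IN  NS  A.ROOT-SERVERS.NET.
.                      3600000  IN  NS  B.ROOT-SERVERS.NET.
NS.ZFREEHOST.COM.      3600000  IN  A   130.94.139.201
NS2.ZFREEHOST.COM.     3600000  IN  A   130.94.139.201
A.ROOT-SERVERS.NET.    3600000  IN  A   198.41.0.4
"""


def _fqdn(name):
    """Normalise a name to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_hints(text):
    """Return (owner, type, rdata) for every NS and A record in zone-file text."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip comments and whitespace
        m = _RR.match(line) if line else None
        if not m:
            continue                              # SOA/$TTL/other types are ignored
        rtype = m.group("type").upper()
        rdata = m.group("rdata")
        if rtype == "NS":
            rdata = _fqdn(rdata)
        records.append((_fqdn(m.group("owner")), rtype, rdata))
    return records


def audit_root_hints(text):
    """Flag NS names for "." that are not root servers, list their glue addresses,
    and report which genuine root servers are absent from the file."""
    records = parse_hints(text)
    root_ns = {rdata for owner, rtype, rdata in records
               if owner == "." and rtype == "NS"}
    rogue_ns = sorted(root_ns - ROOT_SERVERS)
    rogue_glue = {owner: rdata for owner, rtype, rdata in records
                  if rtype == "A" and owner in rogue_ns}
    return {"rogue_ns": rogue_ns,
            "rogue_glue": rogue_glue,
            "missing_roots": sorted(ROOT_SERVERS - root_ns)}


def probe_resolver(resolve, names):
    """resolve(name) -> set of IP strings, asked of the suspect server (assumed
    callable). `names` should mix real hosts with names that cannot exist; if every
    one of them comes back as the same single address, return that address,
    otherwise None. A healthy resolver returns NXDOMAIN (empty set) for the fakes."""
    answers = {frozenset(resolve(n)) for n in names}
    if len(answers) == 1:
        (only,) = answers
        if len(only) == 1:
            return next(iter(only))
    return None


# Constructed stand-in for a hijacked server: one address for everything.
FAKE_HIJACKED = lambda name: {"130.94.139.201"}

# Constructed stand-in for a healthy server: answers a real name, NXDOMAIN otherwise.
FAKE_HEALTHY = lambda name: {"192.0.2.1"} if name == "www.example.com" else set()

PROBE_NAMES = ["www.example.com", "definitely-not-registered-q8f2k.com"]

if __name__ == "__main__":
    print(audit_root_hints(SAMPLE_CACHE_DNS))
    print("hijacked ->", probe_resolver(FAKE_HIJACKED, PROBE_NAMES))
    print("healthy  ->", probe_resolver(FAKE_HEALTHY, PROBE_NAMES))
```

On a live box, feed `audit_root_hints` the contents of the DNS server's cache.dns and hand `probe_resolver` a function that queries the suspect server directly (any resolver library that lets you pick the target server will do); a non-empty `rogue_ns` or a non-None probe result is the evidence to carry into the post-mortem.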

knucklebusted
11-01-2001, 09:52 AM
Nobody? Nothing? I'm feeling like the lone ranger here.

L0uis
11-02-2001, 01:24 PM
It sounds like you probably were compromised. There's a load of different hacks for MS-DNS... I'd recommend replacing the machine ASAP (if you can), with something a little more recent. Then running a post-mortem on the suspected compromised machine.

If it's a work machine, that's a perfect reason to get upper mgmt to approve upgrading the old NS. Also, I'd thoroughly scour Microsoft's Knowledge base. Chances are, you missed a service pack, as well as a patch or two (or three) for DNS Server.

Regards,

-l

__
"insanity takes a toll ... please have correct change."


PS: (BIND all the way, baby. :))