Yes, but it’s not necessarily as simple as having full ssh access or something like that. Plus getting data out by DNS queries is probably much harder to detect than something like sftp or http posts.
Comment on Why is DNS often joked about in the I.T. Industry?
archomrade@midwest.social 3 months agoI’m trying to digest this
You’re saying he was stealing data from the target server by appending it line-by-line to dns requests sent to his nameserver? Wouldn’t he have needed to both be on the target server and already have access to the data?
JackbyDev@programming.dev 3 months ago
PlexSheep@infosec.pub 3 months ago
Could be used to exfiltrate data when you only can make commands, but not see their output. There might be other and easier exfiltration possibilities then, but this is a creative solution that uses a very common protocol and will probably be available on any machine.
IphtashuFitz@lemmy.world 3 months ago
Our web servers are locked down in such a way that you can’t copy data off of them using standard protocols like scp, ftp, and even http, etc. Our firewall blocks all such outbound traffic.
This hacker found a bug in a framework used on our web servers that let him execute commands remotely. When commands to copy data off the server failed using those more typical methods he switched to a more novel (and difficult) method of leveraging DNS instead. He discovered we weren’t locking DNS down the same way we were locking other protocols down and used that as a way to extract data from our server.
archomrade@midwest.social 3 months ago
Ah, ok, that makes sense! So there was a separate bug in the framework that granted him limited remote access, but because the server had tight control over outbound connections he had to use a novel way of getting the data back out
Basically: He crawled in through the sewer and then robbed the bank one stack of bills at a time via pigeon courier.