Re: [Full-Disclosure] Dig SCO?

From: Mary Landesman (mlande_at_bellsouth.net)
Date: 02/02/04

    To: "Robert Guess" <rguess@cox.net>, <full-disclosure@lists.netsys.com>
    Date: Mon, 2 Feb 2004 09:18:12 -0500
    
    

    Initially, SCO was DoS'd. Then they removed the DNS entry. In any event, all
    but one of the menu links I checked on http://sco.com point to www.sco.com.
    SCO has also created a new domain, www.thescogroup.com. The link problem
    persists, pointing to www.sco.com. (Note that I did not check all of them,
    or even the majority of them - I simply went through and randomly selected
    various menu items and they all happened to point to www.sco.com.)

    It's like a false front on a building. It looks pretty, but no one's home.

    -- Mary

    ----- Original Message -----
    From: "Robert Guess" <rguess@cox.net>
    To: <full-disclosure@lists.netsys.com>
    Sent: Sunday, February 01, 2004 11:20 PM
    Subject: [Full-Disclosure] Dig SCO?

    I don't.

    Currently there is (predictably) a lot of disinformation in the media
    about this "DoS Attack". There have been a number of posts about the
    www.sco.com server(s) being unavailable or the "domain" being
    unavailable. We did not have to read the "news" to get the story... we
    could have used dig. Everyone on this list is probably familiar with
    DNS terminology and tools but for those who are not, try "dig any
    sco.com" and you should get something like this:

    ; <<>> DiG 9.2.1 <<>> any sco.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18734
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 8

    ;; QUESTION SECTION:
    ;sco.com. IN ANY

    ;; ANSWER SECTION:
    sco.com. 172459 IN NS c7ns1.center7.com.
    sco.com. 172459 IN NS ns.calderasystems.com.
    sco.com. 172459 IN NS ns2.calderasystems.com.
    sco.com. 172459 IN NS nsca.sco.com.
    sco.com. 1696 IN SOA ns.calderasystems.com. hostmaster.caldera.com. 2004020103 3600 900 604800 1800

    ;; AUTHORITY SECTION:
    SCO.COM. 172459 IN NS c7ns1.center7.com.
    SCO.COM. 172459 IN NS ns.calderasystems.com.
    SCO.COM. 172459 IN NS ns2.calderasystems.com.
    SCO.COM. 172459 IN NS nsca.sco.com.

    ;; ADDITIONAL SECTION:
    c7ns1.center7.com. 172459 IN A 216.250.142.20
    ns.calderasystems.com. 172459 IN A 216.250.130.1
    ns2.calderasystems.com. 172459 IN A 216.250.130.5
    nsca.sco.com. 172459 IN A 132.147.210.253
    c7ns1.center7.com. 172459 IN A 216.250.142.20
    ns.calderasystems.com. 172459 IN A 216.250.130.1
    ns2.calderasystems.com. 172459 IN A 216.250.130.5
    nsca.sco.com. 172459 IN A 132.147.210.253

    ;; Query time: 3 msec
    ;; SERVER: w.x.y.z
    ;; WHEN: Sun Feb 1 9:49:22 2004
    ;; MSG SIZE rcvd: 371

    Notice the missing A record that should map the name www to something?
    The additional section will probably feature a "www" A record after the
    12th (unless someone modifies Mydoom to persist beyond that date).
    Based upon what I know of MyDoom this was probably the best solution (in
    terms of taking the load off of ISPs and backbone segments). I don't
    feel sorry for SCO but I cannot see any way for this "virus" to benefit
    the open source or free software communities.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
