RE: browser redirection to forward.domainname.at
From: Lane Weast (lweast@leeclerk.org) Date: 02/26/02
- Previous message: Don Wolf: "Re: browser redirection to forward.domainname.at"
- Maybe in reply to: Matthew.van.Eerde@hbinc.com: "browser redirection to forward.domainname.at"
- Next in thread: Evans, TJ: "RE: browser redirection to forward.domainname.at"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Lane Weast <lweast@leeclerk.org> To: focus-ms@securityfocus.com Date: Tue, 26 Feb 2002 16:25:34 -0500
Looks like it's not the first time for them either. Also reported on the
17th.
Found this with a Google search on 212.69.172.16
FW: Hack - DNS cache poisoning resurfacing
http://archives.neohapsis.com/archives/incidents/2002-01/0133.html
[hi there,
[
[We obviously got some cache poisoning recently.
[FYI: we are using MS DNS.
[Anyone got the same problems???
[
[I've seen nothing on our IDS...
[
[PS: I CCed dnsmaster@ns3.domainname.at just to check if he's aware of
[this...
[
[here's the stuff:
[It looks definitely like the old DNS cache poisoning trick:
[
[> HERE:
[>
[> C:\WINDOWS>ping www.vmyths.com
[>
[> Pinging www.vmyths.com [212.69.172.16] with 32 bytes of data:
[>
[> Reply from 212.69.172.16: bytes=32 time=97ms TTL=241
[> Reply from 212.69.172.16: bytes=32 time=43ms TTL=241
[> Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
[> Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
[>
[> Ping statistics for 212.69.172.16:
[> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
[> Approximate round trip times in milli-seconds:
[> Minimum = 27ms, Maximum = 97ms, Average = 48ms
[>
[> THERE:
[>
[> www.vmyths.com
[> Name: vmyths.com
[> Address: 216.217.111.18
[> Aliases: www.vmyths.com
[>
[> let's see if this comes from some poisoning and so on...
[>
[> if we look the SOA records from a distant site, we get this:
[>
[> > set q=SOA
[> > vmyths.com
[> vmyths.com
[> origin = dns9.register.com
[> mail addr = root.register.com
[> serial = 2000011705
[> refresh = 10800 (3H)
[> retry = 86400 (1D)
[> expire = 604800 (1W)
[> minimum ttl = 3600 (1H)
[> vmyths.com nameserver = dns9.register.com
[> vmyths.com nameserver = dns10.register.com
[>
[> whereas if we look at them from our point of view:
[>
[> > set q=SOA
[> > vmyths.com
[> vmyths.com
[> origin = ns3.domainname.at
[> mail address = dnsmaster.ns3.domainname.at
[> serial = 1009665720
[> refresh = 1800 (30M)
[> retry = 600 (10M)
[> expire = 1800 (30M)
[> minimum ttl = 1800 (30M)
[>
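The check the forwarded message performs by hand with nslookup (the SOA of vmyths.com as seen from a distant resolver versus the SOA the local resolver hands back) can be scripted so it runs against every zone you care about. The block below is an added example, not code from the original post or from anyone quoted in the thread. It builds a raw SOA query, parses the answer with compression-pointer support, and lists the SOA fields on which a reference server and the local resolver disagree. The sample responses are constructed here to reproduce the two SOA views quoted above; `query_soa` is the only part that touches the network and assumes the servers answer on UDP port 53.

```python
"""Compare a local resolver's SOA for a zone against a reference server.
Added example for this thread; not part of the original post."""
import socket
import struct

SOA = 6   # RR type
IN = 1    # RR class


def _encode_name(name):
    # "vmyths.com" -> b"\x06vmyths\x03com\x00"
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(data, off):
    # Decode a name at offset `off`, following RFC 1035 compression pointers.
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def build_soa_query(zone, txid=0x1234):
    # Standard query, recursion desired, one question, type SOA class IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(zone) + struct.pack("!HH", SOA, IN)


def parse_soa_response(data):
    # Return the first SOA RR of the answer section as a dict, or None.
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = _read_name(data, off)
        off += 4
    for _ in range(an):
        owner, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == SOA:
            mname, p = _read_name(data, off)
            rname, p = _read_name(data, p)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", data[p:p + 20])
            return dict(owner=owner, ttl=ttl, mname=mname, rname=rname, serial=serial,
                        refresh=refresh, retry=retry, expire=expire, minimum=minimum)
        off += rdlen
    return None


def encode_soa_response(txid, zone, mname, rname, serial, refresh, retry, expire, minimum, ttl=3600):
    # Build a response the way a server would; used to construct offline samples.
    rdata = (_encode_name(mname) + _encode_name(rname)
             + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(zone) + struct.pack("!HH", SOA, IN)
    # owner name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, ttl, len(rdata)) + rdata
    return header + question + answer


def query_soa(zone, server, timeout=3.0):
    # Live UDP query; returns the parsed SOA or raises on a transaction-id mismatch.
    q = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_soa_response(data)


def soa_discrepancies(reference, local):
    # Fields whose disagreement means the local cache holds a copy of the zone
    # that did not come from the zone's own servers.
    return [k for k in ("mname", "rname", "serial") if reference.get(k) != local.get(k)]


def check_zone(zone, reference_server, local_resolver):
    return soa_discrepancies(query_soa(zone, reference_server), query_soa(zone, local_resolver))


def sample_pair():
    # Constructed samples reproducing the two SOA views quoted in the thread.
    ref = encode_soa_response(1, "vmyths.com", "dns9.register.com", "root.register.com",
                              2000011705, 10800, 86400, 604800, 3600)
    loc = encode_soa_response(1, "vmyths.com", "ns3.domainname.at", "dnsmaster.ns3.domainname.at",
                              1009665720, 1800, 600, 1800, 1800)
    return parse_soa_response(ref), parse_soa_response(loc)


if __name__ == "__main__":
    reference, local = sample_pair()
    print("differing SOA fields:", soa_discrepancies(reference, local))
```

Run with the sample data the script reports `mname`, `rname` and `serial` all differing, which is the signature the thread describes; a clean resolver returns an empty list. In production, point `check_zone` at one of the zone's listed nameservers as the reference and schedule it, since a short TTL like the 30-minute one above means a poisoned entry can come and go between manual checks.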