Re: Major DNS cache poisoning at Verisign/WorldNIC

From: Brian McWilliams (bmcw@attbi.com)
Date: 03/20/02


Date: Wed, 20 Mar 2002 13:17:54 -0500
To: "Matthew F. Caldwell" <mattc@guarded.net>, <incidents@securityfocus.com>
From: Brian McWilliams <bmcw@attbi.com>

More on this here:

http://www.newsbytes.com/news/02/175343.html

Excerpt:

A security breach Tuesday involving Verisign's Network Solutions unit
disrupted potentially thousands of domain customers, company officials
confirmed today.

Attackers compromised a system that hosted thousands of "parked" domains
that had been registered through Network Solutions and were still under
construction, according to a Verisign representative.

Web surfers who typed in the address of any of the affected domains were
sent to a black page which featured an image of a mutilated rag doll and
the words, "Did Web Pirates domain your domain?"

The system, which was running Microsoft's Internet Information Server (IIS)
on Windows 2000, was operated by Atlanta-based hosting firm Interland under
an outsourcing agreement, according to Verisign spokesperson Pat Burns.

[snip]

Brian

At 02:18 PM 3/19/2002, Matthew F. Caldwell wrote:
>Just to let everyone know, there has been some major DNS cache poisoning
>going on at Verisign apparently done by some Brazilians ("Web Pirates")
>for web site defacements. If you're parking your DNS at worldnic.com
>(netsol/verisign) you might want to see if your site has been redirected to
>64.225.154.175 (owned by Interland of Atlanta) using random DNS servers.
>
>Don't you love UDP.
>
>Matthew F. Caldwell, CISSP
>Chief Security Officer
>GuardedNet, Inc
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
