.com cache / domain hijacking?
From: Vanish Pattni (DSL AK) (VanishP_at_datacom.co.nz)
Date: 09/21/03
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Date: Sun, 21 Sep 2003 14:50:34 +1200
Hi,
This might be just us but today our cache entries for the .com domain
changed rather mysteriously from the usual verisign ones to the following:
;; QUESTION SECTION:
;com. IN NS
;; ANSWER SECTION:
com. 21428 IN NS ns2.hi2000.com.
com. 21428 IN NS ns1.hi2000.com.
;; ADDITIONAL SECTION:
ns2.hi2000.com. 21425 IN A 61.175.199.134
ns1.hi2000.com. 21424 IN A 61.175.199.133
The two ns1 and ns2 entries here are some machines in China -- unless
verisign has moved their gtld's recently. Has anyone come across this? Our
machine is a patched NT server running MS DNS server. Is there a new exploit
out that I have possibly missed?
I checked with other name servers around NZ and they seem all right --
perhaps this is platform dependent or something.
Vanish Pattni
Network and Security Analyst
Datacom Systems Limited
New Zealand