.com cache / domain hijacking?

From: Vanish Pattni (DSL AK) (VanishP_at_datacom.co.nz)
Date: 09/21/03

  • Next message: irado furioso com tudo: "Re: Transparent firewall for DMZ"
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Date: Sun, 21 Sep 2003 14:50:34 +1200

    Hi,

    This might be just us but today our cache entries for the .com domain
    changed rather mysteriously from the usual Verisign ones to the following:

    ;; QUESTION SECTION:
    ;com. IN NS

    ;; ANSWER SECTION:
    com. 21428 IN NS ns2.hi2000.com.
    com. 21428 IN NS ns1.hi2000.com.

    ;; ADDITIONAL SECTION:
    ns2.hi2000.com. 21425 IN A 61.175.199.134
    ns1.hi2000.com. 21424 IN A 61.175.199.133

    The two ns1 and ns2 entries here are some machines in China -- unless
    Verisign has moved their gTLDs recently. Has anyone come across this? Our
    machine is a patched NT server running MS DNS server. Is there a new exploit
    out that I have possibly missed?

    I checked with other name servers around NZ and they seem all right --
    perhaps this is platform dependent or something.

    Vanish Pattni
    Network and Security Analyst
    Datacom Systems Limited
    New Zealand
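The check the poster did by hand (comparing a resolver's cached NS set for com. against the known Verisign servers) can be scripted as a detection. The following is an added example, not code from the original post or from Datacom: it parses dig-style output like the one quoted above and flags any NS record for the zone that is not in an expected allow-list, reporting the glue address that came with it. The expected set (a.gtld-servers.net through m.gtld-servers.net) is an assumption for the com. zone and should be refreshed from the root zone rather than hard-coded in production; the sample outputs are constructed, with the poisoned one copied from the post.

```python
import re

# Assumed allow-list of authoritative servers for the com. zone
# (a-m.gtld-servers.net). Keep this current from the root zone; it is
# an assumption here, not a frozen fact.
EXPECTED_COM_NS = {f"{c}.gtld-servers.net." for c in "abcdefghijklm"}

# Matches one resource record line as dig prints it: owner TTL IN TYPE RDATA
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")

# Constructed sample: the cache contents quoted in the post above.
POISONED_DIG = """
;; QUESTION SECTION:
;com. IN NS

;; ANSWER SECTION:
com. 21428 IN NS ns2.hi2000.com.
com. 21428 IN NS ns1.hi2000.com.

;; ADDITIONAL SECTION:
ns2.hi2000.com. 21425 IN A 61.175.199.134
ns1.hi2000.com. 21424 IN A 61.175.199.133
"""

# Constructed sample of a healthy answer (addresses are placeholders).
HEALTHY_DIG = """
;; ANSWER SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.0.2.1
b.gtld-servers.net. 172800 IN A 192.0.2.2
"""


def parse_dig(text):
    """Return the NS set and the glue A records found in dig output.

    Comment lines (starting with ';') and blank lines are skipped, so the
    QUESTION section and headers are ignored. Names are lower-cased because
    DNS names compare case-insensitively.
    """
    ns, glue = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        if rtype == "NS":
            ns.add(rdata.lower())
        else:
            glue[owner.lower()] = rdata
    return {"NS": ns, "A": glue}


def check_tld_ns(text, expected=EXPECTED_COM_NS):
    """Flag cached NS records for the zone that are outside the allow-list.

    Returns a dict with 'ok' (True when every NS is expected), the sorted
    list of unexpected server names, and the glue address cached for each
    unexpected name (None when no glue was present).
    """
    parsed = parse_dig(text)
    unexpected = parsed["NS"] - expected
    return {
        "ok": not unexpected,
        "unexpected": sorted(unexpected),
        "glue": {name: parsed["A"].get(name) for name in sorted(unexpected)},
    }


if __name__ == "__main__":
    for label, sample in (("poisoned", POISONED_DIG), ("healthy", HEALTHY_DIG)):
        result = check_tld_ns(sample)
        status = "OK" if result["ok"] else "ALERT"
        print(f"{label}: {status} unexpected={result['unexpected']} glue={result['glue']}")
```

Run against the live resolver by feeding it the output of `dig @<resolver> com. NS`; a non-empty `unexpected` list for a TLD is a strong signal that the cache holds records the authoritative servers never handed out, and the glue addresses tell you where queries for the whole zone are currently being sent. Comparing the same query against an independent resolver, as the poster did with other NZ name servers, confirms whether the problem is local to one cache.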


