funsec mailing list archives

NANOG: DNS Hijacking by Cox


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Sun, 22 Jul 2007 22:07:02 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not sure what the reasoning is here, but perhaps geared towards
addressing botnet joins?

FYI.

- - ferg


[forwarded message]

Date: Sun, 22 Jul 2007 14:56:13 -0700
From: "Andrew Matthews" <exstatica () gmail com>
To: nanog () merit edu
Subject: DNS Hijacking by Cox


It looks like Cox is hijacking DNS for IRC servers.


bash2-2.05b$ nslookup
server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
irc.vel.net
Server:         68.6.16.30
Address:        68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144




server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
irc.vel.net
Server:         ns1.vel.net
Address:        207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2

It looks like they are using it to clean drones; when you connect to
their fake IRC server you get force-joined into a channel.

#martian_
        [INFO]  Channel view for "#martian_" opened.
        -->|    YOU (andrew.m) have joined #martian_
        =-=     Mode #martian_ +nt by localhost.localdomain
        =-=     Topic for #martian_ is ".bot.remove"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is ".remove"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is ".uninstall"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is "!bot.remove"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is "!remove"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is "!uninstall"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        <Marvin_>       .bot.remove
        <Marvin_>       .remove
        <Marvin_>       .uninstall
        <Marvin_>       !bot.remove
        <Marvin_>       !remove


Isn't there a law against hijacking DNS? What can I do to pursue this?


[snip]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)

wj8DBQFGo9UBq1pz9mNUZTMRAvvqAJ47g7BX6hrujP30Y6vtJi/TJXJVGACdEKFd
Gvb745HFCfsYlXPgkULTAwo=
=SWc7
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
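
The comparison made by hand in the forwarded message (ISP resolver answer versus the zone's own name server) can be automated. The following is an added example, not part of the original post: it parses the nslookup transcript copied from the message and flags names whose resolver answer shares no address with the authoritative one. The function names `parse_answers` and `divergent_names` are hypothetical.

```python
import re

# nslookup transcript copied from the forwarded message above.
TRANSCRIPT = """\
server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
irc.vel.net
Server:         68.6.16.30
Address:        68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144
server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
irc.vel.net
Server:         ns1.vel.net
Address:        207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2
"""

def parse_answers(text):
    """Return {(server, name): set(addresses)} from nslookup output."""
    answers, server, name = {}, None, None
    for line in text.splitlines():
        m = re.match(r"(Default server|Server|Name|Address):\s*(\S+)", line)
        field, value = m.groups() if m else (None, None)
        if field in ("Default server", "Server"):
            server, name = value, None   # new block; next Address is the server's own
        elif field == "Name":
            name = value
        elif field == "Address" and name:
            answers.setdefault((server, name), set()).add(value)
    return answers

def divergent_names(text, authoritative):
    """Names where another resolver's answer shares no address with the authoritative one."""
    answers = parse_answers(text)
    flagged = {}
    for (server, name), addrs in answers.items():
        truth = answers.get((authoritative, name))
        if server != authoritative and truth and not (addrs & truth):
            flagged[name] = {"resolver": server, "got": addrs, "expected": truth}
    return flagged
```

A mismatch on its own is only a lead: geo-DNS, CDN load balancing and stale caches also make a recursive answer differ from a single authoritative query, so confirm against every authoritative server and the record's TTL before treating it as rewriting.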

