funsec mailing list archives
NANOG: DNS Hijacking by Cox
From: "Paul Ferguson" <fergdawg () netzero net>
Date: Sun, 22 Jul 2007 22:07:02 GMT
Not sure what the reasoning is here, but perhaps geared towards addressing botnet joins?

FYI.

- ferg

[forwarded message]

Date: Sun, 22 Jul 2007 14:56:13 -0700
From: "Andrew Matthews" <exstatica () gmail com>
To: nanog () merit edu
Subject: DNS Hijacking by Cox

It looks like Cox is hijacking DNS for IRC servers.

bash2-2.05b$ nslookup
server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
irc.vel.net
Server: 68.6.16.30
Address: 68.6.16.30#53

Name: irc.vel.net
Address: 70.168.71.144
server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
irc.vel.net
Server: ns1.vel.net
Address: 207.182.224.10#53

Name: irc.vel.net
Address: 64.161.255.2

It looks like they are using it to clean drones. When you connect to their fake IRC server you get force-joined into a channel.

#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove

Isn't there a law against hijacking DNS? What can I do to pursue this?

[snip]

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
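The comparison made in the forwarded message (the ISP resolver's answer against the answer from the zone's own name server) can be automated over saved nslookup transcripts. The following is an added example, not part of the original post; `parse_answers` and `divergent` are hypothetical names, and the caller is assumed to know which server is authoritative for the zone.

```python
import re

# Constructed from the nslookup session quoted in the post (prompts omitted).
SESSION = """server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
irc.vel.net
Server: 68.6.16.30
Address: 68.6.16.30#53
Name: irc.vel.net
Address: 70.168.71.144
server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
irc.vel.net
Server: ns1.vel.net
Address: 207.182.224.10#53
Name: irc.vel.net
Address: 64.161.255.2
"""

FIELD = re.compile(r"(Server|Name|Address):\s*(\S+)$")

def parse_answers(transcript):
    """Return {queried name: {responding server: set of answer addresses}}."""
    answers, server, name = {}, None, None
    for line in transcript.splitlines():
        m = FIELD.match(line.strip().lstrip("> "))
        if not m:
            continue                       # commands, banners, blank lines
        key, value = m.groups()
        if key == "Server":
            server, name = value, None     # a new response begins
        elif key == "Name":
            name = value.rstrip(".").lower()
        elif name and server and "#" not in value:  # "addr#port" is the resolver itself
            answers.setdefault(name, {}).setdefault(server, set()).add(value)
    return answers

def divergent(answers, authoritative):
    """List (name, server, got, expected) where a resolver shares no address with
    the authoritative answer. A lead, not proof: round-robin and geo-DNS differ."""
    out = []
    for name, by_server in answers.items():
        truth = set().union(*(a for s, a in by_server.items() if s in authoritative))
        for server, got in by_server.items():
            if server not in authoritative and truth and not got & truth:
                out.append((name, server, sorted(got), sorted(truth)))
    return out
```

Calling `divergent(parse_answers(SESSION), {"ns1.vel.net"})` flags `irc.vel.net` as answered differently by 68.6.16.30 than by the zone's name server.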
Current thread:
- NANOG: DNS Hijacking by Cox Paul Ferguson (Jul 22)