[97947] in North American Network Operators' Group


RE: DNS Hijacking by Cox

daemon@ATHENA.MIT.EDU (Raymond L. Corbin)
Sun Jul 22 19:05:30 2007

Date: Sun, 22 Jul 2007 19:04:07 -0400
From: "Raymond L. Corbin" <rcorbin@hostmysite.com>
To: "Andrew Matthews" <exstatica@gmail.com>, <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu


Hey

Well, I suppose that would get rid of some of the script kiddies' bots on their network...

http://www.dslreports.com/forum/remark,12922412
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

Though...I cannot think of another means to achieve their goal. However, I wonder how they generated what records to point to their servers. Is it simply anything with irc.*? I suppose it would stop the script kiddies if they didn't use their own unique DNS and specified a different port in the config before compiling. Typically zombies are set to listen to the topic commands in order to either continue a DDoS attack or like scan for other hosts to infect. This would prevent the bots from getting a valid command to start scanning or DDoS, or in this case .remove would remove the bot from their customers' computers (unless the default command character was changed), so I suppose it gets what they want, DDoSes to not originate in their network + XDCC bots being created from zombies etc etc, credit card, zombie bots can be set to listen for PayPal information and credit card information etc...but at the same time causing problems for their customers who legitimately use IRC. If weighed, I believe their problems with DDoS bots are weighted more heavily than the few who legitimately use IRC. I suppose they can always use like psyBNC to connect to IRC.

I agree with their goal but not really the means they are using to reach their goal. If they are going to manipulate DNS to do this...how far will they go with other problems?


Raymond Corbin
Support Analyst
HostMySite.com


(sorry if this posted twice...Outlook froze on me :( )


-----Original Message-----
From: owner-nanog@merit.edu on behalf of Andrew Matthews
Sent: Sun 7/22/2007 5:56 PM
To: nanog@merit.edu
Subject: DNS Hijacking by Cox

It looks like Cox is hijacking DNS for IRC servers.


bash2-2.05b$ nslookup
> server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
> irc.vel.net
Server:         68.6.16.30
Address:        68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144

> server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
> irc.vel.net
Server:         ns1.vel.net
Address:        207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2

It looks like they are using it to clean drones: when you connect to
their fake IRC server you get force-joined into a channel.

#martian_
	[INFO]	Channel view for "#martian_" opened.
	-->|	YOU (andrew.m) have joined #martian_
	=-=	Mode #martian_ +nt by localhost.localdomain
	=-=	Topic for #martian_ is ".bot.remove"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is ".remove"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is ".uninstall"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is "!bot.remove"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is "!remove"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is "!uninstall"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	<Marvin_>	.bot.remove
	<Marvin_>	.remove
	<Marvin_>	.uninstall
	<Marvin_>	!bot.remove
	<Marvin_>	!remove


Isn't there a law against hijacking DNS? What can I do to pursue this?
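
The check the two nslookup runs above make by hand, written up as a script. This is an added example and not part of the original post: it strips the answer records out of nslookup output, compares what a suspect resolver returns for a name with what an authoritative server for the zone returns, and can run live (nslookup NAME SERVER, network required) or offline against the two transcripts from the post, which are embedded as constructed sample input. The function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not from the post): flag a recursive resolver whose answer
# for a name differs from the answer the zone's own nameserver gives, which is
# the comparison the two nslookup runs above make by hand for irc.vel.net.

# Keep only the answer records from nslookup output. nslookup prints the
# resolver it asked as "Address: 1.2.3.4#53" before the "Name:" line, so only
# "Address:" lines after "Name:" are records. Output is a sorted, space-separated
# list so record order alone cannot cause a false mismatch.
nslookup_answers() {
    awk '/^Name:/ { in_answer = 1; next }
         in_answer && /^Address:/ { print $2 }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 when two nslookup transcripts resolve to the same address set,
# 1 when they differ. Arguments are the transcripts themselves.
answers_agree() {
    a=$(printf '%s\n' "$1" | nslookup_answers)
    b=$(printf '%s\n' "$2" | nslookup_answers)
    [ "$a" = "$b" ]
}

# Live check (needs network): query the suspect resolver and an authoritative
# server directly (nslookup NAME SERVER) and compare. Exit 1 on a mismatch so
# the script can be driven from a loop or a cron job.
check_name() {
    name=$1 resolver=$2 authoritative=$3
    suspect=$(nslookup "$name" "$resolver" 2>/dev/null)
    truth=$(nslookup "$name" "$authoritative" 2>/dev/null)
    if answers_agree "$suspect" "$truth"; then
        printf 'OK    %s via %s -> %s\n' "$name" "$resolver" \
            "$(printf '%s\n' "$truth" | nslookup_answers)"
        return 0
    fi
    printf 'DIFF  %s via %s -> %s (authoritative %s says %s)\n' \
        "$name" "$resolver" "$(printf '%s\n' "$suspect" | nslookup_answers)" \
        "$authoritative" "$(printf '%s\n' "$truth" | nslookup_answers)"
    return 1
}

# Constructed sample input: the two transcripts from the post, so the
# comparison can be exercised offline.
COX_RESOLVER_OUTPUT='Server:         68.6.16.30
Address:        68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144'

AUTHORITATIVE_OUTPUT='Server:         ns1.vel.net
Address:        207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2'

if [ "$#" -eq 3 ]; then
    check_name "$1" "$2" "$3"        # e.g. irc.vel.net 68.6.16.30 ns1.vel.net
elif answers_agree "$COX_RESOLVER_OUTPUT" "$AUTHORITATIVE_OUTPUT"; then
    echo "resolver and authoritative server agree"
else
    echo "resolver rewrote irc.vel.net:" \
        "$(printf '%s\n' "$COX_RESOLVER_OUTPUT" | nslookup_answers)" \
        "vs authoritative $(printf '%s\n' "$AUTHORITATIVE_OUTPUT" | nslookup_answers)"
fi
```

Run with no arguments to see the offline comparison of the two transcripts; `sh check.sh irc.vel.net 68.6.16.30 ns1.vel.net` repeats the post's check live. One caveat before treating a mismatch as proof of rewriting: zones served through a CDN or with geo-aware answers legitimately hand different addresses to different askers, so a DIFF is a lead to confirm, for instance by asking more than one of the zone's authoritative servers and by checking whether the address the resolver returned sits in the ISP's own address space rather than the zone owner's.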

