[13353] in bugtraq
Re: Anyone can take over virtually any domain on the net...
daemon@ATHENA.MIT.EDU (Jon Lewis)
Fri Jan 14 22:55:30 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10001131352260.1229-100000@redhat1.mmaero.com>
Date: Thu, 13 Jan 2000 13:55:36 -0500
Reply-To: jlewis@LEWIS.ORG
From: Jon Lewis <jlewis@LEWIS.ORG>
X-To: Thomas Reinke <reinke@E-SOFTINC.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <387C10B6.28C86A0F@e-softinc.com>
On Wed, 12 Jan 2000, Thomas Reinke wrote:
> At first I thought this had to be a joke. After thinking
> about it, I realized that its no joke at all, and in
> fact quite easy to do.
>
> Step 1: Send a spoofed email to Network solutions requesting
> a DNS change to your own DNS server.
>
> Step 2: Wait for a short while (the amount of time it normally
> takes Network Solutions to send out a confirmation
> email request)
>
> Step 3: Send a second spoofed email confirming the request.
Steps 2 and 3 aren't even necessary if you're good at forging email. Just
send a properly forged message claiming to be either the admin or
technical contact for the domain being modified, and NetSlo will make it
so. If you care about your domains, you should switch to using either
crypt-pw or PGP. I'd heard their PGP system was often broken, so I've
been using crypt-pw for nearly a year.
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| Spammers will be winnuked or
System Administrator | nestea'd...whatever it takes
Atlantic Net | to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
