Dailydave mailing list archives

RE: Scam artists, your web browser, and you


From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 10 May 2006 17:26:35 +0100

On 10 May 2006 15:50, Dave Aitel wrote:

Today I tried to order some tickets from Miami-Heat-Tickets.com (also
known as Platinumeventsinc.com). 

  As far as I can see, m-h-t.com doesn't sell tickets, it just has three links
to external websites.  Which one were you using? 

(also known as Platinumeventsinc.com)

  Where'd you get this from?  WHOIS doesn't suggest any linkage that I can
see.  Nor could I find any evidence of a connection between the two from the
DNS.

  What I *did* discover/remember, OTOH, is that directnic are a bunch of
dns-wildcarding arseholes, and if you've entered "server ns1.directnic.com."
into an nslookup session, it will forge responses to all subsequent
requests...  Example: here we go and look up the dns names of those two
websites.

--------------------------------<snip!>--------------------------------
dk@rainbow ~> nslookup
Default Server:  nutmeg.cam.artimi.com
Address:  192.168.1.3

set type=ANY
miami-heat-tickets.com.
Server:  nutmeg.cam.artimi.com
Address:  192.168.1.3

Non-authoritative answer:
miami-heat-tickets.com  nameserver = ns1.pstring.com
miami-heat-tickets.com  nameserver = ns2.pstring.com
server ns1.pstring.com.
Default Server:  ns1.pstring.com
Addresses:  24.173.253.175, 67.79.39.62

miami-heat-tickets.com.
Server:  ns1.pstring.com
Addresses:  24.173.253.175, 67.79.39.62

miami-heat-tickets.com  MX preference = 0, mail exchanger =
miami-heat-tickets.com
miami-heat-tickets.com
        primary name server = ns1.pstring.com
        responsible mail addr = spamtravis.gmail.com
        serial  = 2005121901
        refresh = 14400 (4 hours)
        retry   = 7200 (2 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 86400 (1 day)
miami-heat-tickets.com  nameserver = ns1.pstring.com
miami-heat-tickets.com  nameserver = ns2.pstring.com
miami-heat-tickets.com  internet address = 24.173.253.175
miami-heat-tickets.com  internet address = 24.173.253.175
platinumeventsinc.com.
Server:  ns1.pstring.com
Addresses:  24.173.253.175, 67.79.39.62

Non-authoritative answer:
platinumeventsinc.com   nameserver = ns1.directnic.com
platinumeventsinc.com   nameserver = ns0.directnic.com

platinumeventsinc.com   nameserver = ns0.directnic.com
platinumeventsinc.com   nameserver = ns1.directnic.com
ns0.directnic.com       internet address = 204.251.10.100
ns1.directnic.com       internet address = 209.16.87.100


--------------------------------<snip!>--------------------------------

  But what would have happened if we'd tried that in the opposite order?

--------------------------------<snip!>--------------------------------
server 192.168.1.3
Default Server:  [192.168.1.3]
Address:  192.168.1.3

set type=ANY
platinumeventsinc.com.
Server:  [192.168.1.3]
Address:  192.168.1.3

Non-authoritative answer:
platinumeventsinc.com   nameserver = ns0.directnic.com
platinumeventsinc.com   nameserver = ns1.directnic.com

ns1.directnic.com       internet address = 209.16.87.100
ns0.directnic.com       internet address = 204.251.10.100
server ns0.directnic.com.
Default Server:  ns0.directnic.com
Address:  204.251.10.100

platinumeventsinc.com.
Server:  ns0.directnic.com
Address:  204.251.10.100

platinumeventsinc.com
        primary name server = ns0.directnic.com
        responsible mail addr = hostmaster.ns0.directnic.com
        serial  = 1016666435
        refresh = 28800 (8 hours)
        retry   = 14400 (4 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
platinumeventsinc.com   nameserver = ns0.directnic.com
platinumeventsinc.com   nameserver = ns1.directnic.com
platinumeventsinc.com   internet address = 206.251.184.40
platinumeventsinc.com   MX preference = 10, mail exchanger =
iris1.directnic.com 
platinumeventsinc.com   MX preference = 10, mail exchanger =
iris2.directnic.com 

iris1.directnic.com     internet address = 204.251.10.81
iris2.directnic.com     internet address = 204.251.10.82
ns0.directnic.com       internet address = 204.251.10.100
ns1.directnic.com       internet address = 209.16.87.100
miami-heat-tickets.com.
Server:  ns0.directnic.com
Address:  204.251.10.100

miami-heat-tickets.com  MX preference = 0, mail exchanger =
iris1.directnic.com 
miami-heat-tickets.com  internet address = 204.251.15.175
miami-heat-tickets.com  MX preference = 10, mail exchanger =
iris2.directnic.com 

(root)  nameserver = ns0.directnic.com
(root)  nameserver = ns1.directnic.com
iris1.directnic.com     internet address = 204.251.10.81
iris2.directnic.com     internet address = 204.251.10.82
ns0.directnic.com       internet address = 204.251.10.100
ns1.directnic.com       internet address = 209.16.87.100

--------------------------------<snip!>--------------------------------

  At least they don't claim to hold the SOA.  That would actually be
fraudulent, as opposed to merely wrong/incorrect/dishonest.  OTOH, you do
need to have memorized your default DNS server's IP address, because once
you've set your server to directnic, there's no way to set it back from a
named lookup.  Note in this example how it poses as my own internal dns
server when I try to set it back to the default:

--------------------------------<snip!>--------------------------------
dk@rainbow ~> nslookup
Default Server:  nutmeg.cam.artimi.com
Address:  192.168.1.3

set type=ANY
www.microsoft.com.
Server:  nutmeg.cam.artimi.com
Address:  192.168.1.3

Non-authoritative answer:
www.microsoft.com       canonical name = toggle.www.ms.akadns.net
server ns0.directnic.com.
Default Server:  ns0.directnic.com
Address:  204.251.10.100

www.microsoft.com.
Server:  ns0.directnic.com
Address:  204.251.10.100

www.microsoft.com       MX preference = 0, mail exchanger =
iris1.directnic.com 
www.microsoft.com       internet address = 204.251.15.175
www.microsoft.com       MX preference = 10, mail exchanger =
iris2.directnic.com 

(root)  nameserver = ns0.directnic.com
(root)  nameserver = ns1.directnic.com
iris1.directnic.com     internet address = 204.251.10.81
iris2.directnic.com     internet address = 204.251.10.82
ns0.directnic.com       internet address = 204.251.10.100
ns1.directnic.com       internet address = 209.16.87.100
www.directnic.sucks.donkeysbollocks.com.
Server:  ns0.directnic.com
Address:  204.251.10.100

www.directnic.sucks.donkeysbollocks.com MX preference = 0, mail exchanger =
iris1.directnic.com
www.directnic.sucks.donkeysbollocks.com internet address = 204.251.15.175
www.directnic.sucks.donkeysbollocks.com MX preference = 10, mail exchanger =
iris2.directnic.com
(root)  nameserver = ns0.directnic.com
(root)  nameserver = ns1.directnic.com
iris1.directnic.com     internet address = 204.251.10.81
iris2.directnic.com     internet address = 204.251.10.82
ns0.directnic.com       internet address = 204.251.10.100
ns1.directnic.com       internet address = 209.16.87.100
server nutmeg.cam.artimi.com.
Default Server:  nutmeg.cam.artimi.com
Address:  204.251.15.175

rainbow.cam.artimi.com.
Server:  nutmeg.cam.artimi.com
Address:  204.251.15.175
--------------------------------<snip!>--------------------------------

...which then of course breaks your session because the web-parking host does
not run a name server.[*]

  Needless to say, the host at 204.251.15.175:80 doesn't complain when you
send a GET request with a Host: header for a hostname that the machine has no
right to answer for, and delivers you up one of those bogus search/directory
sites.  I couldn't find any simple way to inject script through the Host:
header....


    cheers,
      DaveK

[*] - Yes, I already *know* my sense of humour is not terribly mature! ;)
--
Can't think of a witty .sigline today....
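As an added example (not part of Dave Korn's post, and not code from directnic or anyone else the post names), here is a small standard-library-only Python probe for the behaviour the nslookup sessions above show. It parses DNS wire-format replies and flags three things: a positive answer for a name outside the zones actually delegated to the server, NS records for the root that name the server itself, and one and the same A address handed back for every unrelated name. The delegated-zone set is an input you supply from WHOIS or the parent's NS set; the sample packet is constructed to mirror the post's output (A 204.251.15.175 for anything, root NS pointing at ns0/ns1.directnic.com), not a captured packet.

```python
"""Probe a name server for catch-all ("wildcard") answers like those in the
nslookup sessions above: one A address for any name, plus NS records for the
root that point at itself.  Added example, not from the post; stdlib only."""
import random, socket, struct
TYPE_A, TYPE_NS = 1, 2

def encode_name(name):
    """Dotted name -> DNS wire labels; "" or "." encodes the root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (off if end is None else end)

def _read_rr(msg, off):
    name, off = _read_name(msg, off)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen].hex()               # raw unless A or NS
    if rtype == TYPE_A and rdlen == 4:
        rdata = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype == TYPE_NS:
        rdata = _read_name(msg, off)[0]
    return (name, rtype, rdata), off + rdlen

def build_query(qname, qtype=TYPE_A, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        questions.append(qname)
        off += 4                                      # skip qtype + qclass
    resp = {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        resp[section] = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            resp[section].append(rr)
    return resp

def forgery_indicators(resp, delegated_zones):
    """Reasons a reply looks forged; delegated_zones = what the parent really
    delegates to this server (assumed input: check WHOIS or the parent's NS)."""
    qname = resp["questions"][0] if resp["questions"] else "."
    in_zone = any(qname == z or qname.endswith("." + z) for z in delegated_zones)
    reasons = []
    if resp["rcode"] == 0 and resp["answer"] and not in_zone:
        reasons.append(f"positive answer for {qname}, outside its delegated zones")
    for name, rtype, rdata in resp["authority"]:
        if rtype == TYPE_NS and name == ".":
            reasons.append(f"claims to be a root name server: {rdata}")
    return reasons

def shared_address(responses):
    """The one A address every reply carries, else None (catch-all sign)."""
    sets = [{rd for _, t, rd in r["answer"] if t == TYPE_A} for r in responses]
    if sets and all(len(s) == 1 and s == sets[0] for s in sets):
        return next(iter(sets[0]))
    return None

def query(server_ip, qname, qtype=TYPE_A, timeout=3.0):
    """One UDP query straight to server_ip (live use; not exercised offline)."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, txid), (server_ip, 53))
        data = s.recv(4096)
    resp = parse_response(data)
    if resp["id"] != txid:                            # reject spoofed replies
        raise ValueError("transaction id mismatch")
    return resp

def _rr(name, rtype, rdata, ttl=86400):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_forged_response(qname, txid=0x1234):
    """CONSTRUCTED packet mirroring the post: A 204.251.15.175 for whatever is
    asked, AA clear, and root NS records naming ns0/ns1.directnic.com."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 2, 0)     # QR RD RA
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = _rr(qname, TYPE_A, bytes([204, 251, 15, 175]))
    authority = (_rr(".", TYPE_NS, encode_name("ns0.directnic.com"))
                 + _rr(".", TYPE_NS, encode_name("ns1.directnic.com")))
    return header + question + answer + authority
```

To run it live, call query() against the server's address for a few random labels under a name it cannot legitimately own (for example under .invalid) and hand the replies to forgery_indicators() and shared_address(); query() checks the transaction id because UDP replies are easy to spoof. The post's point about the SOA maps onto the AA flag here: the constructed sample leaves it clear, so only the out-of-zone answer and the root NS claims trip the checks.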

