Full Disclosure mailing list archives
Re: Using domain whois information for fun and profit
From: "Response Team" <lolirt () gmail com>
Date: Mon, 27 Feb 2006 16:13:06 -0600
You do realize that Windows, the OS that runs most of the computers on Earth, does not have a native whois tool. Anyway... As someone else pointed out, this has already been reported but apparently I missed it. The evil side of <script> in Whois info: It still is an interesting way to get traffic to your site, or to do a phishing scheme. For example, you could target customers of a particular registrar by linking to whois.php?query=malicious_domain_whois.com on their server. Use the <script> tag to open a popup requesting the user to update their domain registration information. The parent URL in their browser is correct and they are at a site they have done business with in the past. Every "average Joe" user with a blog wants their own domain name. Being threatened by email to update their contact information or lose the domain is enough to get many of them to click. Also, if people will fill in their paypal information on www.hacked-website/vulnerable/guestbook/www.paypal- verify.com/thieves.php, why wouldn't they fill it in on a site they trust? Getting the registrar's client list would take some time, but using a botnet to do distributed whois gathering would give you all of the information you need. A whois record usually shows who the registrar is and the owner contact information. Sending a spoofed email out domain owner addresses of people who have registered domains under a specific registrar would be trivial. Anyway, just a thought. -traid On 2/27/06, Joachim Schipper <j.schipper () math uu nl> wrote:
On Mon, Feb 27, 2006 at 02:41:17PM -0600, Response Team wrote:The whois information for this domain contains a <script> tag. Thismeans ifyou are to view the whois information on any HTML based page, the scriptisexecuted. Registrant: DOMIBOT (CAREFREETRAVELMN-COM-DOM) Avenida Caroni 5478 Colinas Monte, Caracas Venezuela +1.2085751538 <script>open('http://CAREFREETRAVELMN.COM');</script> +1.2085751538 domains () domibot com Domain Name: CAREFREETRAVELMN.COM Status: PROTECTED A google search for HTML based Whois pages turned up: http:// networking.ringofsaturn.com/Tools/whois.php If you do a whois on carefreetravelmn.com, you get a popup window. Should internic allow <tags> to be used in domain registration contactinfo? Why not? It's not like it's internic's problem that some people/programmers do stupid things. Blacklists wouldn't work anyway, and it's, again, not internic's fault or problem. And there is no reason to use a web-based client when all serious networking operating systems come with a whois client supplied (or at least very, very easily installed). Joachim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Using domain whois information for fun and profit Response Team (Feb 27)
- Re: Using domain whois information for fun and profit Joachim Schipper (Feb 27)
- Re: Using domain whois information for fun and profit Response Team (Feb 27)
- Re: Using domain whois information for fun and profit Joachim Schipper (Feb 27)