Information Security News mailing list archives
Re: Microsoft Admits Hack Attacks
From: InfoSec News <isn () C4I ORG>
Date: Mon, 29 Jan 2001 00:17:08 -0600
Forwarded by: Dave Dittrich <dittrich () cac washington edu>

On Fri, 26 Jan 2001, InfoSec News wrote:

> http://www.pcworld.com/news/article/0,aid,39322,00.asp
>
> Cameron Crouch, PCWorld.com
> Thursday, January 25, 2001
>
> . . .
>
> Other suspicions were raised by anti-Microsoft slogans that appeared
> with a Whois search for Microsoft.com Wednesday. Whois tells you the
> owner of any second-level domain name registered with Network
> Solutions, the most widely used Internet registrar for .com names. A
> search under Microsoft.com returns clearly invalid domains such as:
> microsoft.com.is.secretly.run.by.illumaniti.terrorists.net.

What is invalid about it, and what does that have to do with the attack on Microsoft? This "suspicion" is just not looking at the facts.

Sure, there are a whole bunch of things like this that pop up in a whois lookup:

MICROSOFT.COM.WILL.LIVE.FOREVER.BUT.LUNIX.SUCKS-BYBIRTH.ARTISTICCHEESE.COM
MICROSOFT.COM.WILL.BOW.TO.SEANHARDING.COM
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.SE.FAIT.HAX0RIZER.PAR.TOUT.LE.ZOY.ORG
MICROSOFT.COM.OWNED.BY.MAT.HACKSWARE.COM
MICROSOFT.COM.N-AIME.BILL.QUE.QUAND.IL.N-EST.PAS.NU
MICROSOFT.COM.MUST.STOP.TAKEDRUGS.ORG
MICROSOFT.COM.ISNT.THIS.SILLY.AND.DONT.YOU.WANT.YOUR.OWN.808.ORG
MICROSOFT.COM.IS.SOON.GOING.TO.THE.DEATHCORPORATION.COM
MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
MICROSOFT.COM.IS.NOTHING.BUT.A.MONSTER.ORG
MICROSOFT.COM.IS.NO.MATCH.FOR.THE.WANNABE.TERRORISTS.AT.JIMPHILLIPS.ORG
MICROSOFT.COM.IS.GOD.BUT.LINUX.SUCKS-FOREVER.ARTISTICCHEESE.COM
MICROSOFT.COM.IS.BORING.COMPARED.TO.TEENEXTREME.COM
MICROSOFT.COM.IS.AT.THE.MERCY.OF.DETRIMENT.ORG
MICROSOFT.COM.INSPIRES.COPYCAT.WANNABE.SUBVERSIVES.NET
MICROSOFT.COM.HAS.NO.LINUXCLUE.COM
MICROSOFT.COM.HACKED.BY.PSYKOJOKO.ON.A.ROOT-NETWORK.COM
MICROSOFT.COM.HACKED.BY.HACKSWARE.COM
MICROSOFT.COM.GUTS.NL
MICROSOFT.COM.FAIT.VRAIMENT.DES.LOGICIELS.A.TROIS.FRANCS.DOUZE.ORG
MICROSOFT.COM.ER.IKKE.NO.I.FORHOLD.TIL.LATHANS.NET
MICROSOFT.COM.AINT.WORTH.SHIT.KLUGE.ORG
MICROSOFT.COM

Take a closer look, though. That domain has nothing to do with Microsoft, it's just a domain registered by someone else with Network Solutions:

Server Name: MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
IP Address: 170.1.75.143
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com

Look at the IP address, then look it up:

170.1.75.143, reversing and appending in-addr.arpa
The authoritative name servers for '1.170.in-addr.arpa' are:
NS1.MEDCITY.NET 199.91.33.20
NS2.MEDCITY.NET 199.91.36.20
(querying server=199.91.33.20 ...)
143.75.1.170.in-addr.arpa: Domain name pointer = infamous.terrorists.net
There is no domain infamous.terrorists.net

Now look at the netblock in which it resides:

Columbia Health Care (NET-COLUMBIAHEALTH)
2555 Park Plaza
Nashville, TN 37203
US

Netname: COLUMBIAHEALTH
Netblock: 170.1.0.0 - 170.1.255.255

Coordinator:
Columbia/HCA Healthcare, Inc. (NO55-ORG-ARIN) corp.tech () hcahealthcare com
(615) 344-8881

Domain System inverse mapping provided by:

NS1.MEDCITY.NET 199.91.33.20
NS2.MEDCITY.NET 199.91.36.20

So what is so suspicious about this, besides the fact that a Healthcare provider's domain tables may have been used to slur Microsoft?

The problem of domain name hijacking has been known for some time:

http://www.securityportal.com/direct.cgi?/closet/closet19991231.html

--
Dave Dittrich Computing & Communications
dittrich () cac washington edu Client Services
http://staff.washington.edu/dittrich University of Washington
PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
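
The manual check in the message above, as an added example that is not part of the original post: it parses the whois record quoted in the message, works out which domain the hostname was actually registered under, and builds the in-addr.arpa name for the reverse lookup. The function names and the two-label assumption in `registered_domain` are this example's own.

```python
import ipaddress

# Whois record text as quoted in the message above, embedded so this runs offline.
WHOIS_RECORD = """\
Server Name: MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
IP Address: 170.1.75.143
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
"""

def parse_record(text):
    """Split 'Key: value' whois lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def registered_domain(hostname, labels=2):
    """Return the rightmost labels of a hostname, i.e. the name that was
    actually registered. Assumption: a two-label registration such as
    example.net; multi-label public suffixes would need a suffix list."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-labels:])

def reverse_name(ip):
    """Reverse the octets and append in-addr.arpa, as done by hand in the message."""
    return ipaddress.ip_address(ip).reverse_pointer

def assess(query, text):
    """Report whether a whois hit really belongs to the queried domain."""
    rec = parse_record(text)
    host = rec.get("server name") or rec.get("domain name", "")
    owner = registered_domain(host)
    return {
        "record_type": "server name" if "server name" in rec else "domain name",
        "hostname": host.lower(),
        "registered_under": owner,
        "belongs_to_query": owner == query.lower(),
        "ptr_query": reverse_name(rec["ip address"]) if "ip address" in rec else None,
    }

if __name__ == "__main__":
    for key, value in assess("microsoft.com", WHOIS_RECORD).items():
        print(f"{key}: {value}")
```

The hit shares only a leading substring with the queried name; the rightmost labels show it was registered under terrorists.net, which is the point the message makes by hand.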