Information Security News mailing list archives

Re: Microsoft Admits Hack Attacks


From: InfoSec News <isn () C4I ORG>
Date: Mon, 29 Jan 2001 00:17:08 -0600

Forwarded by: Dave Dittrich <dittrich () cac washington edu>

On Fri, 26 Jan 2001, InfoSec News wrote:

> http://www.pcworld.com/news/article/0,aid,39322,00.asp
>
> Cameron Crouch, PCWorld.com
> Thursday, January 25, 2001
>   . . .
> Other suspicions were raised by anti-Microsoft slogans that appeared
> with a Whois search for Microsoft.com Wednesday. Whois tells you the
> owner of any second-level domain name registered with Network
> Solutions, the most widely used Internet registrar for .com names. A
> search under Microsoft.com returns clearly invalid domains such as:
> microsoft.com.is.secretly.run.by.illumaniti.terrorists.net.

What is invalid about it, and what does that have to do with the attack
on Microsoft?  This "suspicion" is just not looking at the facts.

Sure, there are a whole bunch of things like this that pop up in a
whois lookup:

MICROSOFT.COM.WILL.LIVE.FOREVER.BUT.LUNIX.SUCKS-BYBIRTH.ARTISTICCHEESE.COM
MICROSOFT.COM.WILL.BOW.TO.SEANHARDING.COM
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.SE.FAIT.HAX0RIZER.PAR.TOUT.LE.ZOY.ORG
MICROSOFT.COM.OWNED.BY.MAT.HACKSWARE.COM
MICROSOFT.COM.N-AIME.BILL.QUE.QUAND.IL.N-EST.PAS.NU
MICROSOFT.COM.MUST.STOP.TAKEDRUGS.ORG
MICROSOFT.COM.ISNT.THIS.SILLY.AND.DONT.YOU.WANT.YOUR.OWN.808.ORG
MICROSOFT.COM.IS.SOON.GOING.TO.THE.DEATHCORPORATION.COM
MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
MICROSOFT.COM.IS.NOTHING.BUT.A.MONSTER.ORG
MICROSOFT.COM.IS.NO.MATCH.FOR.THE.WANNABE.TERRORISTS.AT.JIMPHILLIPS.ORG
MICROSOFT.COM.IS.GOD.BUT.LINUX.SUCKS-FOREVER.ARTISTICCHEESE.COM
MICROSOFT.COM.IS.BORING.COMPARED.TO.TEENEXTREME.COM
MICROSOFT.COM.IS.AT.THE.MERCY.OF.DETRIMENT.ORG
MICROSOFT.COM.INSPIRES.COPYCAT.WANNABE.SUBVERSIVES.NET
MICROSOFT.COM.HAS.NO.LINUXCLUE.COM
MICROSOFT.COM.HACKED.BY.PSYKOJOKO.ON.A.ROOT-NETWORK.COM
MICROSOFT.COM.HACKED.BY.HACKSWARE.COM
MICROSOFT.COM.GUTS.NL
MICROSOFT.COM.FAIT.VRAIMENT.DES.LOGICIELS.A.TROIS.FRANCS.DOUZE.ORG
MICROSOFT.COM.ER.IKKE.NO.I.FORHOLD.TIL.LATHANS.NET
MICROSOFT.COM.AINT.WORTH.SHIT.KLUGE.ORG
MICROSOFT.COM

Take a closer look, though.  That domain has nothing to do with
Microsoft, it's just a domain registered by someone else with Network
Solutions:

   Server Name: MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
   IP Address: 170.1.75.143
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: www.networksolutions.com

Look at the IP address, then look it up:

    170.1.75.143, reversing and appending in-addr.arpa
    The authoritative name servers for '1.170.in-addr.arpa' are:
      NS1.MEDCITY.NET           199.91.33.20
      NS2.MEDCITY.NET           199.91.36.20
                                             (querying server=199.91.33.20 ...)
    143.75.1.170.in-addr.arpa:
        Domain name pointer = infamous.terrorists.net

    There is no domain infamous.terrorists.net

Now look at the netblock in which it resides:

Columbia Health Care (NET-COLUMBIAHEALTH)
   2555 Park Plaza
   Nashville, TN 37203
   US

   Netname: COLUMBIAHEALTH
   Netblock: 170.1.0.0 - 170.1.255.255

   Coordinator:
      Columbia/HCA Healthcare, Inc.  (NO55-ORG-ARIN)  corp.tech () hcahealthcare com
      (615) 344-8881

   Domain System inverse mapping provided by:

   NS1.MEDCITY.NET              199.91.33.20
   NS2.MEDCITY.NET              199.91.36.20

So what is so suspicious about this, besides the fact that a
Healthcare provider's domain tables may have been used to slur
Microsoft?  The problem of domain name hijacking has been known for
some time:

http://www.securityportal.com/direct.cgi?/closet/closet19991231.html

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

ISN is hosted by SecurityFocus.com
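
Added example, not part of the original post: a Python sketch of the two checks the message walks through, separating the queried domain from host records registered under some other domain, and testing whether a reverse (PTR) name resolves back to the same address. The record sets are constructed to mirror the lookups shown in the post, and the function names are hypothetical.

```python
import ipaddress

# Sample input: a few lines of the registry whois listing quoted in the post.
LISTING = """\
MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
MICROSOFT.COM.HACKED.BY.HACKSWARE.COM
MICROSOFT.COM.GUTS.NL
MICROSOFT.COM
"""

# Constructed record sets mirroring the lookups in the post: the PTR exists,
# but the name it points to has no forward (A) record.
PTR_RECORDS = {"143.75.1.170.in-addr.arpa": "infamous.terrorists.net"}
A_RECORDS = {}


def registered_parent(name):
    """Assumption: the registered domain is the last two labels.
    True for the names above; not for suffixes such as co.uk."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def classify(listing, query):
    """Split a prefix-match listing into the queried domain itself and
    host records that belong to some other registered domain."""
    query = query.lower()
    exact, foreign = [], []
    for line in listing.splitlines():
        name = line.strip().lower()
        if not name:
            continue
        parent = registered_parent(name)
        if name == query:
            exact.append(name)
        elif parent != query:  # hosts under the queried domain are skipped
            foreign.append((name, parent))
    return exact, foreign


def forward_confirmed(ip, ptr_records, a_records):
    """Return (ptr_name, confirmed); confirmed only if the PTR target
    resolves back to the same address."""
    ptr_query = ipaddress.ip_address(ip).reverse_pointer
    ptr_name = ptr_records.get(ptr_query)
    confirmed = ptr_name is not None and ip in a_records.get(ptr_name, [])
    return ptr_name, confirmed


if __name__ == "__main__":
    print(classify(LISTING, "microsoft.com"))
    print(forward_confirmed("170.1.75.143", PTR_RECORDS, A_RECORDS))
```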