nanog mailing list archives
RE: DNS Hijacking by Cox
From: "Raymond L. Corbin" <rcorbin () hostmysite com>
Date: Sun, 22 Jul 2007 19:04:07 -0400
Hey, well I suppose that would get rid of some of the script kiddies' bots off of their network...

http://www.dslreports.com/forum/remark,12922412
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

Though... I cannot think of another means to achieve their goal. However, I wonder how they generated what records to point to their servers. Is it simply anything with irc.*? I suppose it would stop the script kiddies if they didn't use their own unique DNS and specified a different port in the config before compiling. Typically zombies are set to listen to the topic commands in order to either continue a DDoS attack or, like, scan for other hosts to infect. This would prevent the bots from getting a valid command to start scanning or DDoS, or in this case .remove would remove the bot from their customer's computer (unless the default command character was changed), so I suppose it gets what they want: DDoSes not originating in their network, XDCC bots being created from zombies, etc. etc., credit card... zombie bots can be set to listen for PayPal information and credit card information etc. ...but at the same time causing problems for their customers who legitimately use IRC. If weighed, I believe their problems with DDoS bots are weighted more heavily than the few who legitimately use IRC. I suppose they can always use something like psyBNC to connect to IRC.

I agree with their goal but not really the means they are using to reach their goal. If they are going to manipulate DNS to do this... how far will they go with other problems?

Raymond Corbin
Support Analyst
HostMySite.com

(sorry if this posted twice... Outlook froze on me :( )

-----Original Message-----
From: owner-nanog () merit edu on behalf of Andrew Matthews
Sent: Sun 7/22/2007 5:56 PM
To: nanog () merit edu
Subject: DNS Hijacking by Cox

It looks like Cox is hijacking DNS for IRC servers.

bash2-2.05b$ nslookup
server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
irc.vel.net
Server: 68.6.16.30
Address: 68.6.16.30#53

Name: irc.vel.net
Address: 70.168.71.144
server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
irc.vel.net
Server: ns1.vel.net
Address: 207.182.224.10#53

Name: irc.vel.net
Address: 64.161.255.2

It looks like they are using it to clean drones; when you connect to their fake IRC server you get force-joined into a channel.

#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove

Isn't there a law against hijacking DNS? What can I do to pursue this?
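The check Andrew performed by hand above, comparing the ISP resolver's answer with the authoritative nameserver's, can be automated for monitoring. The following is an added example, not code from the thread: it parses an nslookup session transcript (a constructed copy of the one quoted above) and reports every name whose answer from a non-authoritative server differs from the authoritative one. The function names and transcript are the example's own.

```python
"""Detect resolver-level answer divergence from an nslookup session transcript."""
import re
from collections import defaultdict

# Constructed transcript mirroring the interactive nslookup session quoted in the thread.
TRANSCRIPT = """\
server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
irc.vel.net
Server: 68.6.16.30
Address: 68.6.16.30#53

Name: irc.vel.net
Address: 70.168.71.144
server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
irc.vel.net
Server: ns1.vel.net
Address: 207.182.224.10#53

Name: irc.vel.net
Address: 64.161.255.2
"""

def parse_nslookup(text):
    """Return {name: {server: set(addresses)}} from an nslookup session log."""
    answers = defaultdict(lambda: defaultdict(set))
    server = name = None
    for line in text.splitlines():
        m = re.match(r"\s*Server:\s*(\S+)", line)  # "Default server:" lines do not match
        if m:
            server, name = m.group(1), None
            continue
        m = re.match(r"\s*Name:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Address:\s*(\S+)", line)
        # An address with a '#port' suffix describes the server itself, not an answer.
        if m and name and server and "#" not in m.group(1):
            answers[name][server].add(m.group(1))
    return answers

def divergent_names(answers, authoritative):
    """Names whose answer from some other server differs from the authoritative answer."""
    out = {}
    for name, per_server in answers.items():
        ref = per_server.get(authoritative)
        if ref is None:
            continue  # no authoritative baseline for this name
        bad = {s: a for s, a in per_server.items() if s != authoritative and a != ref}
        if bad:
            out[name] = bad
    return out
```

Running the same comparison periodically against a hostname you operate gives an early warning that a resolver on the path is answering for it with an address you did not publish.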