nanog mailing list archives

RE: DNS Hijacking by Cox


From: "Raymond L. Corbin" <rcorbin () hostmysite com>
Date: Sun, 22 Jul 2007 19:04:07 -0400


Hey

Well, I suppose that would get rid of some of the script kiddies' bots off of their network...

http://www.dslreports.com/forum/remark,12922412
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

Though...I cannot think of another means to achieve their goal. However, I wonder how they generated what records to 
point to their servers. Is it simply anything with irc.*? I suppose it would stop the script kiddies if they didn't 
use their own unique DNS and specified a different port in the config before compiling. Typically zombies are set to 
listen to the topic commands in order to either continue a DDoS attack or, like, scan for other hosts to infect. This 
would prevent the bots from getting a valid command to start scanning or DDoSing, or in this case .remove would remove the 
bot from their customers' computers (unless the default command character was changed), so I suppose it gets what they 
want: DDoSes to not originate in their network + XDCC bots being created from zombies, etc. etc., credit card...zombie bots 
can be set to listen for PayPal information and credit card information, etc....but at the same time causing problems for 
their customers who legitimately use IRC. If weighed, I believe their problems with DDoS bots are weighted more heavily 
than the few who legitimately use IRC. I suppose they can always use, like, psyBNC to connect to IRC.

I agree with their goal but not really the means they are using to reach their goal. If they are going to manipulate DNS 
to do this...how far will they go with other problems?


Raymond Corbin
Support Analyst
HostMySite.com


(sorry if this posted twice...Outlook froze on me :( )


-----Original Message-----
From: owner-nanog () merit edu on behalf of Andrew Matthews
Sent: Sun 7/22/2007 5:56 PM
To: nanog () merit edu
Subject: DNS Hijacking by Cox
 

It looks like Cox is hijacking DNS for IRC servers.


bash2-2.05b$ nslookup
server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
irc.vel.net
Server:         68.6.16.30
Address:        68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144

server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
irc.vel.net
Server:         ns1.vel.net
Address:        207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2

It looks like they are using it to clean drones; when you connect to
their fake IRC server you get force-joined into a channel.

#martian_
        [INFO]  Channel view for "#martian_" opened.
        -->|    YOU (andrew.m) have joined #martian_
        =-=     Mode #martian_ +nt by localhost.localdomain
        =-=     Topic for #martian_ is ".bot.remove"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is ".remove"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is ".uninstall"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is "!bot.remove"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is "!remove"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        =-=     Topic for #martian_ is "!uninstall"
        =-=     Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
        <Marvin_>       .bot.remove
        <Marvin_>       .remove
        <Marvin_>       .uninstall
        <Marvin_>       !bot.remove
        <Marvin_>       !remove


Isn't there a law against hijacking DNS? What can I do to pursue this?
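The nslookup session above is a manual version of a useful check: ask the ISP's recursive resolver and the zone's own authoritative server the same question and see whether the A records differ. The script below automates that comparison with nothing but the Python standard library (a hand-built DNS query, a parser for the answer section, and a set difference). It is an added example written for this page, not a tool from the thread or from Cox or vel.net; the resolver address 68.6.16.30 and the ns1.vel.net address 207.182.224.10 are taken from the post, and the packets it parses in the demo are constructed in the script to replay the two answers quoted above, not captured traffic.

```python
"""Compare the A records an ISP recursive resolver hands out with the ones
the zone's own authoritative server returns, the way the nslookup session
in the thread does by hand.  Stdlib only; no dnspython.
Example code written for this page, not a tool from the thread."""
import random
import socket
import struct


def build_query(name, txid):
    """Minimal DNS query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, offset, max_hops=16):
    """Read a (possibly compressed) name. Returns (name, offset after it).
    The hop limit stops a crafted pointer loop from spinning forever."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(msg, expected_txid):
    """Return the sorted list of IPv4 addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                      # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return sorted(addrs)


def resolve_a(name, server, timeout=3.0):
    """Send one UDP query to `server` and return its A records (live network)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_answers(recursive_answers, authoritative_answers):
    """Addresses the recursive resolver returned that the authoritative
    server did not: the signature of a rewritten answer."""
    return sorted(set(recursive_answers) - set(authoritative_answers))


def make_a_response(name, txid, addrs, ttl=60):
    """Constructed response used to exercise the parser offline (test data,
    not a capture): standard-response header, echoed question, one A RR per
    address with a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + socket.inet_aton(a) for a in addrs)
    return header + build_query(name, txid)[12:] + rrs


if __name__ == "__main__":
    # Offline replay of the two answers in the thread (addresses copied from
    # the nslookup output; the packets themselves are constructed here).
    isp = parse_a_records(make_a_response("irc.vel.net", 1, ["70.168.71.144"]), 1)
    auth = parse_a_records(make_a_response("irc.vel.net", 1, ["64.161.255.2"]), 1)
    print("recursive:", isp, "authoritative:", auth)
    print("only from recursive:", compare_answers(isp, auth))
    # Live version of the same check (addresses from the post; needs network):
    # compare_answers(resolve_a("irc.vel.net", "68.6.16.30"),
    #                 resolve_a("irc.vel.net", "207.182.224.10"))
```

Two caveats when running it live: a mismatch is a flag, not proof, because zones served by load balancers or geo-aware DNS can legitimately hand different addresses to different querents, so confirm by repeating the query and by checking what actually answers on the returned address (the post does exactly that by connecting to it and landing in #martian_); and the "authoritative" answer is only as trustworthy as the path to the authoritative server, which is why the parser refuses replies whose transaction ID does not match the query.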

