Fwd: This is a coordinated hacking. (Was Re: Need help in flushing DNS)

[jamie rishaw <j () arpa com>]

Wait, wait.

whois doesnt jive with dns.

.. Conspiracy Theory Hat On :

- Did someone gain access to the COM dispersion zone, or parts thereof?
- Did someone figure out how to [ insert theory here ] ?

I'm looking at domains that were solidly pointing at ztomy at 2:30AM (that
are 'recovered'  to other nameservers) that show no "updates" in `whois`
records.

Curiouser and curiouser.

Paul?

---------- Forwarded message ----------
From: jamie rishaw <j () arpa com>
Date: Thu, Jun 20, 2013 at 3:21 PM
Subject: Re: This is a coordinated hacking. (Was Re: Need help in flushing
DNS)
To: George Herbert <george.herbert () gmail com>
Cc: Jared Mauch <jared () puck nether net>, NANOG <nanog () nanog org>


It's not poisoning.  They somehow were able to modify the NS records; one
would presume, at the registrar/s.

As far as the logic of the DNS, it is functioning as designed (What's up,
Vix!) - There's another aspect of this that caused this situation.

Any Alexa or similar people on this list (Goog PR, etc)?  I'd love to bulk
submit a domain list for some analytics.  Contact me off list.



On Thu, Jun 20, 2013 at 3:14 PM, George Herbert <george.herbert () gmail com>wrote:

> Poisoning a domain's NS records with localhost will most certainly DOS the
> domain, yes.
>
> I have not yet seen the source of this; if anyone has a clue where the
> updates are coming from please post the info.
>
> Is there anything about ztomy.com that has been seen that's supicious as
> in they might be the origin?  This could be them, or could be a joe-job
> against them.  I do not want to point a finger lacking any sort of actual
> data dump of the poisoning activity...
>
>
>
>
> On Thu, Jun 20, 2013 at 1:02 PM, jamie rishaw <j () arpa com> wrote:
>
> > I'm rechecking realtime ns1620/2620 DNS right now and, looking at the
> > output, I see an odd number of domains (that have changed) with a listed
> > nameserver of "localhost.".
> >
> > Is this some sort of tactic I'm unaware of?
> >
> >
> > On Thu, Jun 20, 2013 at 2:57 PM, Jared Mauch <jared () puck nether net>
> > wrote:
> >
> > > It seems there may be a need for some sort of 'dns-health' check out
> > there
> > > that can be done in semi-realtime.
> > >
> > > I ran a report for someone earlier today on a domain doing an xref
> > against
> > > open resolver data searching for valid responses vs invalid ones.
> > >
> > > Is this of value?  Does it need to be automated?
> > >
> > > - Jared
> > >
> > > On Jun 20, 2013, at 3:53 PM, jamie rishaw <j () arpa com> wrote:
> > >
> > > > This is most definitely a coordinated and planned attack.
> > > >
> > > > And by 'attack' I mean hijacking of domain names.
> > > >
> > > > I show as of this morning nearly fifty thousand domain names that
> > appear
> > > > suspicious.
> > > >
> > > > I'm tempted to call uscentcom and/or related agencies (which agencies,
> > > who
> > > > the hell knows, as ICE seems to have some sort of authority over
> > domains
> > > > (nearly two hundred fifty of them as I type this in COM alone and
> > another
> > > > thirty-some in NET).
> > > >
> > > > Anyone credentialed (credentialed /n/., "I know you or know of you,")
> > > > wanting data, e-mail me off-list for some TLD goodness.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan () gmail com>
> > > wrote:
> > > > > Agree'd in these "smaller" scenario's I just wonder if in a larger
> > scale
> > > > > scenario, whatever that might look like, if its necessary. Whereby
> > many
> > > > > organizations who provide "services" are effected. Perhaps the result
> > > of a
> > > > > State led campaign ....topic for another day.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <
> > fergdawgster () gmail com
> > > > > > wrote:
> > > > >
> > > > > > I am betting that Netsol doesn't need any more "coordination" at the
> > > > > > moment -- their phones are probably ringing off-the-hook. There are
> > > > > > still ~400 domains still pointing to the ztomy NS:
> > > > > >
> > > > > >
> > > > > > ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
> > > > > > ; (1 server found)
> > > > > > ;; global options: +cmd
> > > > > > ;; Got answer:
> > > > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
> > > > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> > > > > >
> > > > > > ;; QUESTION SECTION:
> > > > > > ;parsonstech.com.        IN    NS
> > > > > >
> > > > > > ;; ANSWER SECTION:
> > > > > > parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
> > > > > > parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.
> > > > > >
> > > > > > ;; Query time: 286 msec
> > > > > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > > > > ;; WHEN: Thu Jun 20 19:16:25 2013
> > > > > > ;; MSG SIZE  rcvd: 81
> > > > > >
> > > > > > - ferg
> > > > > >
> > > > > > On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan () gmail com>
> > > > > wrote:
> > > > > > > I should caveat.....coordinate the "recovery" of.
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
> > > > > > > <brandon () rd bbc co uk>wrote:
> > > > > > >
> > > > > > > > > Is there an organization that coordinates outages like this
> > amongst
> > > > > > the
> > > > > > > > > industry?
> > > > > > > >
> > > > > > > > No, usually they are surprise outages though Anonymous have tried
> > > > > > > > coordinating a few
> > > > > > > >
> > > > > > > > brandon
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Phil Fagan
> > > > > > > Denver, CO
> > > > > > > 970-480-7618
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > "Fergie", a.k.a. Paul Ferguson
> > > > > > fergdawgster(at)gmail.com
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Phil Fagan
> > > > > Denver, CO
> > > > > 970-480-7618
>
>
> --
> -george william herbert
> george.herbert () gmail com