DNS Hijacking by Cox

Raymond L. Corbin rcorbin at hostmysite.com
Sun Jul 22 23:04:07 UTC 2007


Hey

Well I suppose that would get rid of some of the script kiddies bots off of their network...

http://www.dslreports.com/forum/remark,12922412
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

Though...I cannot think of another means to achieve their goal. However, I wonder how they generated what records to point to their servers. Is it simply anything with irc.*? I suppose it would stop the script kiddies if they didn't use their own unique DNS and specified a different port in the config before compiling. Typically zombies are set to listen to the topic commands in order to either continue a DDoS attack or, like, scan for other hosts to infect. This would prevent the bots from getting a valid command to start scanning or DDoSing, or in this case .remove would remove the bot from their customers' computers (unless the default command character was changed), so I suppose it gets what they want: DDoSes not originating in their network, XDCC bots not being created from zombies, etc. etc. (credit cards: zombie bots can be set to listen for PayPal information and credit card information, etc.)...but at the same time it causes problems for their customers who legitimately use IRC. If weighed, I believe their problem with DDoS bots is weighted more heavily than the few who legitimately use IRC. I suppose they can always use something like psyBNC to connect to IRC.

I agree with their goal but not really the means they are using to reach their goal. If they are going to manipulate DNS to do this...how far will they go with other problems?


Raymond Corbin
Support Analyst
HostMySite.com


(sorry if this posted twice...Outlook froze on me :( )


-----Original Message-----
From: owner-nanog at merit.edu on behalf of Andrew Matthews
Sent: Sun 7/22/2007 5:56 PM
To: nanog at merit.edu
Subject: DNS Hijacking by Cox
 

It looks like Cox is hijacking DNS for IRC servers.


bash2-2.05b$ nslookup
> server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
> irc.vel.net
Server:         68.6.16.30
Address:        68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144




> server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
> irc.vel.net
Server:         ns1.vel.net
Address:        207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2

It looks like they are using it to clean drones: when you connect to
their fake IRC server you get force-joined into a channel.

#martian_
	[INFO]	Channel view for "#martian_" opened.
	-->|	YOU (andrew.m) have joined #martian_
	=-=	Mode #martian_ +nt by localhost.localdomain
	=-=	Topic for #martian_ is ".bot.remove"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is ".remove"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is ".uninstall"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is "!bot.remove"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is "!remove"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	=-=	Topic for #martian_ is "!uninstall"
	=-=	Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
	<Marvin_>	.bot.remove
	<Marvin_>	.remove
	<Marvin_>	.uninstall
	<Marvin_>	!bot.remove
	<Marvin_>	!remove


Isn't there a law against hijacking DNS? What can I do to pursue this?
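The check Andrew did by hand (ask the ISP resolver, ask the zone's own nameserver, compare) can be automated. The following is an added example, not code from either poster: it parses an interactive nslookup log (the two sessions from the post, joined into one constructed transcript) and flags every name for which a resolver's answer disagrees with the authoritative server's.

```python
import re
from collections import defaultdict

# Constructed sample: the two nslookup sessions from the post, joined into one log.
NSLOOKUP_TRANSCRIPT = """\
> server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
> irc.vel.net
Server:         68.6.16.30
Address:        68.6.16.30#53

Name:   irc.vel.net
Address: 70.168.71.144
> server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
> irc.vel.net
Server:         ns1.vel.net
Address:        207.182.224.10#53

Name:   irc.vel.net
Address: 64.161.255.2
"""

def parse_nslookup(transcript):
    """Return {server: {name: [addresses]}}; only 'Address:' lines after 'Name:' are answers."""
    answers = defaultdict(lambda: defaultdict(list))
    server, name, in_answer = None, None, False
    for line in transcript.splitlines():
        if line.startswith(">") or line.startswith("Default server:"):
            in_answer = False          # new query or resolver switch
        elif m := re.match(r"^Server:\s+(\S+)", line):
            server, in_answer = m.group(1), False   # next Address: is the resolver's own
        elif m := re.match(r"^Name:\s+(\S+)", line):
            name, in_answer = m.group(1), True
        elif (m := re.match(r"^Address:\s+(\S+)", line)) and in_answer and server:
            answers[server][name].append(m.group(1).split("#")[0])
    return {s: dict(n) for s, n in answers.items()}

def find_divergent_answers(answers, authoritative):
    """{name: {resolver: [addresses]}} for names whose A records differ from the authoritative server's."""
    auth = answers.get(authoritative, {})
    divergent = {}
    for server, names in answers.items():
        for qname, addrs in names.items():
            if server != authoritative and set(addrs) != set(auth.get(qname, [])):
                divergent.setdefault(qname, {})[server] = sorted(addrs)
    return divergent
```

On the sample above, `find_divergent_answers(parse_nslookup(NSLOOKUP_TRANSCRIPT), "ns1.vel.net")` reports irc.vel.net as answered differently by 68.6.16.30, which is exactly the discrepancy the post shows.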
