This is a coordinated hacking. (Was Re: Need help in flushing DNS)

George Herbert george.herbert at gmail.com
Thu Jun 20 20:14:00 UTC 2013


Poisoning a domain's NS records with localhost will most certainly DOS the
domain, yes.

I have not yet seen the source of this; if anyone has a clue where the
updates are coming from please post the info.

Is there anything about ztomy.com that has been seen that's suspicious as in
they might be the origin?  This could be them, or could be a joe-job
against them.  I do not want to point a finger lacking any sort of actual
data dump of the poisoning activity...




On Thu, Jun 20, 2013 at 1:02 PM, jamie rishaw <j at arpa.com> wrote:

> I'm rechecking realtime ns1620/2620 DNS right now and, looking at the
> output, I see an odd number of domains (that have changed) with a listed
> nameserver of "localhost.".
>
> Is this some sort of tactic I'm unaware of?
>
>
> On Thu, Jun 20, 2013 at 2:57 PM, Jared Mauch <jared at puck.nether.net>
> wrote:
>
> > It seems there may be a need for some sort of 'dns-health' check out
> > there that can be done in semi-realtime.
> >
> > I ran a report for someone earlier today on a domain doing an xref
> > against open resolver data searching for valid responses vs invalid ones.
> >
> > Is this of value?  Does it need to be automated?
> >
> > - Jared
> >
> > On Jun 20, 2013, at 3:53 PM, jamie rishaw <j at arpa.com> wrote:
> >
> > > This is most definitely a coordinated and planned attack.
> > >
> > > And by 'attack' I mean hijacking of domain names.
> > >
> > > I show as of this morning nearly fifty thousand domain names that
> > > appear suspicious.
> > >
> > > I'm tempted to call uscentcom and/or related agencies (which agencies,
> > > who the hell knows, as ICE seems to have some sort of authority over
> > > domains (nearly two hundred fifty of them as I type this in COM alone
> > > and another thirty-some in NET).
> > >
> > > Anyone credentialed (credentialed /n/., "I know you or know of you,")
> > > wanting data, e-mail me off-list for some TLD goodness.
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan at gmail.com>
> > wrote:
> > >
> > >> Agreed in these "smaller" scenarios. I just wonder if in a larger
> > >> scale scenario, whatever that might look like, it's necessary, whereby
> > >> many organizations who provide "services" are affected. Perhaps the
> > >> result of a State led campaign ....topic for another day.
> > >>
> > >>
> > >>
> > >>
> > >> On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgster at gmail.com>
> > >> wrote:
> > >>
> > >>> I am betting that Netsol doesn't need any more "coordination" at the
> > >>> moment -- their phones are probably ringing off-the-hook. There are
> > >>> still ~400 domains still pointing to the ztomy NS:
> > >>>
> > >>>
> > >>> ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
> > >>> ; (1 server found)
> > >>> ;; global options: +cmd
> > >>> ;; Got answer:
> > >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
> > >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> > >>>
> > >>> ;; QUESTION SECTION:
> > >>> ;parsonstech.com.        IN    NS
> > >>>
> > >>> ;; ANSWER SECTION:
> > >>> parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
> > >>> parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.
> > >>>
> > >>> ;; Query time: 286 msec
> > >>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > >>> ;; WHEN: Thu Jun 20 19:16:25 2013
> > >>> ;; MSG SIZE  rcvd: 81
> > >>>
> > >>> - ferg
> > >>>
> > >>> On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan at gmail.com>
> > >>> wrote:
> > >>>
> > >>>> I should caveat.....coordinate the "recovery" of.
> > >>>>
> > >>>>
> > >>>> On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
> > >>>> <brandon at rd.bbc.co.uk> wrote:
> > >>>>
> > >>>>>> Is there an organization that coordinates outages like this
> > >>>>>> amongst the industry?
> > >>>>>
> > >>>>> No, usually they are surprise outages though Anonymous have tried
> > >>>>> coordinating a few
> > >>>>>
> > >>>>> brandon
> > >>>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>> --
> > >>>> Phil Fagan
> > >>>> Denver, CO
> > >>>> 970-480-7618
> > >>>
> > >>>
> > >>>
> > >>> --
> > >>> "Fergie", a.k.a. Paul Ferguson
> > >>> fergdawgster(at)gmail.com
> > >>>
> > >>
> > >>
> > >>
> > >> --
> > >> Phil Fagan
> > >> Denver, CO
> > >> 970-480-7618
> > >>
> > >
> > >
> > >
> > > --
> > > Jamie Rishaw // .com.arpa at j <- reverse it. ish.
> > > [Impressive C-level Title Here], arpa / arpa labs
> >
> >
>
>
> --
> Jamie Rishaw // .com.arpa at j <- reverse it. ish.
> [Impressive C-level Title Here], arpa / arpa labs
>



-- 
-george william herbert
george.herbert at gmail.com


