Need help in flushing DNS

Glen Kent glen.kent at gmail.com
Sat Jun 22 00:22:11 UTC 2013


Hi,

Do we know which DNS server started leaking the poisoned entry?

Being new to this, I still don't understand how a hacker could gain access
to the DNS server and corrupt the entry there. Wouldn't it require special
admin rights, etc. to log in?

Glen


On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgster at gmail.com> wrote:

> Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
> have no idea where the poison leaked in, or why. :-)
>
> - ferg
>
> On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.buie at frozenfeline.net>
> wrote:
>
> > Anyone have news/explanation about what's happening/happened?
> >
> >
> > On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgster at gmail.com> wrote:
> >
> >> Sure enough:
> >>
> >>
> >>
> >>  ; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
> >>  ; (1 server found)
> >>  ;; global options: +cmd
> >>  ;; Got answer:
> >>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
> >>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >>
> >>  ;; QUESTION SECTION:
> >>  ;yelp.com. IN A
> >>
> >>  ;; ANSWER SECTION:
> >>  yelp.com. 300 IN A 204.11.56.20
> >>
> >>  ;; Query time: 143 msec
> >>  ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>  ;; WHEN: Thu Jun 20 07:33:13 2013
> >>  ;; MSG SIZE  rcvd: 42
> >>
> >> NetRange: 204.11.56.0 - 204.11.59.255
> >> CIDR: 204.11.56.0/22
> >> OriginAS: AS40034
> >> NetName: CONFLUENCE-NETWORKS--TX3
> >> NetHandle: NET-204-11-56-0-1
> >> Parent: NET-204-0-0-0-0
> >> NetType: Direct Allocation
> >> Comment: Hosted in Austin TX.
> >> Comment: Abuse :
> >> Comment: abuse at confluence-networks.com
> >> Comment: +1-917-386-6118
> >> RegDate: 2012-09-24
> >> Updated: 2012-09-24
> >> Ref: http://whois.arin.net/rest/net/NET-204-11-56-0-1
> >>
> >> OrgName: Confluence Networks Inc
> >> OrgId: CN
> >> Address: 3rd Floor, Omar Hodge Building, Wickhams
> >> Address: Cay I, P.O. Box 362
> >> City: Road Town
> >> StateProv: Tortola
> >> PostalCode: VG1110
> >> Country: VG
> >> RegDate: 2011-04-07
> >> Updated: 2011-07-05
> >> Ref: http://whois.arin.net/rest/org/CN
> >>
> >> OrgAbuseHandle: ABUSE3065-ARIN
> >> OrgAbuseName: Abuse Admin
> >> OrgAbusePhone: +1-917-386-6118
> >> OrgAbuseEmail: abuse at confluence-networks.com
> >> OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3065-ARIN
> >>
> >> OrgNOCHandle: NOCAD51-ARIN
> >> OrgNOCName: NOC Admin
> >> OrgNOCPhone: +1-415-462-7734
> >> OrgNOCEmail: noc at confluence-networks.com
> >> OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN
> >>
> >> OrgTechHandle: TECHA29-ARIN
> >> OrgTechName: Tech Admin
> >> OrgTechPhone: +1-415-358-0858
> >> OrgTechEmail: ipadmin at confluence-networks.com
> >> OrgTechRef: http://whois.arin.net/rest/poc/TECHA29-ARIN
> >>
> >>
> >> #
> >> # ARIN WHOIS data and services are subject to the Terms of Use
> >> # available at: https://www.arin.net/whois_tou.html
> >> #
> >>
> >> - ferg
> >>
> >> On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey123 at gmail.com> wrote:
> >>
> >> > Yelp is evidently also affected
> >> >
> >> > On Wed, Jun 19, 2013 at 10:19 PM, John Levine <johnl at iecc.com> wrote:
> >> >
> >> >> > Reaching out to DNS operators around the globe. Linkedin.com has had some
> >> >> > issues with DNS and would like DNS operators to flush their DNS. If you see
> >> >> > www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then
> >> >> > please flush your DNS.
> >> >> >
> >> >> > Any other info please reach out to me off-list.
> >> >>
> >> >> While you're at it, www.usps.com, www.fidelity.com, and other well
> >> >> known sites have had DNS poisoning problems.  When I restarted my
> >> >> cache, they look OK.
> >> >>
> >> >>
> >>
> >> --
> >> "Fergie", a.k.a. Paul Ferguson
> >>  fergdawgster(at)gmail.com
> >>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  fergdawgster(at)gmail.com
>
>



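An added example, not written by any poster in this thread: a small Python check that parses dig output like the run quoted above and flags ANSWER records matching the indicators the thread names (NS records pointing at ns1617/ns2617.ztomy.com, or an address inside 204.11.56.0/22, the netblock from the quoted ARIN whois that the poisoned yelp.com answer fell in). The dig text embedded below is constructed to mirror the quoted output; an operator would feed it the real `dig @localhost` output before deciding whether a cache flush is warranted.

```python
import ipaddress
import re

# Indicators named in the thread: the bogus nameservers reported for
# www.linkedin.com, and the netblock (from the quoted ARIN whois) that the
# poisoned yelp.com A record landed in.
SUSPECT_NS = {"ns1617.ztomy.com.", "ns2617.ztomy.com."}
SUSPECT_NETS = [ipaddress.ip_network("204.11.56.0/22")]

# One resource record as dig prints it: name TTL IN TYPE RDATA
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS|CNAME)\s+(\S+)$")

def parse_answer_section(dig_text):
    """Return (name, ttl, rtype, rdata) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in (ln.strip() for ln in dig_text.splitlines()):
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and line.startswith(";;"):
            break  # the next ';;' header ends the section
        elif in_answer and (m := RR_RE.match(line)):
            name, ttl, rtype, rdata = m.groups()
            records.append((name.lower(), int(ttl), rtype, rdata.lower()))
    return records

def suspicious_records(dig_text):
    """Flag answers matching the thread's indicators as [(record, reason), ...]."""
    hits = []
    for rec in parse_answer_section(dig_text):
        rtype, rdata = rec[2], rec[3]
        if rtype == "NS" and rdata in SUSPECT_NS:
            hits.append((rec, "NS delegates to a ztomy.com nameserver"))
        elif rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue  # malformed rdata, not an address
            if any(addr in net for net in SUSPECT_NETS):
                hits.append((rec, "address inside 204.11.56.0/22"))
    return hits

# Constructed sample modelled on the dig output quoted in the thread.
POISONED = """; <<>> DiG 9.7.3 <<>> @localhost www.linkedin.com NS
;; ANSWER SECTION:
www.linkedin.com.  300  IN  NS  ns1617.ztomy.com.
www.linkedin.com.  300  IN  NS  ns2617.ztomy.com.

;; Query time: 143 msec
"""
```

Any non-empty result from `suspicious_records` on a resolver's output is the cue the original poster asked for: flush that cache and re-query the authoritative servers.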