Need help in flushing DNS

George Herbert george.herbert at gmail.com
Sat Jun 22 00:29:40 UTC 2013


The indications and claim are that the root cause was registrar internal
goof, not hostile action against name servers.

The story is not yet detailed enough to add up; getting from point A to
point B requires steps that so far don't really make sense.  A more
detailed explanation is hopefully to be forthcoming...



On Fri, Jun 21, 2013 at 5:22 PM, Glen Kent <glen.kent at gmail.com> wrote:

> Hi,
>
> Do we know which DNS server started leaking the poisoned entry?
>
> Being new to this, I still don't understand how a hacker could gain access
> to the DNS server and corrupt the entry there? Wouldn't it require special
> admin rights, etc. to log in?
>
> Glen
>
>
> On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgster at gmail.com> wrote:
>
> > Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
> > have no idea where the poison leaked in, or why. :-)
> >
> > - ferg
> >
> > On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.buie at frozenfeline.net>
> > wrote:
> >
> > > Anyone have news/explanation about what's happening/happened?
> > >
> > >
> > > On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgster at gmail.com> wrote:
> > >
> > >> Sure enough:
> > >>
> > >>  ; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
> > >>  ; (1 server found)
> > >>  ;; global options: +cmd
> > >>  ;; Got answer:
> > >>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
> > >>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > >>
> > >>  ;; QUESTION SECTION:
> > >>  ;yelp.com. IN A
> > >>
> > >>  ;; ANSWER SECTION:
> > >>  yelp.com. 300 IN A 204.11.56.20
> > >>
> > >>  ;; Query time: 143 msec
> > >>  ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > >>  ;; WHEN: Thu Jun 20 07:33:13 2013
> > >>  ;; MSG SIZE  rcvd: 42
> > >>
> > >> NetRange: 204.11.56.0 - 204.11.59.255
> > >> CIDR: 204.11.56.0/22
> > >> OriginAS: AS40034
> > >> NetName: CONFLUENCE-NETWORKS--TX3
> > >> NetHandle: NET-204-11-56-0-1
> > >> Parent: NET-204-0-0-0-0
> > >> NetType: Direct Allocation
> > >> Comment: Hosted in Austin TX.
> > >> Comment: Abuse :
> > >> Comment: abuse at confluence-networks.com
> > >> Comment: +1-917-386-6118
> > >> RegDate: 2012-09-24
> > >> Updated: 2012-09-24
> > >> Ref: http://whois.arin.net/rest/net/NET-204-11-56-0-1
> > >>
> > >> OrgName: Confluence Networks Inc
> > >> OrgId: CN
> > >> Address: 3rd Floor, Omar Hodge Building, Wickhams
> > >> Address: Cay I, P.O. Box 362
> > >> City: Road Town
> > >> StateProv: Tortola
> > >> PostalCode: VG1110
> > >> Country: VG
> > >> RegDate: 2011-04-07
> > >> Updated: 2011-07-05
> > >> Ref: http://whois.arin.net/rest/org/CN
> > >>
> > >> OrgAbuseHandle: ABUSE3065-ARIN
> > >> OrgAbuseName: Abuse Admin
> > >> OrgAbusePhone: +1-917-386-6118
> > >> OrgAbuseEmail: abuse at confluence-networks.com
> > >> OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3065-ARIN
> > >>
> > >> OrgNOCHandle: NOCAD51-ARIN
> > >> OrgNOCName: NOC Admin
> > >> OrgNOCPhone: +1-415-462-7734
> > >> OrgNOCEmail: noc at confluence-networks.com
> > >> OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN
> > >>
> > >> OrgTechHandle: TECHA29-ARIN
> > >> OrgTechName: Tech Admin
> > >> OrgTechPhone: +1-415-358-0858
> > >> OrgTechEmail: ipadmin at confluence-networks.com
> > >> OrgTechRef: http://whois.arin.net/rest/poc/TECHA29-ARIN
> > >>
> > >>
> > >> #
> > >> # ARIN WHOIS data and services are subject to the Terms of Use
> > >> # available at: https://www.arin.net/whois_tou.html
> > >> #
> > >>
> > >> - ferg
> > >>
> > >> On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey123 at gmail.com> wrote:
> > >>
> > >> > Yelp is evidently also affected
> > >> >
> > >> > On Wed, Jun 19, 2013 at 10:19 PM, John Levine <johnl at iecc.com> wrote:
> > >> >
> > >> >> >Reaching out to DNS operators around the globe. Linkedin.com has had some
> > >> >> >issues with DNS and would like DNS operators to flush their DNS. If you see
> > >> >> >www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then
> > >> >> >please flush your DNS.
> > >> >> >
> > >> >> >Any other info please reach out to me off-list.
> > >> >>
> > >> >> While you're at it, www.usps.com, www.fidelity.com, and other well
> > >> >> known sites have had DNS poisoning problems.  When I restarted my
> > >> >> cache, they look OK.
> > >> >>
> > >> --
> > >> "Fergie", a.k.a. Paul Ferguson
> > >>  fergdawgster(at)gmail.com
> > >>
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  fergdawgster(at)gmail.com
> >

-- 
-george william herbert
george.herbert at gmail.com
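As an added, defender-side example that is not part of the thread: a small check a resolver operator could run over saved `dig` output to spot answers matching the rogue destinations reported above. The ztomy.com NS names and the 204.11.56.0/22 netblock are taken from the messages; the sample inputs are constructed, and the parser and its names are this example's own.

```python
import ipaddress
import re

# Rogue destinations reported in the thread (taken from the page).
SUSPECT_NS = {"ns1617.ztomy.com", "ns2617.ztomy.com"}
SUSPECT_NETS = [ipaddress.ip_network("204.11.56.0/22")]

# One resource record line as dig prints it: name ttl IN type rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")


def parse_dig_answers(text):
    """Return (name, type, rdata) tuples from the ANSWER SECTION of dig output."""
    rrs, in_answer = [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line or line.startswith(";")):
            in_answer = False  # a blank line or the next ';;' header ends the section
        elif in_answer:
            m = RR_RE.match(line)
            if m:
                name, _ttl, rtype, rdata = m.groups()
                rrs.append((name, rtype, rdata))
    return rrs


def suspicious_answers(text):
    """Flag A records inside the suspect netblock and NS records naming suspect hosts."""
    flagged = []
    for name, rtype, rdata in parse_dig_answers(text):
        if rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in SUSPECT_NETS):
            flagged.append((name, rtype, rdata))
        elif rtype == "NS" and rdata.lower().rstrip(".") in SUSPECT_NS:
            flagged.append((name, rtype, rdata))
    return flagged


# Constructed samples: the yelp.com answer quoted in the thread, and an NS answer
# of the kind the LinkedIn notice describes (trailing dots as dig prints them).
POISONED_A = """;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20

;; Query time: 143 msec
"""
POISONED_NS = """;; ANSWER SECTION:
www.linkedin.com. 300 IN NS ns1617.ztomy.com.
www.linkedin.com. 300 IN NS ns2617.ztomy.com.
"""
```

A non-empty result is the cue to flush the cache and re-query, as the thread suggests; an empty result for a record in the documentation range 198.51.100.0/24 shows the check does not flag ordinary answers.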