Wait, wait. whois doesn't jive with dns.

.. Conspiracy Theory Hat On :

- Did someone gain access to the COM dispersion zone, or parts thereof?
- Did someone figure out how to [ insert theory here ] ?

I'm looking at domains that were solidly pointing at ztomy at 2:30AM (that are 'recovered' to other nameservers) that show no "updates" in `whois` records.

Curiouser and curiouser.

Paul?

---------- Forwarded message ----------
From: jamie rishaw <j...@arpa.com>
Date: Thu, Jun 20, 2013 at 3:21 PM
Subject: Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS)
To: George Herbert <george.herb...@gmail.com>
Cc: Jared Mauch <ja...@puck.nether.net>, NANOG <nanog@nanog.org>

It's not poisoning. They somehow were able to modify the NS records; one would presume, at the registrar/s.

As far as the logic of the DNS, it is functioning as designed (What's up, Vix!) - There's another aspect of this that caused this situation.

Any Alexa or similar people on this list (Goog PR, etc)? I'd love to bulk submit a domain list for some analytics. Contact me off list.

On Thu, Jun 20, 2013 at 3:14 PM, George Herbert <george.herb...@gmail.com> wrote:
> Poisoning a domain's NS records with localhost will most certainly DOS the
> domain, yes.
>
> I have not yet seen the source of this; if anyone has a clue where the
> updates are coming from please post the info.
>
> Is there anything about ztomy.com that has been seen that's suspicious as
> in they might be the origin? This could be them, or could be a joe-job
> against them. I do not want to point a finger lacking any sort of actual
> data dump of the poisoning activity...
>
> On Thu, Jun 20, 2013 at 1:02 PM, jamie rishaw <j...@arpa.com> wrote:
>
>> I'm rechecking realtime ns1620/2620 DNS right now and, looking at the
>> output, I see an odd number of domains (that have changed) with a listed
>> nameserver of "localhost.".
>>
>> Is this some sort of tactic I'm unaware of?
>>
>> On Thu, Jun 20, 2013 at 2:57 PM, Jared Mauch <ja...@puck.nether.net> wrote:
>>
>> > It seems there may be a need for some sort of 'dns-health' check out there
>> > that can be done in semi-realtime.
>> >
>> > I ran a report for someone earlier today on a domain doing an xref against
>> > open resolver data searching for valid responses vs invalid ones.
>> >
>> > Is this of value? Does it need to be automated?
>> >
>> > - Jared
>> >
>> > On Jun 20, 2013, at 3:53 PM, jamie rishaw <j...@arpa.com> wrote:
>> >
>> > > This is most definitely a coordinated and planned attack.
>> > >
>> > > And by 'attack' I mean hijacking of domain names.
>> > >
>> > > I show as of this morning nearly fifty thousand domain names that appear
>> > > suspicious.
>> > >
>> > > I'm tempted to call uscentcom and/or related agencies (which agencies, who
>> > > the hell knows, as ICE seems to have some sort of authority over domains
>> > > (nearly two hundred fifty of them as I type this in COM alone and another
>> > > thirty-some in NET).
>> > >
>> > > Anyone credentialed (credentialed /n/., "I know you or know of you,")
>> > > wanting data, e-mail me off-list for some TLD goodness.
>> > >
>> > > On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfa...@gmail.com> wrote:
>> > >
>> > >> Agreed, in these "smaller" scenarios. I just wonder if in a larger scale
>> > >> scenario, whatever that might look like, it's necessary. Whereby many
>> > >> organizations who provide "services" are affected. Perhaps the result of a
>> > >> State led campaign ....topic for another day.
>> > >>
>> > >> On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>> > >>
>> > >>> I am betting that Netsol doesn't need any more "coordination" at the
>> > >>> moment -- their phones are probably ringing off-the-hook. There are
>> > >>> still ~400 domains still pointing to the ztomy NS:
>> > >>>
>> > >>> ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
>> > >>> ; (1 server found)
>> > >>> ;; global options: +cmd
>> > >>> ;; Got answer:
>> > >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
>> > >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>> > >>>
>> > >>> ;; QUESTION SECTION:
>> > >>> ;parsonstech.com. IN NS
>> > >>>
>> > >>> ;; ANSWER SECTION:
>> > >>> parsonstech.com. 172800 IN NS ns2617.ztomy.com.
>> > >>> parsonstech.com. 172800 IN NS ns1617.ztomy.com.
>> > >>>
>> > >>> ;; Query time: 286 msec
>> > >>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> > >>> ;; WHEN: Thu Jun 20 19:16:25 2013
>> > >>> ;; MSG SIZE rcvd: 81
>> > >>>
>> > >>> - ferg
>> > >>>
>> > >>> On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfa...@gmail.com> wrote:
>> > >>>
>> > >>>> I should caveat.....coordinate the "recovery" of.
>> > >>>>
>> > >>>> On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
>> > >>>> <bran...@rd.bbc.co.uk> wrote:
>> > >>>>
>> > >>>>>> Is there an organization that coordinates outages like this amongst
>> > >>>>>> the industry?
>> > >>>>>
>> > >>>>> No, usually they are surprise outages though Anonymous have tried
>> > >>>>> coordinating a few
>> > >>>>>
>> > >>>>> brandon
>> > >>>>>
>> > >>>>
>> > >>>> --
>> > >>>> Phil Fagan
>> > >>>> Denver, CO
>> > >>>> 970-480-7618
>> > >>>
>> > >>> --
>> > >>> "Fergie", a.k.a. Paul Ferguson
>> > >>> fergdawgster(at)gmail.com
>> > >>
>> > >> --
>> > >> Phil Fagan
>> > >> Denver, CO
>> > >> 970-480-7618
>> >
>
> --
> -george william herbert
> george.herb...@gmail.com
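The thread above asks for a semi-realtime "dns-health" check and describes two indicators of the hijack: NS records delegated to "localhost." and NS records under a nameserver domain the list was tracking. The following is an added example, not code from the thread or from any of its participants. It parses dig-format NS answers (the layout Paul Ferguson pasted) and flags delegations that match those indicators, optionally comparing against the NS set the registrar's whois record is expected to show. The ztomy.com nameserver domain and the parsonstech.com dig output come from the thread; the localhost sample, the example.org/example.net names and the expected-NS lists are constructed for illustration.

```python
"""Added example: a small 'dns-health' style checker for NS delegations.

Parses dig output for an NS query and flags records matching the hijack
indicators discussed in the thread. Sample inputs below are constructed
(one modelled on the dig output quoted in the thread).
"""
import re
from dataclasses import dataclass, field

# Nameserver domains to watch for (ztomy.com is named in the thread).
WATCHED_NS_DOMAINS = {"ztomy.com."}

# Matches one resource record line in dig's ANSWER SECTION: name TTL IN NS target
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)$")


@dataclass
class NsCheck:
    domain: str
    nameservers: list
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_dig_ns(text: str) -> list:
    """Return (owner, ttl, target) tuples from the ANSWER SECTION of dig output."""
    records = []
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer:
            if not line or line.startswith(";"):
                break  # blank line or next ';;' header ends the answer section
            m = RR_RE.match(line)
            if m:
                records.append((m.group(1), int(m.group(2)), m.group(3).lower()))
    return records


def check_delegation(domain: str, dig_output: str, expected_ns=None) -> NsCheck:
    """Flag NS targets that are 'localhost.', under a watched domain, or
    absent from the expected (registrar-side) nameserver set."""
    targets = [t for _, _, t in parse_dig_ns(dig_output)]
    result = NsCheck(domain=domain, nameservers=targets)
    for ns in targets:
        if ns in ("localhost.", "localhost"):
            result.findings.append(f"NS points to {ns}; domain is effectively unresolvable")
        for watched in WATCHED_NS_DOMAINS:
            if ns == watched or ns.endswith("." + watched):
                result.findings.append(f"NS {ns} is under watched domain {watched}")
    if expected_ns is not None:
        unexpected = sorted(set(targets) - {e.lower() for e in expected_ns})
        if unexpected:
            result.findings.append(f"NS not in expected registrar set: {unexpected}")
    return result


# Constructed sample, modelled on the dig output quoted in the thread.
SAMPLE_ZTOMY = """\
; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;parsonstech.com. IN NS

;; ANSWER SECTION:
parsonstech.com. 172800 IN NS ns2617.ztomy.com.
parsonstech.com. 172800 IN NS ns1617.ztomy.com.

;; Query time: 286 msec
"""

# Constructed sample showing the "localhost." delegation mentioned in the thread.
SAMPLE_LOCALHOST = """\
;; ANSWER SECTION:
example.net. 172800 IN NS localhost.

;; Query time: 12 msec
"""

# Constructed sample of a healthy delegation (hypothetical nameservers).
SAMPLE_CLEAN = """\
;; ANSWER SECTION:
example.org.\t172800\tIN\tNS\tns1.example.org.
example.org.\t172800\tIN\tNS\tns2.example.org.

;; Query time: 9 msec
"""

if __name__ == "__main__":
    for dom, out, exp in (("parsonstech.com", SAMPLE_ZTOMY, None),
                          ("example.net", SAMPLE_LOCALHOST, None),
                          ("example.org", SAMPLE_CLEAN, ["ns1.example.org.", "ns2.example.org."])):
        r = check_delegation(dom, out, exp)
        print(dom, "SUSPICIOUS" if r.suspicious else "ok", r.findings)
```

In practice the `dig_output` argument would be the captured output of `dig <domain> NS` against a resolver of your choosing, and `expected_ns` the nameserver list taken from the registrar's whois record, which is exactly the cross-check the top post says was not lining up.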