The indications and claim are that the root cause was a registrar internal goof, not hostile action against name servers.

The story is not yet detailed enough to add up; getting from point A to point B requires steps that so far don't really make sense. A more detailed explanation is hopefully forthcoming...

On Fri, Jun 21, 2013 at 5:22 PM, Glen Kent <glen.k...@gmail.com> wrote:
> Hi,
>
> Do we know which DNS server started leaking the poisoned entry?
>
> Being new to this, I still don't understand how a hacker could gain access
> to the DNS server and corrupt the entry there. Wouldn't it require special
> admin rights, etc. to log in?
>
> Glen
>
>
> On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>
> > Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
> > have no idea where the poison leaked in, or why. :-)
> >
> > - ferg
> >
> > On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.b...@frozenfeline.net> wrote:
> >
> > > Anyone have news/explanation about what's happening/happened?
> > >
> > >
> > > On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
> > >
> > > > Sure enough:
> > > >
> > > > ; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
> > > > ; (1 server found)
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
> > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > > >
> > > > ;; QUESTION SECTION:
> > > > ;yelp.com.                      IN      A
> > > >
> > > > ;; ANSWER SECTION:
> > > > yelp.com.               300     IN      A       204.11.56.20
> > > >
> > > > ;; Query time: 143 msec
> > > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > > ;; WHEN: Thu Jun 20 07:33:13 2013
> > > > ;; MSG SIZE  rcvd: 42
> > > >
> > > >
> > > > NetRange:       204.11.56.0 - 204.11.59.255
> > > > CIDR:           204.11.56.0/22
> > > > OriginAS:       AS40034
> > > > NetName:        CONFLUENCE-NETWORKS--TX3
> > > > NetHandle:      NET-204-11-56-0-1
> > > > Parent:         NET-204-0-0-0-0
> > > > NetType:        Direct Allocation
> > > > Comment:        Hosted in Austin TX.
> > > > Comment:        Abuse :
> > > > Comment:        ab...@confluence-networks.com
> > > > Comment:        +1-917-386-6118
> > > > RegDate:        2012-09-24
> > > > Updated:        2012-09-24
> > > > Ref:            http://whois.arin.net/rest/net/NET-204-11-56-0-1
> > > >
> > > > OrgName:        Confluence Networks Inc
> > > > OrgId:          CN
> > > > Address:        3rd Floor, Omar Hodge Building, Wickhams
> > > > Address:        Cay I, P.O. Box 362
> > > > City:           Road Town
> > > > StateProv:      Tortola
> > > > PostalCode:     VG1110
> > > > Country:        VG
> > > > RegDate:        2011-04-07
> > > > Updated:        2011-07-05
> > > > Ref:            http://whois.arin.net/rest/org/CN
> > > >
> > > > OrgAbuseHandle: ABUSE3065-ARIN
> > > > OrgAbuseName:   Abuse Admin
> > > > OrgAbusePhone:  +1-917-386-6118
> > > > OrgAbuseEmail:  ab...@confluence-networks.com
> > > > OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE3065-ARIN
> > > >
> > > > OrgNOCHandle:   NOCAD51-ARIN
> > > > OrgNOCName:     NOC Admin
> > > > OrgNOCPhone:    +1-415-462-7734
> > > > OrgNOCEmail:    n...@confluence-networks.com
> > > > OrgNOCRef:      http://whois.arin.net/rest/poc/NOCAD51-ARIN
> > > >
> > > > OrgTechHandle:  TECHA29-ARIN
> > > > OrgTechName:    Tech Admin
> > > > OrgTechPhone:   +1-415-358-0858
> > > > OrgTechEmail:   ipad...@confluence-networks.com
> > > > OrgTechRef:     http://whois.arin.net/rest/poc/TECHA29-ARIN
> > > >
> > > > #
> > > > # ARIN WHOIS data and services are subject to the Terms of Use
> > > > # available at: https://www.arin.net/whois_tou.html
> > > > #
> > > >
> > > > - ferg
> > > >
> > > >
> > > > On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey...@gmail.com> wrote:
> > > >
> > > > > Yelp is evidently also affected
> > > > >
> > > > > On Wed, Jun 19, 2013 at 10:19 PM, John Levine <jo...@iecc.com> wrote:
> > > > >
> > > > > > > Reaching out to DNS operators around the globe. Linkedin.com has had some
> > > > > > > issues with DNS and would like DNS operators to flush their DNS. If you see
> > > > > > > www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then
> > > > > > > please flush your DNS.
> > > > > > >
> > > > > > > Any other info please reach out to me off-list.
> > > > > >
> > > > > > While you're at it, www.usps.com, www.fidelity.com, and other well-known
> > > > > > sites have had DNS poisoning problems. When I restarted my cache, they
> > > > > > look OK.
> > > > >
> > > >
> > > > --
> > > > "Fergie", a.k.a. Paul Ferguson
> > > > fergdawgster(at)gmail.com
> > >
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> > fergdawgster(at)gmail.com
>

--
-george william herbert
george.herb...@gmail.com
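The check the thread asks operators to make by hand (does www.linkedin.com resolve NS to ztomy.com, does yelp.com land in the Confluence Networks block) can be automated against a resolver's dig output. This is an added example, not code from anyone on the thread: it parses dig's ANSWER SECTION in the format pasted above and flags NS answers outside an expected set and A answers inside the 204.11.56.0/22 block from the whois. The EXPECTED_NS hostnames are constructed placeholders, not LinkedIn's real nameservers.

```python
import ipaddress
import re

# Policy inputs. The suspect netblock is the CIDR from the ARIN whois in the
# thread; the suspect NS suffix is the nameserver domain named in the thread.
# EXPECTED_NS values are constructed placeholders, not LinkedIn's real servers.
SUSPECT_NETS = [ipaddress.ip_network("204.11.56.0/22")]
SUSPECT_NS_SUFFIX = ".ztomy.com."
EXPECTED_NS = {"www.linkedin.com.": {"ns1.expected.example.", "ns2.expected.example."}}

# owner  ttl  IN  type  rdata  (dig's default ANSWER SECTION layout)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_answer_section(dig_text):
    """Return (owner, ttl, rrtype, rdata) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for raw in dig_text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line or line.startswith(";"):
                break  # blank line or next ';;' section ends the answer block
            m = RR_RE.match(line)
            if m:
                records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def check_records(records):
    """Return findings for answers showing the symptoms discussed in the thread."""
    findings = []
    for owner, _ttl, rrtype, rdata in records:
        if rrtype == "NS":
            expected = EXPECTED_NS.get(owner.lower())
            if rdata.lower().endswith(SUSPECT_NS_SUFFIX) or (expected and rdata.lower() not in expected):
                findings.append(f"{owner} NS {rdata}: unexpected nameserver; flush cache, verify delegation")
        elif rrtype == "A":
            for net in SUSPECT_NETS:
                if ipaddress.ip_address(rdata) in net:
                    findings.append(f"{owner} A {rdata}: inside suspect netblock {net}")
    return findings


def check_dig_output(dig_text):
    return check_records(parse_answer_section(dig_text))


# Constructed samples: the yelp.com answer from the thread, and a made-up NS answer.
YELP_DIG = ";; ANSWER SECTION:\nyelp.com.\t\t300\tIN\tA\t204.11.56.20\n\n;; Query time: 143 msec\n"
LINKEDIN_DIG = (";; ANSWER SECTION:\nwww.linkedin.com.\t300\tIN\tNS\tns1617.ztomy.com.\n"
                "www.linkedin.com.\t300\tIN\tNS\tns2617.ztomy.com.\n\n;; Query time: 10 msec\n")

if __name__ == "__main__":
    for text in (YELP_DIG, LINKEDIN_DIG):
        print("\n".join(check_dig_output(text)))
```

Feed it the saved output of `dig @localhost <name> A` or `dig @localhost <name> NS` against each cache you operate; an empty result means the cache agrees with your expected delegation and netblocks.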