The indications and claim are that the root cause was registrar internal
goof, not hostile action against name servers.

The story is not yet detailed enough to add up; getting from point A to
point B requires steps that so far don't really make sense.  A more
detailed explanation is hopefully to be forthcoming...



On Fri, Jun 21, 2013 at 5:22 PM, Glen Kent <glen.k...@gmail.com> wrote:

> Hi,
>
> Do we know which DNS server started leaking the poisoned entry?
>
> Being new to this, I still don't understand how a hacker could gain access
> to the DNS server and corrupt the entry there? Wouldn't it require special
> admin rights, etc. to log in?
>
> Glen
>
>
> On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>
> > Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
> > have no idea where the poison leaked in, or why. :-)
> >
> > - ferg
> >
> > On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.b...@frozenfeline.net>
> > wrote:
> >
> > > Anyone have news/explanation about what's happening/happened?
> > >
> > >
> > > On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
> > >
> > >> Sure enough:
> > >>
> > >>
> > >>
> > >>  ; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
> > >>  ; (1 server found)
> > >>  ;; global options: +cmd
> > >>  ;; Got answer:
> > >>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
> > >>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > >>
> > >>  ;; QUESTION SECTION:
> > >>  ;yelp.com. IN A
> > >>
> > >>  ;; ANSWER SECTION:
> > >>  yelp.com. 300 IN A 204.11.56.20
> > >>
> > >>  ;; Query time: 143 msec
> > >>  ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > >>  ;; WHEN: Thu Jun 20 07:33:13 2013
> > >>  ;; MSG SIZE  rcvd: 42
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> NetRange: 204.11.56.0 - 204.11.59.255
> > >> CIDR: 204.11.56.0/22
> > >> OriginAS: AS40034
> > >> NetName: CONFLUENCE-NETWORKS--TX3
> > >> NetHandle: NET-204-11-56-0-1
> > >> Parent: NET-204-0-0-0-0
> > >> NetType: Direct Allocation
> > >> Comment: Hosted in Austin TX.
> > >> Comment: Abuse :
> > >> Comment: ab...@confluence-networks.com
> > >> Comment: +1-917-386-6118
> > >> RegDate: 2012-09-24
> > >> Updated: 2012-09-24
> > >> Ref: http://whois.arin.net/rest/net/NET-204-11-56-0-1
> > >>
> > >> OrgName: Confluence Networks Inc
> > >> OrgId: CN
> > >> Address: 3rd Floor, Omar Hodge Building, Wickhams
> > >> Address: Cay I, P.O. Box 362
> > >> City: Road Town
> > >> StateProv: Tortola
> > >> PostalCode: VG1110
> > >> Country: VG
> > >> RegDate: 2011-04-07
> > >> Updated: 2011-07-05
> > >> Ref: http://whois.arin.net/rest/org/CN
> > >>
> > >> OrgAbuseHandle: ABUSE3065-ARIN
> > >> OrgAbuseName: Abuse Admin
> > >> OrgAbusePhone: +1-917-386-6118
> > >> OrgAbuseEmail: ab...@confluence-networks.com
> > >> OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3065-ARIN
> > >>
> > >> OrgNOCHandle: NOCAD51-ARIN
> > >> OrgNOCName: NOC Admin
> > >> OrgNOCPhone: +1-415-462-7734
> > >> OrgNOCEmail: n...@confluence-networks.com
> > >> OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN
> > >>
> > >> OrgTechHandle: TECHA29-ARIN
> > >> OrgTechName: Tech Admin
> > >> OrgTechPhone: +1-415-358-0858
> > >> OrgTechEmail: ipad...@confluence-networks.com
> > >> OrgTechRef: http://whois.arin.net/rest/poc/TECHA29-ARIN
> > >>
> > >>
> > >> #
> > >> # ARIN WHOIS data and services are subject to the Terms of Use
> > >> # available at: https://www.arin.net/whois_tou.html
> > >> #
> > >>
> > >> - ferg
> > >>
> > >>
> > >>
> > >> On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey...@gmail.com> wrote:
> > >>
> > >> > Yelp is evidently also affected
> > >> >
> > >> > On Wed, Jun 19, 2013 at 10:19 PM, John Levine <jo...@iecc.com> wrote:
> > >> >
> > >> >> >Reaching out to DNS operators around the globe. Linkedin.com has had some
> > >> >> >issues with DNS and would like DNS operators to flush their DNS. If you see
> > >> >> >www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then
> > >> >> >please flush your DNS.
> > >> >> >
> > >> >> >Any other info please reach out to me off-list.
> > >> >>
> > >> >> While you're at it, www.usps.com, www.fidelity.com, and other well
> > >> >> known sites have had DNS poisoning problems.  When I restarted my
> > >> >> cache, they look OK.
> > >> >>
> > >> >>
> > >> >>
> > >>
> > >>
> > >>
> > >> --
> > >> "Fergie", a.k.a. Paul Ferguson
> > >>  fergdawgster(at)gmail.com
> > >>
> > >>
> >
> >
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  fergdawgster(at)gmail.com
> >
> >
>



-- 
-george william herbert
george.herb...@gmail.com
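John Levine's advice in the thread (watch for www.linkedin.com delegating to the ztomy.com nameservers and flush your cache if it does) and Ferguson's dig spot-check can be scripted against a resolver's own answers. The block below is an added example, not code from anyone in this thread; it parses dig's ANSWER SECTION from constructed sample text modelled on the quoted output and flags records an operator would want to purge from cache. The `bad_ns_suffixes` default and the `expected_a` known-good address (a documentation-range placeholder) are assumptions standing in for an operator's own lists.

```python
import re

# Constructed sample modelled on the dig output quoted in the thread
# (yelp.com -> 204.11.56.20) plus constructed NS/CNAME answers for
# www.linkedin.com pointing at the nameservers the thread says to watch for.
SAMPLE_DIG = """\
;; ANSWER SECTION:
yelp.com.\t\t300\tIN\tA\t204.11.56.20
www.linkedin.com.\t300\tIN\tNS\tns1617.ztomy.com.
www.linkedin.com.\t300\tIN\tNS\tns2617.ztomy.com.
www.linkedin.com.\t300\tIN\tCNAME\twww.example.net.

;; Query time: 143 msec
"""

# owner  ttl  class  type  rdata   (dig's presentation format, whitespace-separated)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+(\S+)\s+(\S.*)$")

def parse_answer_section(dig_text):
    """Return (name, ttl, rtype, rdata) tuples from dig's ANSWER SECTION only."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):   # next section begins
            break
        m = RR_RE.match(line.strip())
        if in_answer and m:
            name, ttl, _cls, rtype, rdata = m.groups()
            records.append((name.lower().rstrip("."), int(ttl),
                            rtype, rdata.lower().rstrip(".")))
    return records

def find_suspect_records(records, bad_ns_suffixes=("ztomy.com",), expected_a=None):
    """Flag NS rdata under a watched parent domain and A records that are not in
    the operator's known-good set (expected_a maps owner name -> set of IPs)."""
    expected_a = expected_a or {}
    suspects = []
    for name, _ttl, rtype, rdata in records:
        if rtype == "NS" and any(rdata == s or rdata.endswith("." + s)
                                 for s in bad_ns_suffixes):
            suspects.append((name, rtype, rdata, "NS delegation to watched domain"))
        elif rtype == "A" and name in expected_a and rdata not in expected_a[name]:
            suspects.append((name, rtype, rdata, "A record not in known-good set"))
    return suspects

if __name__ == "__main__":
    # 198.51.100.10 is a constructed placeholder for the operator's known-good address.
    for hit in find_suspect_records(parse_answer_section(SAMPLE_DIG),
                                    expected_a={"yelp.com": {"198.51.100.10"}}):
        print("FLUSH CANDIDATE:", hit)
```

In practice the input would be the text of `dig @localhost <name> <type>` against the cache in question, and each flagged owner name is what you would purge (e.g. with `rndc flushname`) before re-querying.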