Is This a Virus?

Edsonet administrator at yellowhead.com
Thu Aug 17 15:02:18 UTC 2000


I complained long ago about this situation and couldn't get anyone
to listen. We have been hit twice, and both times the only common link was
webpower.com. The problem originates when a fictitious domain is registered
and points to a DNS that the hacker has access to. The hacker then somehow
loads the DNS records in the cache of the targeted DNS claiming to have
authority for the .com domain. When someone in your domain requests the
fictitious site, it then supplies a non-authoritative response to your DNS
and replaces the information in your cache for the .com domain. Any
subsequent requests to your DNS for a non-cached .com domain go to one of
the webpower.com servers, which of course can't respond properly. The only
cure is to set your DNS to accept authoritative answers only.

The first time, I was able to actually duplicate the situation and
recovered the information below. The second time, the cache on the
offending DNS had been cleared before I could get to it.

J.A. Coutts
Systems Engineer
Edsonet/TravPro
---------- 6/13/2000 --------------------------------------------
16:15:07   Reply from 205.188.185.18 about A-record for www.natural38dds.com.:
16:15:07   -> Authority: NS-record for natural38dds.com. =
myifriendsns1.webpower.com.
16:15:07   -> Authority: NS-record for natural38dds.com. =
myifriendsns2.webpower.com.
16:15:07   -> Additional: A-record for myifriendsns1.webpower.com. =
204.180.135.105
16:15:07   -> Additional: A-record for myifriendsns2.webpower.com. =
207.76.82.105
16:15:07   Sending request to myifriendsns1.webpower.com. (204.180.135.105)
for A-record for www.natural38dds.com.
16:15:07   Reply from 204.180.135.105 about A-record for
www.natural38dds.com.:
16:15:07   -> Answer: A-record for www.natural38dds.com. = 204.180.135.105
16:15:07   -> Authority: NS-record for com. = com.
16:15:07   -> Additional: A-record for com. = 204.180.135.105
16:15:07   Sending reply to 207.34.82.6 about A-record for
www.natural38dds.com.:
16:15:07   -> Answer: A-record for www.natural38dds.com. = 204.180.135.105
16:15:07   -> Authority: NS-record for com. = com.
16:15:07   -> Additional: A-record for com. = 204.180.135.105

16:15:30   Request from 207.34.82.130 for A-record for store.traders.com.
16:15:30   Sending request to com. (204.180.135.105) for A-record for
store.traders.com.
16:15:30   Reply from 204.180.135.105 about A-record for store.traders.com.:
16:15:30   -> Header: Name does not exist!
16:15:30   -> Authority: SOA-record for com. = com. (Serial 92)
16:15:30   Sending reply to 207.34.82.130 about A-record for
store.traders.com.:
16:15:30   -> Header: Name does not exist!
16:15:30   -> Authority: SOA-record for com. = com. (Serial 92)
----------------------------------------------
Authoritative Answer: No
Recursion Available: Yes

Answer:
No SOA-Records exist for www.natural38dds.com

Authority:
SOA-record for com. = com.
    Responsible Person = root at com.
    Serial Number = 92
    Refresh Interval = 3 Hours
    Retry Interval = 15 Minutes
    Expire Interval = 7 Days
    Default / Minimum TTL = 1 Day
    TTL = 23 Hours, 59 Minutes, 43 Seconds
----------------------------------------------------

Authoritative Answer: No
Recursion Available: Yes

Answer:
No NS-Records exist for www.natural38dds.com

Authority:
SOA-record for com. = com.
    Responsible Person = root at com.
    Serial Number = 92
    Refresh Interval = 3 Hours
    Retry Interval = 15 Minutes
    Expire Interval = 7 Days
    Default / Minimum TTL = 1 Day
    TTL = 1 Day

----------------------------------------------------
Authoritative Answer: No
Recursion Available: Yes

Answer:
A-record for www.natural38dds.com. = 204.180.135.105
    TTL = 10 Seconds

Authority:
NS-record for com. = com.
    TTL = 1 Day

Additional:
A-record for com. = 204.180.135.105
    TTL = 1 Day
****************** SECOND INCIDENT ****************
-------------------- July 6, 2000 --------------------------
12:04:16   Sending request to ns2.escape.ca. (198.163.232.254) for A-record
for finelinecommunications.com.
12:04:16   Reply from 198.163.232.254 about A-record for
finelinecommunications.com.:
12:04:16   -> Authority: NS-record for com. = myifriendsns1.webpower.com.
12:04:16   -> Additional: A-record for myifriendsns1.webpower.com. =
204.180.135.105
12:04:17   ** Error: Lame delegation for finelinecommunications.com. on
ns2.escape.ca. (198.163.232.254)
12:04:17   Sending request to ns1.escape.ca. (198.163.232.253) for A-record
for finelinecommunications.com.
12:04:17   Reply from 198.163.232.253 about A-record for
finelinecommunications.com.:
12:04:17   -> Authority: NS-record for com. = myifriendsns1.webpower.com.
12:04:17   -> Additional: A-record for myifriendsns1.webpower.com. =
204.180.135.105
12:04:17   ** Error: Lame delegation for finelinecommunications.com. on
ns1.escape.ca. (198.163.232.253)
12:04:17   Sending reply to 207.34.82.5 about A-record for
finelinecommunications.com.:
12:04:17   -> Header: Server Failure.
----------------------------------------------
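The log above shows a reply from the natural38dds.com nameserver whose Authority and Additional sections carry records for `com.` itself, which the resolver then cached. The following is an added example, not part of the original post: a "bailiwick" filter of the kind a resolver applies to discard records outside the zone the queried server was consulted for. The record tuples are constructed from the log; the function names are the example's own.

```python
# Added example: bailiwick filtering of DNS reply sections (defensive check).
# A resolver that asked a server about `zone` should only cache Authority and
# Additional records whose owner name is `zone` or a name beneath it. Records
# for `com.` returned by a server that is only authoritative for
# natural38dds.com. are out of bailiwick and must be dropped, not cached.

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or is a subdomain of it (FQDN names)."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if zone == "":  # the root zone covers every name
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_reply(zone, answer, authority, additional):
    """Split a reply (lists of (owner, rrtype, rdata) tuples) obtained from a
    server consulted for `zone` into records safe to cache and records to
    discard. The Answer section is filtered by the same rule."""
    accepted, rejected = [], []
    for rr in answer + authority + additional:
        (accepted if in_bailiwick(rr[0], zone) else rejected).append(rr)
    return accepted, rejected


def check_poisoned_reply():
    """Re-run the 16:15:07 reply from 204.180.135.105 (constructed from the
    log above) through the filter. The resolver had been referred to that
    server for natural38dds.com., so that is the bailiwick."""
    zone = "natural38dds.com."
    answer = [("www.natural38dds.com.", "A", "204.180.135.105")]
    authority = [("com.", "NS", "com.")]
    additional = [("com.", "A", "204.180.135.105")]
    return filter_reply(zone, answer, authority, additional)


def check_delegation_reply():
    """The earlier referral from 205.188.185.18, a server consulted for com.:
    NS records for natural38dds.com. plus glue under webpower.com. are all
    inside the com. bailiwick and are legitimately cacheable."""
    zone = "com."
    authority = [("natural38dds.com.", "NS", "myifriendsns1.webpower.com."),
                 ("natural38dds.com.", "NS", "myifriendsns2.webpower.com.")]
    additional = [("myifriendsns1.webpower.com.", "A", "204.180.135.105"),
                  ("myifriendsns2.webpower.com.", "A", "207.76.82.105")]
    return filter_reply(zone, [], authority, additional)
```

With this rule in place the bogus `com.` NS and glue records never reach the cache, so later lookups such as store.traders.com. still go to the real .com servers.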