[nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524) ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?
Brian Allen
ballen at wustl.edu
Thu May 8 18:13:54 EDT 2008
Ah ha, found them in my history. These two hostnames were in the Univ
of Auckland's passive dns for 208.73.212.12 at 2:30pm Central today:
almbarcoz.info, majzufaiuq.info
RUS-CERT only had almbarcoz.info listed.
I checked my dns logs a few minutes after 2:30pm and found gmal.com and
searchportal.information.com, both of which resolved to
208.73.212.12. Now there are a ton, as BrianE reported.
I'm waiting on sending out infected notices to my admins until I can
gather more info, but I've got a decent amount of traffic to
208.73.212.12, probably 38 machines or so.
Thanks,
Brian Allen
Network Security Analyst
Washington University
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Brian Eckman
> Sent: Thursday, May 08, 2008 4:49 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524)
> ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?
>
> ----------- nsp-security Confidential --------
>
> Two nameservers are being used to return the IP address 208.73.212.12
> for any query. Earlier today, the RUS-CERT Passive DNS Database
> reportedly (a trusted source told me) knew of only one name for that IP
> address. Now it knows well over 500 (and probably over 1,000).
>
> 500 names pointing to it:
> http://cert.uni-stuttgart.de/stats/dns-replication.php?query=208.73.212.12&submit=Query
>
> Other evidence:
>
> > nslookup www.google.com NS1.DSREDIRECTION.COM
> Server: NS1.DSREDIRECTION.COM
> Address: 204.13.160.15#53
>
> Name: www.google.com
> Address: 208.73.212.12
>
> > host NS1.DSREDIRECTION.COM
> NS1.DSREDIRECTION.COM has address 204.13.160.15
>
> > host NS2.DSREDIRECTION.COM
> NS2.DSREDIRECTION.COM has address 204.13.161.15
>
>
> AS    | IP            | AS Name
> 33626 | 204.13.160.15 | OVERSEE-DOT-NET - Oversee.net
> 33626 | 204.13.161.15 | OVERSEE-DOT-NET - Oversee.net
> 33626 | 208.73.212.12 | OVERSEE-DOT-NET - Oversee.net
>
> PEER_AS | IP            | AS Name
> 701     | 204.13.161.15 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> 2914    | 204.13.161.15 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3356    | 204.13.161.15 | LEVEL3 Level 3 Communications
> 27524   | 204.13.161.15 | XEEX-COMMUNICATIONS - Xeex
>
>
> Many of the domain names using ns1.dsredirection.com and
> ns2.dsredirection.com as authoritative are shady looking - a number
> are obvious typo-squatting, such as gmal.com (gmail), wikipeda.org
> (wikipedia), and such.
>
> This stinks really badly - but I don't have solid proof of massive
> evilness outside of what I've presented thus far. Can anyone (Cymru,
> perhaps?) look into it some more - I gotta get home for parent duties...
>
> Thanks,
> Brian
> --
> Brian Eckman, Security Analyst
> University of Minnesota
> Office of Information Technology
> Security & Assurance
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
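The check Brian Eckman ran by hand above (ask the suspect nameserver for names it has no business answering, and see whether everything comes back as 208.73.212.12) can be scripted so the same probe is repeatable across nameservers and over time. The following is an added example, not code from either post or from RUS-CERT; it uses only the Python standard library, speaks plain UDP DNS with no EDNS or TCP fallback (so large or truncated answers are not handled), and the probe names, the query IDs and the embedded sample response packet are all constructed for illustration.

```python
"""Probe a nameserver for catch-all A answers (added example, stdlib only).

Sends A queries for several unrelated names directly to one nameserver and
flags it when every name resolves to the same single address, which is the
behaviour reported for ns1/ns2.dsredirection.com in the thread above.
"""
import socket
import struct
import sys

# Constructed probe list: names no single legitimate authoritative server
# should answer for. Any mix of unrelated zones works.
PROBE_NAMES = ["www.google.com", "wikipedia.org", "example.net", "www.ietf.org"]


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """Build a minimal A/IN query: 12-byte header (RD set) + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                # name ends after first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data):
    """Return id, rcode and the A records (name, ttl, ip) in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": flags & 0xF, "answers": answers}


def is_catch_all(results, min_names=3):
    """results: {name: [ip, ...]}. True when every probed name got exactly the
    same single address. A name with no answer rules catch-all out."""
    ips = set()
    for addrs in results.values():
        if not addrs:
            return False, None
        ips.update(addrs)
    if len(results) >= min_names and len(ips) == 1:
        return True, next(iter(ips))
    return False, None


def query_nameserver(ns_ip, names, timeout=3.0):
    """Query ns_ip directly over UDP/53 for each name; drop mismatched IDs."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i, name in enumerate(names):
            qid = 0x4000 + i
            sock.sendto(build_query(name, qid), (ns_ip, 53))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                results[name] = []
                continue
            resp = parse_response(data)
            results[name] = [] if resp["id"] != qid else [ip for _, _, ip in resp["answers"]]
    return results


def sample_response():
    """Constructed reply modelled on the nslookup output above: one A record
    for www.google.com -> 208.73.212.12, name compressed to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("www.google.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("208.73.212.12")
    return header + question + answer


if __name__ == "__main__":
    ns = sys.argv[1] if len(sys.argv) > 1 else "204.13.160.15"   # ns1.dsredirection.com per the post
    res = query_nameserver(ns, PROBE_NAMES)
    flag, ip = is_catch_all(res)
    for name, addrs in res.items():
        print(f"{name:20s} -> {', '.join(addrs) or '(no answer)'}")
    print("CATCH-ALL:", ip if flag else "no")
```

Run it as `python probe.py 204.13.160.15` to reproduce the check live; the offline helpers (`parse_response`, `is_catch_all`) let you test the parser and the verdict logic against captured packets without touching the network. Querying the server itself rather than your recursive resolver matters here: a resolver would never consult ns1.dsredirection.com for www.google.com, so the catch-all behaviour is only visible when you address the authoritative server directly, exactly as the nslookup in the post does.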