[nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524) ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?

Tino Steward tsteward at us.ntt.net
Mon May 12 09:58:30 EDT 2008


2914 ack'd
On Thu, May 08, 2008 at 04:49:00PM -0500, Brian Eckman wrote:
> ----------- nsp-security Confidential --------
> 
> Two nameservers are being used to return the IP address 208.73.212.12 for 
> any query. Earlier today, the RUS-CERT Passive DNS Database reportedly (a 
> trusted source told me) knew of only one name for that IP address. Now it 
> knows well over 500 (and probably over 1,000).
> 
> 500 names pointing to it:
> http://cert.uni-stuttgart.de/stats/dns-replication.php?query=208.73.212.12&submit=Query
> 
> Other evidence:
> 
>  > nslookup www.google.com NS1.DSREDIRECTION.COM
> Server:         NS1.DSREDIRECTION.COM
> Address:        204.13.160.15#53
> 
> Name:   www.google.com
> Address: 208.73.212.12
> 
>  > host NS1.DSREDIRECTION.COM
> NS1.DSREDIRECTION.COM has address 204.13.160.15
> 
>  > host NS2.DSREDIRECTION.COM
> NS2.DSREDIRECTION.COM has address 204.13.161.15
> 
> 
> AS      | IP               | AS Name
> 33626   | 204.13.160.15    | OVERSEE-DOT-NET - Oversee.net
> 33626   | 204.13.161.15    | OVERSEE-DOT-NET - Oversee.net
> 33626   | 208.73.212.12    | OVERSEE-DOT-NET - Oversee.net
> 
> PEER_AS | IP               | AS Name
> 701     | 204.13.161.15    | UUNET - MCI Communications Services, Inc. d/b/a 
> Verizon Business
> 2914    | 204.13.161.15    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3356    | 204.13.161.15    | LEVEL3 Level 3 Communications
> 27524   | 204.13.161.15    | XEEX-COMMUNICATIONS - Xeex
> 
> 
> Many of the domain names using ns1.dsredirection.com and 
> ns2.dsredirection.com as authoritative are shady looking - a number are 
> obvious typo-squatting, such as gmal.com (gmail), wikipeda.org (wikipedia), 
> and such.
> 
> This stinks really badly - but I don't have solid proof of massive evilness 
> outside of what I've presented thus far. Can anyone (Cymru, perhaps?) look 
> into it some more - I gotta get home for parent duties...
> 
> Thanks,
> Brian
> -- 
> Brian Eckman, Security Analyst
> University of Minnesota
> Office of Information Technology
> Security & Assurance
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________

-- 

Tino T. Steward SNA1 - Security & Abuse	                                     tsteward at us.ntt.net
NTT Communications Global IP Network Operations Center                       
214-853-7344 (Ph.)                                                           214.800.7771 (Fax) 

AUP online: http://www.nttamerica.com/legal/internet/acceptable_policy.html 
AUP online: http://www.ntt.net/library/pdf/AUP.pdf 

Check http://www.cert.org for some of the latest documented exploits and your OS manufacturer for the latest security patches.

Intruder detection: http://www.cert.org/tech_tips/intruder_detection_checklist.html

Latest viruses: http://www.cert.org

Recovering from a compromised host: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html 
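The test Brian ran by hand above (send a query for a name the server has no business answering, such as www.google.com, straight to the nameserver, and see whether it hands back the same address it hands back for everything else) can be scripted so it is repeatable and does not depend on nslookup's output format. The following is an added example written for this archive page, not code from the thread or from anyone on the list. It speaks raw DNS wire format (RFC 1035) so the parsing is under your control; the nameserver address is a command-line argument, the two well-known names in `probe()` and the random `.invalid` label are assumptions for the sake of the check, and `build_response()` only constructs a sample answer so the parser can be exercised offline.

```python
"""Catch-all probe: does an authoritative nameserver return the same A record for any name?

Added example, not from the original post. build_query/parse_a_records speak raw
DNS wire format; build_response only constructs a sample answer for offline testing.
"""
import random
import socket
import string
import struct


def build_query(name, qid=0x1234):
    """Standard recursion-desired A/IN query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(data, off):
    """Decode a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                       # resume here after following the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(data):
    """Return the IPv4 addresses in the answer section of a wire-format response."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = _read_name(data, off)
        off += 4                                    # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def build_response(name, addrs, qid=0x1234, ttl=300):
    """Constructed sample response (offline testing only): the answer owner name is a
    compression pointer (0xC00C) back to the question name, as real servers emit."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    body = build_query(name, qid)[12:]
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return header + body


def query_a(server, name, timeout=3.0):
    """Send one A query directly to `server` on UDP/53 and return the answer IPs."""
    qid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def looks_like_catchall(answers):
    """answers: {name: [A records]}. True when every probed name, including one the
    server cannot legitimately be authoritative for, got the same non-empty answer."""
    sets = [frozenset(a) for a in answers.values()]
    return len(sets) > 1 and all(s and s == sets[0] for s in sets)


def probe(server, names=("www.google.com", "www.example.com")):
    """Query a few well-known names plus one random label that cannot exist (assumed set)."""
    junk = "".join(random.choices(string.ascii_lowercase, k=12)) + ".invalid"
    answers = {n: query_a(server, n) for n in (*names, junk)}
    return looks_like_catchall(answers), answers


if __name__ == "__main__":
    import sys
    flagged, seen = probe(sys.argv[1])            # e.g. probe("204.13.160.15")
    for n, a in seen.items():
        print(f"{n:40} {', '.join(a) or '(no A record)'}")
    print("catch-all behaviour:", flagged)
```

The random `.invalid` label is the important input: a wildcard inside a zone the server legitimately hosts would also answer for every name under that zone, but a server that returns an address for a name it is not authoritative for at all, and the same address for www.google.com, is doing exactly what the nslookup output above shows. Cross-check any hit against passive DNS (as Brian did) before drawing conclusions, since a single probe only shows behaviour at that moment from your vantage point.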