[nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524) ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?
Chris Morrow
morrowc at ops-netman.net
Mon May 12 10:54:21 EDT 2008
On Mon, 12 May 2008, Tino Steward wrote:
> ----------- nsp-security Confidential --------
>
> 2914 ack'd
> On Thu, May 08, 2008 at 04:49:00PM -0500, Brian Eckman wrote:
>> ----------- nsp-security Confidential --------
>>
>> Two nameservers are being used to return the IP address 208.73.212.12 for
>> any query. Earlier today, the RUS-CERT Passive DNS Database reportedly (a
>> trusted source told me) knew of only one name for that IP address. Now it
>> knows well over 500 (and probably over 1,000).
>>
>> AS | IP | AS Name
>> 33626 | 204.13.160.15 | OVERSEE-DOT-NET - Oversee.net
>> 33626 | 204.13.161.15 | OVERSEE-DOT-NET - Oversee.net
>> 33626 | 208.73.212.12 | OVERSEE-DOT-NET - Oversee.net
>>
>> obvious typo-squatting, such as gmal.com (gmail), wikipeda.org (wikipedia),
>> and such.
>>
>> This stinks really badly - but I don't have solid proof of massive evilness
>> outside of what I've presented thus far. Can anyone (Cymru, perhaps?) look
>> into it some more - I gotta get home for parent duties...
so.. oversee is a domain squatter... this I think is the same situation as
that obnoxious NS set in njiix.net that has a wildcard for . :( this works
well (kinda) until someone accidentally points your domain at it, or your
resolv.conf :(
-Chris
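A way to check for the catch-all behaviour Brian and Chris describe, as an added example that is not part of the original thread: it sends A queries for random, constructed, nonexistent names under unrelated TLDs directly to a nameserver IP (bypassing the local resolver) and flags the server when every answer is the same single address. The server IP is taken from the command line rather than assumed; the `build_response` helper exists only so the packet parser can be exercised offline. The address 208.73.212.12 used in the comments is the one reported in the thread.

```python
"""Probe a nameserver for catch-all ('wildcard for .') A answers.

Added example; the probe names are constructed and should not exist.
"""
import random
import socket
import string
import struct
import sys

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted name as RFC 1035 labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qid, rd=1):
    """Standard A/IN query; RD bit set so recursive servers answer too."""
    header = struct.pack("!HHHHHH", qid, rd << 8, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query, ips):
    """Constructed reply to `query` carrying the given A records (offline testing only)."""
    qid, = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    rrs = b""
    for ip in ips:
        # 0xC00C = compression pointer to the question name at offset 12
        rrs += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4)
        rrs += socket.inet_aton(ip)
    return header + query[12:] + rrs


def skip_name(data, offset):
    """Offset just past a (possibly compressed) name starting at `offset`."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response):
    """Return (qid, [IPv4 strings]) from the answer section."""
    qid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(response, offset) + 4  # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        offset = skip_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    return qid, ips


def random_probe_names(count, tlds=("com", "org", "net")):
    """Constructed 20-character labels under unrelated TLDs; a real zone should NXDOMAIN them."""
    return ["".join(random.choice(string.ascii_lowercase) for _ in range(20))
            + "." + tlds[i % len(tlds)] for i in range(count)]


def udp_exchange(ns_ip, packet, timeout=3.0):
    """Send one query straight to `ns_ip`:53, not through the local resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (ns_ip, 53))
        return s.recv(4096)


def probe_wildcard(ns_ip, names, exchange=udp_exchange):
    """Map each probe name to the A records the server returned ([] on timeout/garbage)."""
    results = {}
    for name in names:
        qid = random.randrange(0x10000)
        try:
            rid, ips = parse_a_records(exchange(ns_ip, build_query(name, qid)))
            results[name] = ips if rid == qid else []
        except (OSError, struct.error, IndexError):
            results[name] = []
    return results


def is_catch_all(results):
    """True when every nonexistent name came back with the same single answer set."""
    answers = [tuple(ips) for ips in results.values()]
    return bool(answers) and all(answers) and len(set(answers)) == 1


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <nameserver-ip>")
    res = probe_wildcard(sys.argv[1], random_probe_names(6))
    for n, ips in res.items():
        print(f"{n:32} -> {ips or 'no answer'}")
    print("catch-all:", is_catch_all(res))  # True for a server answering 208.73.212.12 to everything
```

Probing from several vantage points and with names under TLDs the operator does not control is what separates a genuine catch-all from a legitimate wildcard within one zone; a server that only answers for its own zones will return NXDOMAIN or REFUSED for the probes and the check reports False.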