[nsp-sec] rogue dns servers - endpoint moved
Jose Nazario
jose at arbor.net
Thu Jan 8 15:34:01 EST 2009
currently scanning and inventorying the 85.255.112.0/20 block of rogue dns
servers. they all seem to point otherwise junk requests to this IP:
93.190.141.136
e.g.:
85.255.113.146 ['2177667.1393088', 360, ['93.190.141.136']]
85.255.113.147 ['764356.941801', 360, ['93.190.141.136']]
85.255.113.148 ['110548.1659272', 360, ['93.190.141.136']]
85.255.113.149 ['1800370.1681101', 360, ['93.190.141.136']]
85.255.113.150 ['112756.1879187', 360, ['93.190.141.136']]
(ns, query, ttl, A record result)
AS | IP | AS Name
15435 | 93.190.141.136 | KABELFOON CAIW Autonomous System
redirects you via a frameset (for nothing queried in) to:
hxxp://93.190.141.135/index.php
AS | IP | AS Name
15435 | 93.190.141.135 | KABELFOON CAIW Autonomous System
and that gives you a 302 ...
so far i don't see malcode there but i'm making sure i didn't miss
anything.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/
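The check described in the post (send a junk name to each resolver and see whether it answers, and with what) can be automated offline against the inventory format shown above. The following is an added example, not code from the post or from Arbor; it uses only the Python standard library. It parses records in the (ns, query, ttl, A result) layout the post prints, groups resolvers by the IP they redirect junk names to, and builds/parses the minimal DNS A query a probe would send. The control resolver 192.0.2.53 and its empty answer are constructed sample data, not an observation from the post; a legitimate resolver returns NXDOMAIN (no A records) for a random label, so any A record at all is the signal.

```python
"""Inventory check for rogue resolvers: a random label nobody registered should
yield NXDOMAIN (no A records). A resolver that answers anyway, and with the same
IP every time, is redirecting its clients to that host."""
import ast
import random
import socket
import struct
from collections import defaultdict

# Constructed sample in the post's format: ns ['query', ttl, [A records]].
# 192.0.2.53 (RFC 5737 documentation range) stands in for a clean control resolver.
SAMPLE_INVENTORY = """\
85.255.113.146 ['2177667.1393088', 360, ['93.190.141.136']]
85.255.113.147 ['764356.941801', 360, ['93.190.141.136']]
85.255.113.148 ['110548.1659272', 360, ['93.190.141.136']]
192.0.2.53 ['5551212.9081726', 0, []]
"""


def junk_qname():
    """Random numeric labels like the ones in the post; collision with a real name is negligible."""
    return "%d.%d" % (random.randrange(10**5, 10**7), random.randrange(10**5, 10**7))


def parse_inventory(text):
    """Parse 'ns [query, ttl, [answers]]' lines into (ns, query, ttl, answers) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ns, _, rest = line.partition(" ")
        query, ttl, answers = ast.literal_eval(rest)  # the tail is a Python literal
        records.append((ns, query, int(ttl), list(answers)))
    return records


def classify(records):
    """Map each resolver to the set of IPs it returned for junk names.
    A non-empty set means the resolver answered a name that should not exist."""
    by_ns = defaultdict(set)
    for ns, _query, _ttl, answers in records:
        by_ns[ns].update(answers)
    return dict(by_ns)


def redirect_targets(records):
    """Group offending resolvers by the IP they redirect to (the landing host)."""
    targets = defaultdict(set)
    for ns, _query, _ttl, answers in records:
        for ip in answers:
            targets[ip].add(ns)
    return {ip: sorted(nss) for ip, nss in targets.items()}


def build_a_query(qname, txid=0x1234):
    """Minimal recursive A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_answers(resp):
    """Return (ttl, [A record IPs]) from a raw response; an empty list means no A data."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ttl, ips = 0, []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, rttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
            ttl = rttl
        off += rdlen
    return ttl, ips


def constructed_response(qname, ttl, ip, txid=0x1234):
    """Constructed (not captured) reply of the kind a redirecting resolver returns:
    echoes the question, then one A record whose name is a pointer to offset 12."""
    query = build_a_query(qname, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


if __name__ == "__main__":
    recs = parse_inventory(SAMPLE_INVENTORY)
    for target, resolvers in redirect_targets(recs).items():
        print("%s <- %d resolvers: %s" % (target, len(resolvers), ", ".join(resolvers)))
    print(parse_a_answers(constructed_response(junk_qname(), 360, "93.190.141.136")))
```

Resolvers that appear in redirect_targets are the ones to block or report; the classify view is the per-resolver form, useful when checking a single host's configured DNS servers against this pattern.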