[nsp-sec] rogue dns servers - endpoint moved
Dave Woutersen (GOVCERT.NL)
dave.woutersen at govcert.nl
Fri Jan 9 05:32:49 EST 2009
Hello,
Because of this behavior I sent a mail to CAIW on the 22nd of December,
however without any reply. I'll try to see if I can get in touch with
someone by phone, but so far no luck. The problem is that this A record for bogus
names could be randomly chosen and CAIW is just unlucky. But they
could at least check that IP and see what the host is being used for.
Dave
Jose Nazario wrote:
> ----------- nsp-security Confidential --------
>
> currently scanning and inventorying the 85.255.112.0/20 block of rogue
> dns servers. they all seem to point otherwise junk requests to this IP:
>
> 93.190.141.136
>
> eg:
>
> 85.255.113.146 ['2177667.1393088', 360, ['93.190.141.136']]
> 85.255.113.147 ['764356.941801', 360, ['93.190.141.136']]
> 85.255.113.148 ['110548.1659272', 360, ['93.190.141.136']]
> 85.255.113.149 ['1800370.1681101', 360, ['93.190.141.136']]
> 85.255.113.150 ['112756.1879187', 360, ['93.190.141.136']]
>
> (ns, query, ttl, A record result)
>
> AS | IP | AS Name
> 15435 | 93.190.141.136 | KABELFOON CAIW Autonomous System
>
> redirects you via a frameset (for nothing queried in) to :
>
> hxxp://93.190.141.135/index.php
>
> AS | IP | AS Name
> 15435 | 93.190.141.135 | KABELFOON CAIW Autonomous System
>
> and that gives you a 302 ...
>
> so far i don't see malcode there but i'm making sure i didn't miss
> anything.
>
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net> manager of security research
> arbor networks v: (734) 821 1427
> http://asert.arbor.net/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Dave Woutersen
security specialist
GOVCERT.NL
T +31 70 888 75 55
I www.govcert.nl
E dave.woutersen at govcert.nl
PGP Fingerprint: C87E 47E2 89D8 5DFB C86F A3F3 1557 E2E9 AC15 7DD5
GOVCERT.NL is the Computer Emergency Response Team for the Dutch
Government. We support the government in preventing and dealing with
IT-related security incidents.
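As an added example (not code from either poster), a small Python checker for the inventory pattern Jose describes: it parses lines in the thread's `(ns, query, ttl, A record result)` format, reports A records that several resolvers hand back for bogus names, and offers a probe helper that takes a caller-supplied lookup function. The sample lines and the `resolve` callback are assumptions for illustration.

```python
import ast
import random
from collections import defaultdict

# Constructed sample inventory lines in the thread's format:
# "<nameserver> [<query>, <ttl>, [<A records>]]"
# (the last line is a made-up resolver that correctly answers nothing)
SAMPLE_LINES = """\
85.255.113.146 ['2177667.1393088', 360, ['93.190.141.136']]
85.255.113.147 ['764356.941801', 360, ['93.190.141.136']]
85.255.113.148 ['110548.1659272', 360, ['93.190.141.136']]
10.0.0.53 ['5519087.2209921', 360, []]
"""


def parse_inventory(text):
    """Yield (nameserver, query, ttl, a_records) tuples from inventory lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ns, _, rest = line.partition(" ")
        query, ttl, answers = ast.literal_eval(rest)
        yield ns, query, int(ttl), list(answers)


def find_sinks(text, min_servers=2):
    """Map each A record to the resolvers that returned it for a bogus name,
    keeping only records shared by at least `min_servers` resolvers."""
    seen = defaultdict(set)
    for ns, _query, _ttl, answers in parse_inventory(text):
        for ip in answers:
            seen[ip].add(ns)
    return {ip: sorted(srvs) for ip, srvs in seen.items() if len(srvs) >= min_servers}


def random_bogus_name():
    """Random numeric label pair like the queries in the thread (should not exist)."""
    return "%d.%d" % (random.randrange(10**5, 10**7), random.randrange(10**5, 10**7))


def probe_for_sink(resolve, nameserver, probes=5):
    """Ask `nameserver` for several random names via `resolve(nameserver, name)`
    (caller-supplied lookup returning a list of A records, assumed here).
    Return the single IP every probe resolved to, or None when answers differ
    or are empty (i.e. the resolver behaves normally for nonexistent names)."""
    results = set()
    for _ in range(probes):
        answers = resolve(nameserver, random_bogus_name())
        if len(answers) != 1:
            return None
        results.add(answers[0])
    return results.pop() if len(results) == 1 else None
```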