[nsp-sec] Need help flushing DNS (view from PassiveDNS)

Zaid Ali zali at linkedin.com
Thu Jun 20 13:24:42 EDT 2013


Just to clarify: we don't think that this is a domain hijack in a traditional sense but rather a very bad error in the NetSol database. Last night when I was writing my email seeking help on flushing DNS servers we thought it was a malicious hijack; the data points otherwise now.

Zaid

Sent from my iPhone

On Jun 20, 2013, at 3:07 AM, "Eric Ziegast" <ziegast at isc.org> wrote:

> ----------- nsp-security Confidential --------
> 
> 
> On 6/19/13 7:03 PM, Zaid Ali wrote:
>> Folks, around 5PM PT www.linkedin.com domain got hijacked at
>> Network Solutions. We have rectified the situation but need help
>> from ISPs to flush their DNS. Particularly ATT if anyone from
>> there is on this list or has a contact. Any help would be
>> appreciated.
>> 
>> Thanks, Zaid
> 
> If anyone is flushing caches, please flush NS records for both:
>  linkedin.com
>  licdn.com
> 
> The NS records from the Verisign COM nameservers with a 2-day TTL are
> what's most toxic.  The rest will work itself out with quick TTL
> expiration tonight.  They had lots of other records like
> mail.linkedin.com and static.licdn.com pointing to their IP
> (204.11.56.17) for a while.  There was a glob for "*.linkedin.com"
> that was catching everything in linkedin.com.
> 
> If anyone has the ability to redirect DNS (eg: BIND RPZ, Xerocole,
> Nominum), I don't see anything good served by the following
> identifiers used in this attack:
> 
>     NS    ns1617.ztomy.com.
>     NS    ns2617.ztomy.com.
> 
>     A     204.11.56.17
> 
> ... so you might want to add that to your local overrides.
> 
> Interestingly, the IP 204.11.56.17 is now pointing people back to
> one of linkedin.com's older IPs (216.52.242.80) while the correct
> address is 216.52.242.86, so you may be able to detect people still
> affected that way.
> 
> I don't know how popular "dog.com" is, but it was also hijacked.
> The domain "cri.com" and some other domains are still hijacked.
> 
> --
> Eric Ziegast
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
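A defender-side check matching what Eric describes, as an added example that is not code from the list or either poster: it compares a resolver's cached answers against the indicators quoted in the message (the ztomy nameservers, 204.11.56.17, the old and correct linkedin.com addresses) so an operator can tell whether a cache still needs flushing. It assumes `dig` is on the PATH; the resolver address and the sample answers are constructed.

```python
import subprocess

# Indicators quoted in Eric Ziegast's message above.
ROGUE_NS = {"ns1617.ztomy.com.", "ns2617.ztomy.com."}
ROGUE_A = {"204.11.56.17"}
STALE_A = {"216.52.242.80"}    # old linkedin.com IP the rogue host redirects to
CORRECT_A = {"216.52.242.86"}  # correct address per the message
WATCH_DOMAINS = ("linkedin.com", "licdn.com")


def classify(ns_answers, a_answers):
    """Verdict for one resolver's cached view of a watched domain.

    Returns "hijacked" (rogue NS or rogue A still cached), "stale" (answer is
    the old IP the rogue host points back to), "clean" (correct address) or
    "unknown" (no listed indicator matched).
    """
    # Normalise NS names: case-insensitive, always with a trailing dot.
    ns = {n.lower().rstrip(".") + "." for n in ns_answers}
    a = set(a_answers)
    if ns & ROGUE_NS or a & ROGUE_A:
        return "hijacked"
    if a & STALE_A:
        return "stale"
    if a & CORRECT_A:
        return "clean"
    return "unknown"


def dig_short(resolver, name, rtype):
    """Ask `resolver` for `name`/`rtype` via the system dig (assumed installed)."""
    out = subprocess.run(["dig", "+short", "@" + resolver, name, rtype],
                         capture_output=True, text=True, timeout=10).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def check_resolver(resolver):
    """Classify each watched domain as seen through `resolver` (live query)."""
    return {d: classify(dig_short(resolver, d, "NS"), dig_short(resolver, "www." + d, "A"))
            for d in WATCH_DOMAINS}


if __name__ == "__main__":
    # Hypothetical resolver address; replace with the cache you want to audit.
    for domain, verdict in check_resolver("192.0.2.53").items():
        print(f"{domain}: {verdict}")
```

A "hijacked" or "stale" verdict means the NS and A records for that domain should be flushed from the cache (e.g. `rndc flushname` on BIND), as the original request asks.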
