[outages] nytime.com dns borked
james jones
james at freedomnet.co.nz
Tue Aug 27 17:43:34 EDT 2013
this is what I am seeing:
$ dig any nytimes.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> any nytimes.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55086
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;nytimes.com. IN ANY
;; ANSWER SECTION:
nytimes.com. 9945 IN A 141.105.64.37
nytimes.com. 81945 IN NS ns1.syrianelectronicarmy.com.
nytimes.com. 81945 IN NS ns2.syrianelectronicarmy.com.
;; AUTHORITY SECTION:
nytimes.com. 81945 IN NS ns2.syrianelectronicarmy.com.
nytimes.com. 81945 IN NS ns1.syrianelectronicarmy.com.
;; ADDITIONAL SECTION:
ns1.syrianelectronicarmy.com. 269 IN A 141.105.64.37
ns2.syrianelectronicarmy.com. 215 IN A 141.105.64.37
;; Query time: 1 msec
;; SERVER: 10.10.89.245#53(10.10.89.245)
;; WHEN: Tue Aug 27 17:42:34 2013
;; MSG SIZE rcvd: 162
On Tue, Aug 27, 2013 at 5:20 PM, staticsafe <me at staticsafe.ca> wrote:
> On Tue, Aug 27, 2013 at 02:09:26PM -0700, Grant Ridder wrote:
> > I think someone hijacked NYTimes dns...
> >
> >
> http://www.chicagotribune.com/business/technology/chi-new-york-times-website-20130827,0,3415996.story
> >
> >
> > Non-authoritative answer:
> > Name: nytimes.com
> > Address: 141.105.64.37
> >
> > ~~~
> > dig any nytimes.com
> >
> > ; <<>> DiG 9.8.3-P1 <<>> any nytimes.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15335
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;nytimes.com. IN ANY
> >
> > ;; ANSWER SECTION:
> > nytimes.com. 11560 IN A 141.105.64.37
> > nytimes.com. 5 IN NS ns1.syrianelectronicarmy.com.
> > nytimes.com. 5 IN NS ns2.syrianelectronicarmy.com.
> >
> > ;; ADDITIONAL SECTION:
> > ns1.syrianelectronicarmy.com. 47 IN A 141.105.64.37
> > ns2.syrianelectronicarmy.com. 47 IN A 141.105.64.37
>
> Seems to have changed NSes again (still compromised, it seems):
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace nytimes.com
> ;; global options: +cmd
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> ;; Received 512 bytes from ::1#53(::1) in 7 ms
>
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS c.gtld-servers.net.
> com. 172800 IN NS d.gtld-servers.net.
> com. 172800 IN NS e.gtld-servers.net.
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS g.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> com. 172800 IN NS i.gtld-servers.net.
> com. 172800 IN NS j.gtld-servers.net.
> com. 172800 IN NS k.gtld-servers.net.
> com. 172800 IN NS l.gtld-servers.net.
> com. 172800 IN NS m.gtld-servers.net.
> ;; Received 489 bytes from 2001:500:1::803f:235#53(2001:500:1::803f:235)
> in 132 ms
>
> nytimes.com. 172800 IN NS ns27.boxsecured.com.
> nytimes.com. 172800 IN NS ns28.boxsecured.com.
> ;; Received 110 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
> in 110 ms
>
> nytimes.com. 14400 IN A 212.1.211.121
> nytimes.com. 86400 IN NS ns6.boxsecured.com.
> nytimes.com. 86400 IN NS ns5.boxsecured.com.
> ;; Received 92 bytes from 212.1.211.126#53(212.1.211.126) in 37 ms
>
>
> --
> staticsafe
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
> Please don't top post.
> Please don't CC! I'm subscribed to whatever list I just posted on.
> _______________________________________________
> Outages mailing list
> Outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/outages/attachments/20130827/d5e1b7fb/attachment.htm>
More information about the Outages
mailing list