[outages] nytime.com dns borked

james jones james at freedomnet.co.nz
Tue Aug 27 17:43:34 EDT 2013


This is what I am seeing:

$ dig any nytimes.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> any nytimes.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55086
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;nytimes.com. IN ANY

;; ANSWER SECTION:
nytimes.com. 9945 IN A 141.105.64.37
nytimes.com. 81945 IN NS ns1.syrianelectronicarmy.com.
nytimes.com. 81945 IN NS ns2.syrianelectronicarmy.com.

;; AUTHORITY SECTION:
nytimes.com. 81945 IN NS ns2.syrianelectronicarmy.com.
nytimes.com. 81945 IN NS ns1.syrianelectronicarmy.com.

;; ADDITIONAL SECTION:
ns1.syrianelectronicarmy.com. 269 IN A 141.105.64.37
ns2.syrianelectronicarmy.com. 215 IN A 141.105.64.37

;; Query time: 1 msec
;; SERVER: 10.10.89.245#53(10.10.89.245)
;; WHEN: Tue Aug 27 17:42:34 2013
;; MSG SIZE  rcvd: 162



On Tue, Aug 27, 2013 at 5:20 PM, staticsafe <me at staticsafe.ca> wrote:

> On Tue, Aug 27, 2013 at 02:09:26PM -0700, Grant Ridder wrote:
> > I think someone hijacked NYTimes dns...
> >
> >
> http://www.chicagotribune.com/business/technology/chi-new-york-times-website-20130827,0,3415996.story
> >
> >
> > Non-authoritative answer:
> > Name:    nytimes.com
> > Address: 141.105.64.37
> >
> > ~~~
> > dig any nytimes.com
> >
> > ; <<>> DiG 9.8.3-P1 <<>> any nytimes.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15335
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;nytimes.com.            IN    ANY
> >
> > ;; ANSWER SECTION:
> > nytimes.com.        11560    IN    A    141.105.64.37
> > nytimes.com.        5    IN    NS    ns1.syrianelectronicarmy.com.
> > nytimes.com.        5    IN    NS    ns2.syrianelectronicarmy.com.
> >
> > ;; ADDITIONAL SECTION:
> > ns1.syrianelectronicarmy.com. 47 IN    A    141.105.64.37
> > ns2.syrianelectronicarmy.com. 47 IN    A    141.105.64.37
>
> Seems to have changed NSes again (still compromised, it seems):
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace nytimes.com
> ;; global options: +cmd
> .                       518400  IN      NS      d.root-servers.net.
> .                       518400  IN      NS      a.root-servers.net.
> .                       518400  IN      NS      e.root-servers.net.
> .                       518400  IN      NS      f.root-servers.net.
> .                       518400  IN      NS      i.root-servers.net.
> .                       518400  IN      NS      j.root-servers.net.
> .                       518400  IN      NS      b.root-servers.net.
> .                       518400  IN      NS      k.root-servers.net.
> .                       518400  IN      NS      c.root-servers.net.
> .                       518400  IN      NS      g.root-servers.net.
> .                       518400  IN      NS      h.root-servers.net.
> .                       518400  IN      NS      m.root-servers.net.
> .                       518400  IN      NS      l.root-servers.net.
> ;; Received 512 bytes from ::1#53(::1) in 7 ms
>
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> ;; Received 489 bytes from 2001:500:1::803f:235#53(2001:500:1::803f:235)
> in 132 ms
>
> nytimes.com.            172800  IN      NS      ns27.boxsecured.com.
> nytimes.com.            172800  IN      NS      ns28.boxsecured.com.
> ;; Received 110 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
> in 110 ms
>
> nytimes.com.            14400   IN      A       212.1.211.121
> nytimes.com.            86400   IN      NS      ns6.boxsecured.com.
> nytimes.com.            86400   IN      NS      ns5.boxsecured.com.
> ;; Received 92 bytes from 212.1.211.126#53(212.1.211.126) in 37 ms
>
>
> --
> staticsafe
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
> Please don't top post.
> Please don't CC! I'm subscribed to whatever list I just posted on.
> _______________________________________________
> Outages mailing list
> Outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
>
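The two views in this thread are exactly what you compare when you suspect a hijacked delegation: what a recursive resolver has cached (`dig any`) versus what the registry actually delegates and what the zone then says about itself (`dig +trace`). The script below does that comparison over text, as an added example; it is not code from either poster or from the list. The two sample outputs are copied from the records quoted in this thread and trimmed to the relevant steps, and the allow-list of "expected" nameservers is a placeholder assumption (not nytimes.com's real nameservers), so a real run would substitute the zone owner's own list and feed it live dig output.

```python
# Audit dig output for signs of a hijacked delegation. Samples below are
# constructed from the records posted in this thread; EXPECTED_NS is an
# assumed placeholder allow-list, not the zone's real nameservers.

# Constructed sample: `dig any nytimes.com` through a recursive resolver.
RESOLVER_VIEW = """\
;; ANSWER SECTION:
nytimes.com. 9945 IN A 141.105.64.37
nytimes.com. 81945 IN NS ns1.syrianelectronicarmy.com.
nytimes.com. 81945 IN NS ns2.syrianelectronicarmy.com.

;; ADDITIONAL SECTION:
ns1.syrianelectronicarmy.com. 269 IN A 141.105.64.37
ns2.syrianelectronicarmy.com. 215 IN A 141.105.64.37
"""

# Constructed sample: last two steps of `dig +trace nytimes.com`
# (the .com referral, then the zone's own answer).
TRACE_VIEW = """\
nytimes.com.            172800  IN      NS      ns27.boxsecured.com.
nytimes.com.            172800  IN      NS      ns28.boxsecured.com.
;; Received 110 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 110 ms

nytimes.com.            14400   IN      A       212.1.211.121
nytimes.com.            86400   IN      NS      ns6.boxsecured.com.
nytimes.com.            86400   IN      NS      ns5.boxsecured.com.
;; Received 92 bytes from 212.1.211.126#53(212.1.211.126) in 37 ms
"""

# Assumption: nameservers the zone owner actually operates (placeholders).
EXPECTED_NS = {"ns1.example.net", "ns2.example.net"}


def norm(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")


def parse_rrs(text):
    """Pull records out of dig presentation output: skip ';' comment lines and
    blanks, keep the five standard fields (name, TTL, class, type, rdata)."""
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = fields[:5]
        rrs.append({"name": norm(name), "ttl": int(ttl),
                    "type": rtype, "rdata": norm(rdata)})
    return rrs


def trace_steps(text):
    """Split +trace output into one record list per responding server; dig
    prints ';; Received ... from <server>' after each step."""
    steps, current = [], []
    for line in text.splitlines():
        if line.startswith(";; Received"):
            steps.append(parse_rrs("\n".join(current)))
            current = []
        else:
            current.append(line)
    if current:
        steps.append(parse_rrs("\n".join(current)))
    return steps


def audit_resolver_view(rrs, zone, expected_ns):
    """Flag NS names outside the allow-list, and NS glue that resolves to the
    same address as the zone apex (in the cached answer above every record
    points at 141.105.64.37, a typical sign of a single attacker-run host)."""
    zone = norm(zone)
    ns = {r["rdata"] for r in rrs if r["name"] == zone and r["type"] == "NS"}
    apex_a = {r["rdata"] for r in rrs if r["name"] == zone and r["type"] == "A"}
    glue_a = {r["rdata"] for r in rrs if r["name"] in ns and r["type"] == "A"}
    findings = []
    rogue = ns - {norm(n) for n in expected_ns}
    if rogue:
        findings.append(("ns_not_in_allowlist", sorted(rogue)))
    shared = apex_a & glue_a
    if shared:
        findings.append(("glue_shares_apex_address", sorted(shared)))
    return findings


def audit_trace(steps, zone):
    """Compare the parent's delegation NS set with the NS set the child zone
    serves for itself; registry and zone disagreeing is worth a look."""
    zone = norm(zone)
    ns_sets = [{r["rdata"] for r in s if r["name"] == zone and r["type"] == "NS"}
               for s in steps]
    ns_sets = [s for s in ns_sets if s]
    if len(ns_sets) >= 2 and ns_sets[-2] != ns_sets[-1]:
        return [("delegation_mismatch", sorted(ns_sets[-2]), sorted(ns_sets[-1]))]
    return []


if __name__ == "__main__":
    for f in audit_resolver_view(parse_rrs(RESOLVER_VIEW), "nytimes.com", EXPECTED_NS):
        print("resolver view:", f)
    steps = trace_steps(TRACE_VIEW)
    for f in audit_trace(steps, "nytimes.com"):
        print("trace:", f)
    for f in audit_resolver_view(steps[-1], "nytimes.com", EXPECTED_NS):
        print("trace (zone answer):", f)
```

On the thread's own data this reports three things: the cached answer names nameservers outside the allow-list and its glue shares an address with the apex A record; the +trace walk shows the .com delegation (ns27/ns28.boxsecured.com) disagreeing with the NS set the zone serves for itself (ns5/ns6.boxsecured.com). Note that the cached view can keep reporting the old hijacked records for up to its TTL (81945 seconds above) after the registrar fixes the delegation, which is why the trace, not the resolver answer, is the one to trust when deciding whether a fix has landed.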