April 18, 2007
When I wrote my first post on this issue I couldn't have expected the reaction it would produce, even less the kind of reaction that followed. If the thread I quietly watched without intervening happened to be openly hostile, then this comment I got on my own blog is simply offensive, so I feel I need to reiterate my points and clarify my position to bring the whole issue to some logical closure (I really hate unresolved issues like this hanging about).
I've done some research over the past few days and am now ready to provide a proper account, so forgive me if I repeat some points already mentioned, but this is needed to maintain the logic of my reply.
Here are facts:
April 7th, 2007 - I and some of my friends report strange redirects from a number of websites to searchportal.information.com, IP 66.151.179.147
this page reports the same DNS issues with livejournal.com (NS1.SIXAPART.COM NS2.SIXAPART.COM) happening on a massive scale
April 8th, 2007 - Dreamhost reports a DNS DOS attack which incapacitates the Dreamhost DNS servers; subsequently the affected DNS servers resolve all domains for which Dreamhost is authoritative to 66.151.179.147
April 9th, 2007 - The issue is observed sporadically for websites having their DNS records hosted either privately (EVERETT.ORG, ADVERDNS.NET, PROZ.COM etc.) or at large hosting providers (1AND1.COM, EASYDNS.COM etc.), and these are just the ones I myself have seen affected (also reported here and, on April 13, here).
Here is my interpretation:
From what I've seen myself and what I gathered on the net I insist that we are dealing with DNS poisoning, also known as DNS hijacking. How do I know this? How do I know it's not a virus? Well, it isn't, 'cause I ain't stupid and check my machines for viruses regularly, but mainly because changing the DNS servers in browser or router settings to unaffected ones resolved the issue entirely.
Why do I think the Dreamhost DOS issues and the DNS poisoning are related? Note: I never said or implied that Dreamhost DNS was hacked or hijacked and hence was the cause of the problem - if some have read my postings this way it's their problem, not mine. Not only because these two things happened at the same time, but because it all fits too well into a standard DNS poisoning scenario. To inject poisoned DNS data you need to disable the authoritative DNS servers for the domains you are trying to rewrite, otherwise your poisoned data will not be accepted by the DNS servers you are trying to inject it into. Of course this is not hard proof and there is a chance of coincidence, but do you believe in coincidences?
Judging from the fact that most reports of this attack are coming from Russia, and from what I understood from the translation of the page quoted above, the point of injection was the DNS of one of the Russian ISPs, from where it spread to some European DNS servers. Fortunately it was not a large-scale epidemic, but it was large enough to cause a serious disruption.
Concerning the security issue: I am tired of repeating the same thing - if you landed on the searchportal.information.com page instead of a site you have an account at, change your password for this site, be it your own or otherwise - if you are dumb enough not to, you have only yourself to blame, as you've been forewarned so many times. The redirect script at searchportal.information.com reads your cookies! Note: the Russian livejournal post I referenced above provides an HTTP headers transcript where you can read for yourself how your browser happily provides cookies to this redirect script. The same should be done with your email and FTP passwords if you accessed affected sites with your email or FTP clients.
As this thread, this thread and many others suggest, searchportal.information.com affiliates have been involved in browser hijacking using various techniques since at least 2005. Particularly interesting is this article, which I am yet to analyse properly, but this one hints at possible AdSense click fraud.
If understanding the issue itself was not too difficult for me, the hostile, ill-mannered and frankly pointless response to my posts still puzzles me a lot. However, considering the amount of money involved in these operations, it shouldn't be surprising that there are some who wouldn't like too much attention to be drawn to the activities of certain searchportal.information.com affiliates.
That’s all I know and all I think about it. DIXI
tags: dns, dos, adsense, alert, attack, browser, click fraud, cookies, hack, hard proof, headers, hijack, injection, password, poisoning, searchportal, security
Posted by LZZR under SEDD | Comments (11)
April 10, 2007
Update to my first post about DNS ATTACK
Just now I observed that the DNS poisoning continues; this time the affected DNS servers belong to 1AND1.COM, AKA 1&1 Internet Inc. - one of the largest registrars and hosters!
I am getting pretty scared - if they can't deal with this problem for three days in a row, the Internet is a dangerous place now!
Some more info on this - the hacked DNS servers resolve hijacked domains to 66.151.179.147, which hosts a 302 redirect, as yesterday. The landing page on searchportal.information.com belongs to account id 19911, as yesterday.
Shit! Nobody is doing anything - neither is the servicing of the IP 66.151.179.147 stopped, nor the hosting discontinued or the redirect script deleted. The account 19911 on searchportal.information.com is alive and well and not banned. What the fun is going on? Where are all those bloody spam-hunters now? Neither the DNS providers nor the hosting company seem to be doing anything!
At the moment according to domaintools there are 16633 domains hosted on this IP address.
Once again, to clear it up: it isn't an Easter DOS attack, as there is no denial of service as such; it is a DNS hijack, or DNS spoofing if you wish, where rather high up in the hierarchy of DNS servers your domain name resolves to the attacker's IP address. This poisoned data spreads over multiple DNS servers around the world and gradually gets cleaned only after the correct IP address is restored at a parent DNS server.
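As an added example (not from the original post), this automates the cross-check the post describes doing by hand: compare what a suspect recursive resolver returns with what the zone's authoritative servers return, and flag any name that lands on the redirect IP. The two lookup callables and all sample answers are constructed stand-ins; in real use they would wrap actual queries to the suspect resolver and to the domain's own nameservers.

```python
from typing import Callable, Dict, Iterable, List

Lookup = Callable[[str], List[str]]  # hostname -> list of A records returned

# The one address every hijacked name resolved to in the incident described above.
KNOWN_BAD_IPS = frozenset({"66.151.179.147"})


def audit_domain(name: str, recursive: Lookup, authoritative: Lookup) -> str:
    """Classify one name as 'ok', 'known-bad', 'no-answer' or 'mismatch'."""
    cached = set(recursive(name))       # what the suspect resolver hands out
    truth = set(authoritative(name))    # what the zone's own servers say
    if cached & KNOWN_BAD_IPS:
        return "known-bad"              # lands on the redirect host
    if not cached:
        return "no-answer"              # like the .co.uk names that never resolved
    if cached != truth:
        return "mismatch"               # poisoned or stale, just not the known IP
    return "ok"


def audit_resolver(names: Iterable[str], recursive: Lookup,
                   authoritative: Lookup) -> Dict[str, str]:
    """Audit many names; any verdict other than 'ok' needs a closer look."""
    return {n: audit_domain(n, recursive, authoritative) for n in names}


# Constructed sample answers (not real data); 203.0.113.x and 198.51.100.x are
# documentation addresses standing in for the real ones.
POISONED_CACHE = {
    "lzzr.com": ["66.151.179.147"],     # hijacked
    "example.co.uk": [],                # did not resolve at all
    "example.com": ["203.0.113.10"],    # healthy
    "stale.example": ["198.51.100.7"],  # wrong answer, not the hijack IP
}
AUTHORITATIVE = {
    "lzzr.com": ["203.0.113.5"],
    "example.co.uk": ["203.0.113.6"],
    "example.com": ["203.0.113.10"],
    "stale.example": ["198.51.100.8"],
}


def sample_audit() -> Dict[str, str]:
    """Run the audit over the constructed data set."""
    return audit_resolver(POISONED_CACHE,
                          lambda n: POISONED_CACHE.get(n, []),
                          lambda n: AUTHORITATIVE.get(n, []))
```

A 'mismatch' on its own can also be a stale cache after a legitimate IP change, so the authoritative answer (not the resolver's) is the one to trust when deciding whether to switch resolvers.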
IMPORTANT
Once again I remind you to change all your passwords, as the redirect script on 66.151.179.147 also collects cookies, and authentication requests from your e-mail and FTP clients are most likely logged too.
tags: 1and1, dns, dos, easter, alert, attack, danger, hack, hijack, oneandone, password, poisoning, red alert, security, spoofing
Posted by LZZR under SEDD | Comments (3)
April 8, 2007
Today I nearly fainted (of course I meant to say farted, as I am not a sissy young girl, at least not anymore) but anyway, seeing a crappy landing page instead of my beloved lzzr.com was a bit of something.
Here is how our Host described it:
Major DNS DOS attack
April 8th, 2007 at 1:29 am PST
Severity: High Resolved: Yes
We are currently experiencing intermittent DNS outages on all of our nameservers, this is causing problems with sites and email functioning properly.
We think it might be the DNS load balancers we’ve recently installed but haven’t determined that for sure yet. More information will be posted as we have it.
Our apologies for the inconvenience this causes.
UPDATE (2007-04-08 03:20 PDT): It appears we are the victims of an Easter DOS attack against our nameservers, we have an admin at the datacenter and our network expert on hand to deal with it. Hopefully things will be back to normal shortly.
UPDATE (2007-04-08 04:54 PDT): We seem to have isolated and resolved the DoS attack for the moment. All of our DNS servers have been resolving domains correctly and without pause for the past 20 minutes now so it appears that this nasty episode is behind us. We’ll be mopping up and fixing servers that might’ve crashed or otherwise gone wonky in the interim. Again, our sincerest apologies for all the downtime.
Fortunately it happened to be a rather banal DNS injection attack, or in the words of our host an Easter DOS attack, although I can't see any Easter in it, nor is there any DOS, but outages they certainly are.
It seems we are dealing with a DNS hijack (also known as DNS spoofing) here, and at a bigger scale too. Yesterday already I noticed the same kind of thing visiting agloco.com - a lame clone of the Spedia of the '90s (don't ask me what I was doing there). Instead of their homepage I was redirected to searchportal.information.com - another lame PPC traffic monetisation system. The same place the current DNS attack redirects to; some other sites had been affected too. It seems we are dealing with a widespread phenomenon and multiple DNS servers have been poisoned. For those unfamiliar with the concept I may suggest reading this article - it's just one of many sources describing how DNS attacks and DNS poisoning actually work.
As the affected DNS servers belong to large hosting companies, it leads me to believe that the data poisoning took place at a rather high level and affected a huge number of websites. I can't help admiring the skill of the attacker and the scale of the event itself; just imagine the amount of traffic the attacker managed to gather, as we definitely know that all websites hosted with our host had been affected, i.e. all of their daily traffic landed on the attacker's PPC landing page! At the same time I feel I need to share some important info I managed to gather in the course of the attack (I don't think I am grassing anyone up - it is merely self-defence).
- Not all DNS zones had been affected, as I could see the site properly via the TOR proxy network
- only .com sites were affected - my .co.uk sites just didn't resolve at all
- the attacker redirected to an information.com landing page using id 19911 - it does not necessarily mean that the culprit is the owner of the 19911 account, as it is also possible that the attack was meant to compromise account 19911 (I allow this possibility since it would be stupid to think that revenue raised this way will ever be honoured by advertisers)
In any case I believe more details will come up soon, but so far id 19911 at information.com is the only identifiable trace, and information.com is also the only place to complain about it. The sad thing is that there is nothing a webmaster can do about this kind of attack, as it happens at the DNS level, which isn't under our control.
IMPORTANT!!!! - ATTENTION!!! - RED ALERT!!!
Although at first glance not much damage had been done, apart from a section of traffic diverted to a lousy information.com landing page and making some money for id 19911, in fact it is not so harmless. The attacker seems to gather your cookies as well. What it actually means is that when passing traffic through your domain it requests the cookies stored by your browser for this domain, and now the attacker must have a pretty good library of usernames and passwords for services set up at the affected domains. Although passwords are usually MD5 hashed, if you use dictionary passwords like daddy or pussy, for example, you are doomed, as having the MD5 hash, guessing such passwords with a brute force or dictionary attack would be a piece o' cake. It means your SECURITY HAS BEEN SERIOUSLY COMPROMISED and your user names and passwords are in danger.
What to do:
If you've seen the information.com landing page instead of your own site or any other site where you have an account - URGENTLY CHANGE YOUR PASSWORD, and better your username as well (better safe than sorry). You should also recommend that your users who visited your website during the attack and landed at the information.com website do the same!
You should also be aware that some email correspondence to/from your affected domains might have ended up in the wrong hands! Although there is nothing you can do post factum about it, it's better to double-check whether there was any sensitive information that might have been delivered to the culprit.
PS and some refused to believe that SEDD is a reality
tags: dns, dos, easter, sedd, alert, attack, danger, hack, hijack, password, poisoning, red alert, security, spoofing
Posted by LZZR under SEDD | Comments (6)
April 1, 2007
At the request of the WhiteHat SEO community, on April the 1st this year all major search engines, including Google, Yahoo and MSN Live, declared their joint support for a newly developed XFN standard.
The new attribute rel=follow is designed to complement the notorious rel=nofollow. However, unlike the nofollow attribute, rel=follow is designed to express not a negative but a positive relationship between a linking website and the website a rel=follow link points to.
I'll try to explain it in layman's terms - when using nofollow you instruct a search engine not to count this link in its link popularity calculations (for Google it will be the well-known Google PR index). If you put rel=follow, on the contrary, you instruct a search engine algorithm to double the positive weight of your link.
To provide greater flexibility and a more granular approach, it is currently recommended to use the follow value in a quantity proportionate to the relative importance of the web site you point your link to.
Example 1:
rel="follow"
will simply double the weight of your link
Example 2:
rel="follow" rel="follow"
or alternatively
rel="follow follow"
(note that both versions of implementation are equally valid; note also that no commas are needed for the second version) will increase the weight of a link 4 times: 1×2×2=4
Let’s take a bit more complex instance
Example 3:
rel="follow" rel="follow" rel="follow" rel="follow" rel="follow" rel="follow" rel="follow" rel="follow" rel="follow" rel="follow"
or alternatively
rel="follow follow follow follow follow follow follow follow follow follow"
here we have follow 10 times, which gives an increase in ranking of 1×2×2×2×2×2×2×2×2×2×2=1024 times compared to the ranking a link would normally pass.
It is also possible to use advanced CSS2 to provide a visual reflection of the quantitative weight of the rel=follow attribute in a way similar to how TagCloud visually reflects relative tag popularity.
The most inspiring thing of all is that, according to the new specification, to encourage a widespread uptake of the rel=follow standard all search engines confirmed a change in their algos, which had been altered not to deduct the proportionate weight from the link popularity index of a page that uses rel=follow. In other words, when you use rel=follow you will be able to pass as much PR as you wish without losing the PR of the page itself (PR bleeding), at least no more than you would if you were using a normal link without any attributes. So at last WhiteHat SEO is rewarded with a wonderful standard capable of defeating the current link spam epidemic.
Ultimately, this new attribute provides us with an extremely flexible tool capable of changing the nature of internet relationships and enhancing the social network experience. Some sceptics, however, remarked that it might open yet another door for abuse.
tags: google, google pr, link popularity, msn, seo, whitehat, xfn, yahoo, rel follow, rel tag, white hat
Posted by LZZR under Blog | Comments (14)