April 18, 2007

Closing searchportal.information.com Subject


When writing my first post on this issue I couldn’t have expected the reaction it would produce, even less the kind of reaction that followed. If this thread, which I quietly watched without intervening, happened to be openly hostile, then this comment I got on my own blog is simply offensive, so I feel I need to reiterate my points and clarify my position to bring the whole issue to some logical closure (I really hate unresolved issues like this hanging about).
I’ve done some research over the past few days and am now ready to provide a proper account, so forgive me when I repeat some points already mentioned, but this is needed to maintain the logic of my reply.
Here are facts:
April 7th, 2007 - Some friends and I report strange redirects from a number of websites to searchportal.information.com, IP 66.151.179.147
this page reports the same DNS issues with livejournal.com (NS1.SIXAPART.COM, NS2.SIXAPART.COM) happening on a massive scale
April 8th, 2007 - Dreamhost reports a DNS DOS attack which incapacitates the Dreamhost DNS servers, and subsequently the affected DNS servers resolve all domains for which Dreamhost is the authority to 66.151.179.147
April 9th, 2007 - The issue is observed sporadically for websites having their DNS records either privately hosted (EVERETT.ORG, ADVERDNS.NET, PROZ.COM etc) or at large hosting providers (1AND1.COM, EASYDNS.COM etc), and these are just the ones I myself have seen affected (also reported here, and on April 13 here).
Here is my interpretation:
From what I’ve seen myself and what I gathered on the net, I insist that we are dealing with DNS poisoning, also known as DNS hijacking. How do I know this? How do I know it’s not a virus? Well, it isn’t, cause I ain’t stupid and check my machines for viruses regularly, but mainly because changing the DNS servers in browser or router settings to unaffected ones resolved the issue entirely.
Why do I think the Dreamhost DOS issues and the DNS poisoning are related? Note: I never said or implied that Dreamhost DNS was hacked or hijacked and hence was the cause of the problem; if some have read my postings this way it’s their problem, not mine. Not only because these two things happened at the same time, but because it all fits too well into a standard DNS poisoning scenario. To inject poisoned DNS data you need to disable the authoritative DNS servers for the domains you are trying to rewrite, otherwise your poisoned data will not be accepted by the DNS servers you are trying to inject it into. Of course it is not hard proof and there is a chance of coincidence, but do you believe in coincidences?
Judging from the fact that most responses to this attack are coming from Russia, and from what I understood from the translation of the page quoted above, the point of injection was the DNS of one of the Russian ISPs, from where it spread to some European DNS servers. Fortunately it was not a large scale epidemic, but large enough to cause a serious disruption.
Concerning the security issue: I am tired of repeating the same thing. If you landed on the searchportal.information.com page instead of a site you have an account at, change your password for this site, be it your own or otherwise; if you are dumb enough not to, you have only yourself to blame as you’ve been forewarned so many times. The redirect script to searchportal.information.com reads your cookies! Note: the Russian livejournal post I referenced above provides an HTTP headers transcript where you can read for yourself how your browser happily provides cookies to this redirect script. The same should be done with your email and FTP passwords if you accessed affected sites with your email or FTP clients.
As this thread, this thread and many others suggest, searchportal.information.com affiliates have been involved in browser hijacking using various techniques since at least 2005. Particularly interesting is this article, which I am yet to analyse properly, but this one hints at possible AdSense click fraud.
If understanding the issue itself was not too difficult for me, the hostile, ill-mannered and frankly pointless response to my posts still puzzles me a lot. However, considering the amount of money involved in these operations, it shouldn’t be surprising that there are some who wouldn’t like too much attention to be drawn to the activities of certain searchportal.information.com affiliates.
That’s all I know and all I think about it. DIXI


Posted by LZZR under SEDD | Comments (11)

April 10, 2007

Update on searchportal.information.com DNS Attack


Update to my first post about
Just now I observed that the DNS poisoning continues; this time the affected DNS servers belong to 1AND1.COM, AKA 1&1 Internet Inc. - one of the largest registrars and hosters!
I am getting pretty scared - if they can’t deal with this problem for three days in a row, the Internet is a dangerous place now!
Some more info on this: the hacked DNS servers resolve hijacked domains to 66.151.179.147, which hosts a 302 redirect as yesterday. The landing page on searchportal.information.com belongs to account id 19911, as yesterday.
Shit! Nobody is doing anything - neither has the servicing of the IP 66.151.179.147 been stopped, nor the hosting discontinued, nor the redirect script deleted. The account 19911 on searchportal.information.com is alive and well and not banned. What the fun is going on? Where are all those bloody spam-hunters now? Neither the DNS providers nor the hosting company seem to be doing anything!
At the moment, according to domaintools, there are 16633 domains hosted on this IP address.
Once again, to clear it up: it isn’t an Easter DOS attack, as there is no denial of service as such; it is a DNS hijack, or DNS spoofing if you wish, where rather high up in the hierarchy of DNS servers your domain name resolves to the attacker’s IP address. This poisoned data spreads over multiple DNS servers around the world and gradually gets cleaned only after the correct IP address is restored at a parent DNS server.
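The check described in the first post above (querying the same name through different DNS servers and seeing which ones give the wrong answer) is easy to script, and it is the quickest way to tell a poisoned resolver from a hacked website. The following is an added example of mine, not code from this blog: a minimal A-record query builder and reply parser using only Python’s standard library, plus a classifier that compares what several resolvers return against the zone’s own nameservers. The resolver labels, 203.0.113.10 and 198.51.100.7 are constructed values; 66.151.179.147 is the redirect target reported in the post.

```python
import random
import socket
import struct

REDIRECT_IP = "66.151.179.147"   # the redirect target named in the post


def _encode_name(name):
    """Dotted name -> RFC 1035 label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qid=None):
    """Minimal DNS query for the A records of `name` (RD flag set, one question)."""
    if qid is None:
        qid = random.getrandbits(16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_response(qid, name, ips, ttl=300):
    """Constructed resolver reply, used here only for offline testing.
    Each answer name is a compression pointer (0xC00C) back to the question name."""
    msg = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    msg += _encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return msg


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer: follow it
            if end is None:
                end = offset + 2                        # caller resumes after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_records(msg):
    """Return (transaction id, set of IPv4 addresses) from a DNS reply."""
    qid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4
    ips = set()
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            ips.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return qid, ips


def query_a(name, resolver_ip, timeout=3.0):
    """Ask one specific resolver over UDP/53 (needs network; not exercised offline)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    qid, ips = parse_a_records(data)
    if qid != struct.unpack("!H", query[:2])[0]:        # reject replies to other queries
        raise ValueError("reply id does not match query id")
    return ips


def classify(answers, authoritative, known_bad=frozenset({REDIRECT_IP})):
    """answers: {resolver label: set of IPs it returned}; authoritative: the set
    the zone's own nameservers return. Gives one verdict per resolver."""
    verdicts = {}
    for resolver, ips in answers.items():
        ips = set(ips)
        if not ips:
            verdicts[resolver] = "no-answer"
        elif ips & known_bad:
            verdicts[resolver] = "known-bad"
        elif ips == set(authoritative):
            verdicts[resolver] = "ok"
        else:
            verdicts[resolver] = "divergent"
    return verdicts


if __name__ == "__main__":
    # Constructed answers: 203.0.113.10 stands in for the site's real address.
    sample = {
        "authoritative ns": parse_a_records(build_response(1, "lzzr.com", ["203.0.113.10"]))[1],
        "isp resolver": parse_a_records(build_response(2, "lzzr.com", [REDIRECT_IP]))[1],
        "other resolver": set(),
    }
    print(classify(sample, sample["authoritative ns"]))
```

With network access, `query_a("lzzr.com", "<resolver ip>")` run against the zone’s own nameservers and against each recursive resolver you use gives the input for `classify`. A "known-bad" or "divergent" verdict from a recursive resolver while the authoritative servers answer correctly is exactly the poisoned-cache picture the post describes; "no-answer" from the authoritative servers matches the DoS part of it.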
IMPORTANT
Once again I remind you to change all your passwords, as the redirect script on 66.151.179.147 also collects cookies, and authentication requests from your e-mail and FTP clients are most likely logged too.


Posted by LZZR under SEDD | Comments (3)

April 8, 2007

DNS attack or Easter DOS attack as they call it


Today I nearly fainted (of course I meant to say farted, as I am not a sissy young girl, at least not anymore :-) ) but anyway, seeing a crappy landing page instead of my beloved lzzr.com was a bit of something.
Here is how our Host described it:

Major DNS DOS attack
April 8th, 2007 at 1:29 am PST
Severity: High Resolved: Yes
We are currently experiencing intermittent DNS outages on all of our nameservers, this is causing problems with sites and email functioning properly.
We think it might be the DNS load balancers we’ve recently installed but haven’t determined that for sure yet. More information will be posted as we have it.
Our apologies for the inconvenience this causes.
UPDATE (2007-04-08 03:20 PDT): It appears we are the victims of an Easter DOS attack against our nameservers, we have an admin at the datacenter and our network expert on hand to deal with it. Hopefully things will be back to normal shortly.
UPDATE (2007-04-08 04:54 PDT): We seem to have isolated and resolved the DoS attack for the moment. All of our DNS servers have been resolving domains correctly and without pause for the past 20 minutes now so it appears that this nasty episode is behind us. We’ll be mopping up and fixing servers that might’ve crashed or otherwise gone wonky in the interim. Again, our sincerest apologies for all the downtime.

Fortunately it happened to be a rather banal DNS injection attack, or in the words of our host an Easter DOS attack, although I can’t see any Easter in it and neither is there any DOS, but outages they certainly are.
It seems we are dealing with a DNS hijack (also known as DNS spoofing) here, and at a bigger scale too. Already yesterday I noticed the same kind of thing visiting agloco.com - a lame clone of Spedia from the ’90s (don’t ask me what I was doing there). Instead of their homepage I was redirected to searchportal.information.com - another lame PPC traffic monetisation system. The same place the current DNS attack redirects to; some other sites had been affected too. It seems we are dealing with a widespread phenomenon and multiple DNS servers have been poisoned. For those unfamiliar with the concept I may suggest reading this article - it’s just one of many sources describing how DNS attacks and DNS poisoning actually work.
As the affected DNS servers belong to large hosting companies, it leads me to believe that the data poisoning took place at a rather high level and affected a huge number of websites. I can’t help admiring the skill of the attacker and the scale of the event itself; just imagine the amount of traffic the attacker managed to gather, as we definitely know that all websites hosted with our host had been affected, i.e. all of their daily traffic landed on the attacker’s PPC landing page! At the same time I feel I need to share some important info I managed to gather in the course of the attack (I don’t think I am grassing anyone up - it is merely self-defence).

  1. Not all DNS zones had been affected, as I could see the site properly via the TOR proxy network
  2. Only .com sites were affected - my .co.uk sites just didn’t resolve at all
  3. The attacker redirected to an information.com landing page using id 19911 - it does not necessarily mean that the culprit is the owner of the 19911 account, as it is also possible that the attack was meant to compromise account 19911 (I allow this possibility since it would be stupid to think that revenue raised this way will ever be honoured by advertisers)

In any case I believe more details will come up soon, but so far id 19911 at information.com is the only identifiable trace, and information.com is also the only place to complain about it. The sad thing is that there is nothing a webmaster can do about this kind of attack, as it happens at the DNS level, which isn’t under our control.
IMPORTANT!!!! - ATTENTION!!! - RED ALERT!!!
Although at first glance not much damage had been done apart from a section of traffic diverted to a lousy information.com landing page and making some money for id 19911, in fact it is not so harmless. The attacker seems to gather your cookies as well. What it actually means is that when passing traffic through your domain it requests the cookies stored by your browser for this domain, and now the attacker must have a pretty good library of usernames and passwords for services set up at the affected domains. Although passwords are usually MD5 hashed, if you use dictionary passwords like daddy or pussy, for example, you are doomed, as once someone has the MD5 hash, guessing such passwords with a brute force or dictionary attack would be a piece o’cake. It means your SECURITY HAS BEEN SERIOUSLY COMPROMISED and your usernames and passwords are in danger.
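The cookie point above (repeated in the April 10 update) deserves a worked illustration of which cookies actually leave the browser when a name is hijacked. The following is an added example of mine, not code from this blog: it uses Python’s standard cookie jar, which applies the same domain, path and Secure rules a browser does, to list the cookies a request for lzzr.com (the author’s domain) would carry. The cookie names PHPSESSID, remember_me, admin_sess and other_site, their values, and the unrelated example.org cookie are all constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, secure=False, path="/"):
    """Netscape-style (version 0) cookie, the kind a 2007-era site would set."""
    return Cookie(version=0, name=name, value=value, port=None, port_specified=False,
                  domain=domain, domain_specified=True,
                  domain_initial_dot=domain.startswith("."),
                  path=path, path_specified=True, secure=secure, expires=None,
                  discard=True, comment=None, comment_url=None, rest={})


def build_sample_jar():
    """Constructed cookie jar standing in for a visitor's browser state."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("PHPSESSID", "constructed-session", "lzzr.com"))
    jar.set_cookie(make_cookie("remember_me", "constructed-token", ".lzzr.com"))
    jar.set_cookie(make_cookie("admin_sess", "constructed-admin", "lzzr.com", secure=True))
    jar.set_cookie(make_cookie("other_site", "unrelated", "example.org"))
    return jar


def cookies_sent(jar, url):
    """Names of the cookies the jar attaches to a request for `url`.

    A DNS hijack changes only which host answers for the name, not the URL,
    so these are exactly the cookies that reach the attacker's server when the
    user's browser follows a poisoned answer for that name."""
    req = Request(url)
    jar.add_cookie_header(req)              # applies domain, path and Secure checks
    header = req.get_header("Cookie") or ""
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


if __name__ == "__main__":
    jar = build_sample_jar()
    print("http://lzzr.com/  ->", cookies_sent(jar, "http://lzzr.com/"))
    print("https://lzzr.com/ ->", cookies_sent(jar, "https://lzzr.com/"))
```

For a plain http:// request every cookie scoped to the domain goes out to whoever answers for the name; only the Secure-flagged admin_sess stays home. Over https:// the Secure cookie would be attached as well, but the browser would first demand a certificate valid for lzzr.com, which a host that merely hijacked the name cannot present, so Secure cookies on an HTTPS-only site are the one class that survives this attack. HttpOnly does not help here: it stops scripts from reading a cookie, not the browser from sending it.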
What to do:
If you’ve seen the information.com landing page instead of your own site or any other site where you have an account - URGENTLY CHANGE YOUR PASSWORD, and better your username as well (better safe than sorry). You should also recommend that your users who visited your website during the attack and landed at the information.com website do the same!
You should also be aware that some email correspondence to/from your affected domains might have ended up in the wrong hands! Although there is nothing you can do post factum about it, it’s better to double-check whether there was any sensitive information that might have been delivered to the culprit.
PS and some refused to believe that this is reality :-(


Posted by LZZR under SEDD | Comments (5)

February 12, 2007

Google Teaches us a bit of SEDD


Another addition to my SEDD collection - Google itself produced a small guide to , I quote from their

  • Don’t participate in link schemes designed to increase your site’s ranking or . In particular, avoid links to web spammers or “bad neighborhoods” on the web, as your own ranking may be affected adversely by those links.
  • Don’t use unauthorized computer programs to submit pages, check rankings, etc. Such programs consume computing resources and violate our Terms of Service. Google does not recommend the use of products such as WebPosition Gold™ that send automatic or programmatic queries to Google.

Yes, we can all read between the lines and are used to the usual kind of understatement coming from Google headquarters. Here they effectively stated that any site found in proximity to so-called bad neighborhoods or using WebPosition Gold will be severely penalized. Here is the evil part that makes SEDD possible. Due to the weakness of Google’s antispam algos, which cannot rely on on-site factors alone in fighting spam, they begin to punish for aspects that are not under the control of any individual webmaster. As long as this is true, it is enough, in the words of the Google guys themselves, to link to any site from well-known spammy bunches or to release WebPosition Gold on any website to achieve its inevitable deranking. Quite a recipe, I suppose! Hire a good henchman from the blackhat cohort who owns thousands of spammy abodes or fire up the abovementioned software and kaboom, your competitor is sinking and can do nothing about it.


Posted by LZZR under SEDD, Blog | Comments (0)

January 23, 2007

What a SEDD coincidence!


It’s been just a couple of days since I had written about the possibility of and what a coincidence!
In my post I was talking about Bad Neighbourhood and precisely this happened to me - I looked at my and it happened that some jerk decided that linking a dozen spammy Blogs to my rather insignificant article on was a pretty good idea, and all because this spammer (well, he or she, whatever you may mean by this word) digs into the subject of holidays and my unfortunate article seemed to rate well for this keyword.
Well, there are two sides to it. On the one hand I gained in link popularity on Technorati; on the other hand it hurts a bit as it damages my online reputation. I really don’t want to be associated with this spam!
To counter the damage I simply had to register and link in a number of Blogs on the major bloghosting services like , , , and so on. Now my new links cover this completely. Let’s see how it will affect my rankings now.


Posted by LZZR under SEDD, Blog | Comments (0)

January 20, 2007

SEO and SEDD - the possibility of malicious deranking


When you go through SEO FAQ pages, or ask an average SEO guru or a search engine spokesperson whether the search engine ranking of your site can be deliberately harmed by your competitor, the answer is always short and definitive: NO, no site can be harmed this way. Work to improve your site and you will score; don’t think about your competition this way!
Some recent events demonstrate that the issue is not necessarily so black-and-white.
In a remarkable post last month titled