Update on searchportal.information.com DNS Attack
Update to my first post about DNS ATTACK
Just now observed that the DNS poisoning continues - this time the affected DNS servers belong to 1AND1.COM, AKA 1&1 Internet Inc. - one of the largest registrars and hosters!
I am getting pretty scared - if they can’t deal with this problem for three days in a row, the Internet is a dangerous place now!
Some more info on this - the hacked DNS servers resolve hijacked domains to 66.151.179.147, which hosts a 302 redirect, as yesterday. The landing page on searchportal.information.com belongs to account id 19911, as yesterday.
Shit! Nobody is doing anything - the servicing of the IP 66.151.179.147 has not been stopped, the hosting has not been discontinued, and the redirect script has not been deleted. The account 19911 on searchportal.information.com is alive and well and not banned. What the fun is going on? Where are all those bloody spam-hunters now? Neither the DNS providers nor the hosting company seem to be doing anything!
At the moment, according to domaintools, there are 16633 domains hosted on this IP address.
Once again, to clear it up: this isn’t an Easter DoS attack, as there is no denial of service as such. It is a DNS hijack, or DNS spoofing if you wish, where rather high up in the hierarchy of DNS servers your domain name resolves to the attacker’s IP address. This poisoned data spreads over multiple DNS servers around the world and gradually gets cleaned only after the correct IP address is restored at a parent DNS server.
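Because the poisoned record lingers on some resolvers after others have been cleaned, it helps to compare what each resolver answers against the addresses you expect. The following is an added example, not part of the original post: the domains, resolver names, baseline addresses and sample answers are constructed, and only the rogue IP comes from the post.

```python
from ipaddress import ip_address

# Address the post reports hijacked domains resolving to.
ROGUE_IP = ip_address("66.151.179.147")

# Constructed baseline: A records each domain owner expects (documentation ranges).
EXPECTED = {
    "example.com": {"192.0.2.10"},
    "example.net": {"198.51.100.7", "198.51.100.8"},
}

# Constructed sample of (resolver, domain, A records answered). In practice these
# rows would be collected by querying several recursive resolvers.
ANSWERS = [
    ("resolver-a", "example.com", ["192.0.2.10"]),
    ("resolver-b", "example.com", ["66.151.179.147"]),
    ("resolver-a", "example.net", ["198.51.100.8"]),
    ("resolver-c", "example.net", ["203.0.113.99"]),
    ("resolver-c", "example.org", ["66.151.179.147"]),
]

def classify(domain, answers):
    """Verdict for one resolver's answer to one domain."""
    got = {ip_address(a) for a in answers}
    if ROGUE_IP in got:
        return "hijacked"          # known-bad address, baseline not needed
    want = EXPECTED.get(domain)
    if want is None:
        return "no-baseline"       # nothing to compare against
    if got and got <= {ip_address(w) for w in want}:
        return "ok"                # every answered address is expected
    return "mismatch"              # empty answer or an unexpected address

def audit(rows):
    """Return {domain: {resolver: verdict}} for all collected answers."""
    verdicts = {}
    for resolver, domain, answers in rows:
        verdicts.setdefault(domain, {})[resolver] = classify(domain, answers)
    return verdicts

def stale_resolvers(verdicts):
    """Resolvers still serving hijacked or unexpected data for any domain."""
    bad = {r for per in verdicts.values() for r, v in per.items()
           if v in ("hijacked", "mismatch")}
    return sorted(bad)

if __name__ == "__main__":
    result = audit(ANSWERS)
    print(result)
    print("still serving bad data:", stale_resolvers(result))
```

Re-running the audit over time shows which resolvers have picked up the restored record and which still serve the poisoned one.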
IMPORTANT
Once again, I remind you to change all your passwords: the redirect script on 66.151.179.147 also collects cookies, and authentication requests from your e-mail and FTP clients are most likely logged too.
tags: 1and1, dns, dos, easter, alert, attack, danger, hack, hijack, oneandone, password, poisoning, red alert, security, spoofing

I am N0mAncJreko from an anonymous group called Jdrahaf. This attack on DNS servers makes us angry. Prepare to die, 66.151.179.147
Comment by Anonymous — April 10, 2007 @ 12:07 pm
I would think that people who are using things like the Firefox “No-Script” plug-in should be safe (i.e. no JavaScript), but I’m not sure, as I’m not sure if this is even Java related.
Comment by mark — April 10, 2007 @ 2:53 pm
Hmmm… I can’t see how these two are related - in my scenario I assumed that the correct domain resolves to the attacker’s IP, and there the attacker’s script requests your cookies, which it is perfectly capable of doing since it requests them from the correct domain. There is no place for JavaScript here at all, so in my opinion disabling JavaScript will not help.
Have you been thinking of some other way this can happen?
Comment by LZZR — April 11, 2007 @ 12:54 am