
Update on searchportal.information.com DNS Attack


Update to my first post about
Just now I observed that the DNS poisoning continues; this time the affected DNS servers belong to 1AND1.COM, AKA 1&1 Internet Inc., one of the largest registrars and hosters!
I am getting pretty scared. If they can't deal with this problem for three days in a row, the Internet is a dangerous place now!
Some more info on this: the hacked DNS servers resolve the hijacked domains to 66.151.179.147, which hosts a 302 redirect, as yesterday. The landing page on searchportal.information.com belongs to account id 19911, as yesterday.
Shit! Nobody is doing anything. Neither has the servicing of the IP 66.151.179.147 been stopped, nor has the hosting been discontinued or the redirect script deleted. The account 19911 on searchportal.information.com is alive and well and not banned. What the fun is going on? Where are all those bloody spam-hunters now? Neither the DNS providers nor the hosting company seem to be doing anything!
At the moment, according to DomainTools, there are 16633 domains hosted on this IP address.
Once again, to be clear: this is not an Easter DoS attack, as there is no denial of service as such. It is a DNS hijack (or DNS spoofing, if you prefer): at a point fairly high up in the DNS hierarchy, the record for your domain name is changed so that the name resolves to the attacker's IP address. Recursive resolvers around the world fetch and cache that poisoned answer and keep serving it from cache for as long as its TTL allows, so the damage clears only gradually, after the correct address has been restored at the parent DNS server and the bad entries have expired (or been flushed) from each cache.
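If you administer a domain, the practical check is to ask several resolvers plus the authoritative servers what your name currently resolves to, and to compare every answer against the address you know to be correct rather than against the authoritative answer (which, in a hijack "high up", may itself be wrong). The script below is an added example, not code from the original post: the resolver names, the expected address 203.0.113.10, and the answer lines are constructed sample data in the text format `dig +noall +answer <name> @<resolver>` prints; only the hijack address 66.151.179.147 comes from the post. It also reports the longest TTL among the poisoned answers, which is the worst-case time a cache may keep serving the bad address once the parent record has been fixed.

```python
"""Compare A-record answers from several resolvers against a known-good address.

Added example (not the post's code). SAMPLE_ANSWERS is constructed data in
dig's answer-section format; replace it with real output to use it live.
"""
from dataclasses import dataclass
import ipaddress
import re

HIJACK_IP = "66.151.179.147"        # redirect host named in the post
EXPECTED_IP = "203.0.113.10"        # assumed: the address the domain should have

# Constructed sample: one answer section per resolver, as dig prints it:
#   <name> <ttl> IN A <address>
SAMPLE_ANSWERS = {
    "authoritative (ns1.example-registrar.net)": "example.com. 3600 IN A 203.0.113.10",
    "resolver-a": "example.com. 86400 IN A 66.151.179.147",
    "resolver-b": "example.com. 3600 IN A 203.0.113.10",
    "resolver-c": ";; comment line that dig may emit\nexample.com. 41200 IN A 66.151.179.147",
    "resolver-d": "",               # SERVFAIL / empty answer section
}

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")


@dataclass
class Answer:
    name: str
    ttl: int
    address: str


def parse_answer_section(text):
    """Parse dig-style 'name ttl IN A addr' lines; skip comments and blanks."""
    answers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if not m:
            continue                # not an A record (e.g. CNAME); ignore here
        name, ttl, addr = m.groups()
        ipaddress.IPv4Address(addr)  # raises ValueError on garbage
        answers.append(Answer(name, int(ttl), addr))
    return answers


def classify(expected, resolver_answers, hijack_ip=HIJACK_IP):
    """Return {resolver: (status, max_ttl)} with status one of
    'ok', 'hijacked' (points at the known bad host), 'divergent'
    (some other unexpected address) or 'no-answer'."""
    report = {}
    for resolver, text in resolver_answers.items():
        answers = parse_answer_section(text)
        if not answers:
            report[resolver] = ("no-answer", 0)
            continue
        addrs = {a.address for a in answers}
        ttl = max(a.ttl for a in answers)
        if hijack_ip in addrs:
            status = "hijacked"
        elif addrs == {expected}:
            status = "ok"
        else:
            status = "divergent"
        report[resolver] = (status, ttl)
    return report


def worst_case_clear_seconds(report):
    """Longest remaining TTL among poisoned answers: after the parent record
    is corrected, a cache may still serve the bad address for this long."""
    return max((ttl for status, ttl in report.values() if status == "hijacked"),
               default=0)


if __name__ == "__main__":
    rep = classify(EXPECTED_IP, SAMPLE_ANSWERS)
    for resolver, (status, ttl) in rep.items():
        print(f"{resolver:45} {status:10} ttl={ttl}")
    print("worst-case seconds until caches clear:", worst_case_clear_seconds(rep))
```

Anything reported as "hijacked" with a large TTL is worth a flush request to that resolver's operator; waiting for expiry alone can take a day, as the 86400-second sample shows.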
IMPORTANT
Once again I remind you to change all your passwords. While a hijacked name resolves to 66.151.179.147, every client that connects by hostname delivers its secrets to that host: the redirect script there collects the cookies your browser sends for the hijacked domain, and the authentication requests from your e-mail and FTP clients are most likely logged too.

3 Comments

  1. Anonymous wrote:

    I am N0mAncJreko from an anonymous group called Jdrahaf. This attack on DNS servers makes us angry. Prepare to die, 66.151.179.147

    Tuesday, April 10, 2007 at 12:07 pm
  2. mark wrote:

    I would think that people who are using things like the Firefox "No-Script" plug-in should be safe (i.e. no JavaScript), but I'm not sure, as I'm not sure if this is even Java related.

    Tuesday, April 10, 2007 at 2:53 pm
  3. LZZR wrote:

    Hmmm… I can't see how these two are related. In my scenario I assumed that the correct domain resolves to the attacker's IP, and there the attacker's script requests your cookies, which it is perfectly capable of doing since it requests them from the correct domain. There is no place for JavaScript here at all, so in my opinion disabling JavaScript will not help.
    Have you been thinking of some other way this can happen?

    Wednesday, April 11, 2007 at 12:54 am
