SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2011-07-20

BING DNS Hijack?

Published: 2011-07-20
Last Updated: 2011-07-20 13:52:23 UTC
by Chris Carboni (Version: 2)
10 comment(s)

Dan wrote in with some interesting results after a co-worker reported an unusual error.

Is anyone else having similar problems/results?

A DNS lookup shows the NS records pointing to servers at JOMAX.NET:

$ dig search.live.com

; <<>> DiG 9.7.0-P1 <<>> search.live.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15688
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;search.live.com.               IN      A

;; ANSWER SECTION:
search.live.com.        60      IN      A       69.25.212.52
search.live.com.        60      IN      A       8.15.228.166

;; AUTHORITY SECTION:
search.live.com.        65535   IN      NS      WSC2.JOMAX.NET.
search.live.com.        65535   IN      NS      WSC1.JOMAX.NET.

;; Query time: 43 msec
;; SERVER: 10.1.200.16#53(10.1.200.16)
;; WHEN: Wed Jul 20 08:37:46 2011
;; MSG SIZE  rcvd: 121

A whois on live.com is very interesting as well:

~$ whois live.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: LIVE.COM.ZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
   IP Address: 69.41.185.200
   Registrar: TUCOWS.COM CO.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net

   Server Name: LIVE.COM.ITS-NOT-ROCKET-SCIENCE-MR-RIKY-BLAIKIE.BURTYB.COM
   IP Address: 209.85.6.100
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com

   Server Name: LIVE.COM.IS.N0T.AS.1337.AS.GULLI.COM
   IP Address: 80.190.192.39
   Registrar: EPAG DOMAINSERVICES GMBH
   Whois Server: whois.enterprice.net
   Referral URL: http://www.enterprice.net

   Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM
   IP Address: 80.190.192.39
   Registrar: EPAG DOMAINSERVICES GMBH
   Whois Server: whois.enterprice.net
   Referral URL: http://www.enterprice.net

   Domain Name: LIVE.COM
   Registrar: CSC CORPORATE DOMAINS, INC.
   Whois Server: whois.corporatedomains.com
   Referral URL: http://www.cscglobal.com
   Name Server: NS1.MSFT.NET
   Name Server: NS2.MSFT.NET
   Name Server: NS3.MSFT.NET
   Name Server: NS4.MSFT.NET
   Name Server: NS5.MSFT.NET
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 08-apr-2009
   Creation Date: 28-dec-1994
   Expiration Date: 27-dec-2017

>>> Last update of whois database: Wed, 20 Jul 2011 12:28:01 UTC <<<

Dan followed up with:

Additional: we use Global Crossing for our ISP, all of their DNS servers (which we use as forwarders) produce the same results.  Other name servers I checked (OpenDNS, AT&T) looked okay.  As of right now, users get the Bing webpage when they go to http://search.live.com, though the IP addresses haven't changed.

Something doesn't smell right about this.

Indeed
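Dan's procedure above, compare one resolver's answer with another resolver's and check the NS records handed back against the nameservers the registry lists for the domain, can be scripted from saved output. The following is an added example written for this diary; it is not code from the ISC or from Dan. DIG_OUTPUT is the diary's dig output retyped into normal dig layout, WHOIS_OUTPUT is an abbreviated copy of the whois output above, and REFERENCE_DIG is a constructed placeholder for the unaffected resolver (the diary only says OpenDNS and AT&T "looked okay", so its address is taken from the 192.0.2.0/24 documentation range). The "Server Name:" blocks in a .com whois reply are nameserver host objects whose names happen to begin with LIVE.COM; they are not the domain's delegation, so the parser keeps them apart from the "Name Server:" lines of the "Domain Name: LIVE.COM" record.

```python
import re

# Constructed sample: the dig output from the diary, retyped into normal dig
# layout (the web page had wrapped each record across several lines).
DIG_OUTPUT = """\
;; QUESTION SECTION:
;search.live.com.               IN      A

;; ANSWER SECTION:
search.live.com.        60      IN      A       69.25.212.52
search.live.com.        60      IN      A       8.15.228.166

;; AUTHORITY SECTION:
search.live.com.        65535   IN      NS      WSC2.JOMAX.NET.
search.live.com.        65535   IN      NS      WSC1.JOMAX.NET.
"""

# Constructed placeholder for a second, unaffected resolver: the diary gives no
# values for it, so the address is from the documentation range 192.0.2.0/24
# and the NS records are the registry-listed ones.
REFERENCE_DIG = """\
;; ANSWER SECTION:
search.live.com.        300     IN      A       192.0.2.10

;; AUTHORITY SECTION:
live.com.               3600    IN      NS      ns1.msft.net.
live.com.               3600    IN      NS      ns2.msft.net.
"""

# Constructed sample: abbreviated registry whois output as quoted in the diary.
# "Server Name:" blocks are host objects, not the delegation for live.com.
WHOIS_OUTPUT = """\
   Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM
   IP Address: 80.190.192.39
   Registrar: EPAG DOMAINSERVICES GMBH

   Domain Name: LIVE.COM
   Registrar: CSC CORPORATE DOMAINS, INC.
   Name Server: NS1.MSFT.NET
   Name Server: NS2.MSFT.NET
   Name Server: NS3.MSFT.NET
   Name Server: NS4.MSFT.NET
   Name Server: NS5.MSFT.NET
   Status: clientTransferProhibited
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)\s*$")


def parse_dig(text):
    """Parse dig output into {section: [(owner, ttl, rtype, rdata), ...]}.
    Names are lower-cased with the trailing dot dropped so they compare
    cleanly with whois output, which uses neither."""
    records, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RR_RE.match(line)          # the ";name IN A" question line never matches
        if m and section:
            owner, ttl, rtype, rdata = m.groups()
            records.setdefault(section, []).append(
                (owner.lower().rstrip("."), int(ttl), rtype, rdata.lower().rstrip(".")))
    return records


def parse_whois(text):
    """Return (delegated nameservers, host objects) from registry whois output."""
    nameservers, host_objects = set(), []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().lower()
        if key == "Name Server":       # delegation of the domain itself
            nameservers.add(value)
        elif key == "Server Name":     # unrelated host object with a matching prefix
            host_objects.append(value)
    return nameservers, host_objects


def in_zone(host, zone):
    return host == zone or host.endswith("." + zone)


def check_delegation(dig_text, whois_text, zone):
    """Flag NS records the resolver returned that are neither the registry's
    nameservers for `zone` nor hosts inside `zone`. A subzone can legitimately
    be delegated elsewhere, so a finding is a prompt to verify, not proof."""
    expected, _ = parse_whois(whois_text)
    returned = {r[3] for r in parse_dig(dig_text).get("AUTHORITY", []) if r[2] == "NS"}
    foreign = sorted(ns for ns in returned if ns not in expected and not in_zone(ns, zone))
    if not foreign:
        return []
    return ["resolver returned NS %s for %s; registry lists %s. Query the registry-listed "
            "servers directly to confirm the delegation." % (foreign, zone, sorted(expected))]


def diff_resolvers(dig_a, dig_b):
    """Addresses that only one of two resolvers returned in its ANSWER section."""
    def addrs(text):
        return {r[3] for r in parse_dig(text).get("ANSWER", []) if r[2] in ("A", "AAAA")}
    a, b = addrs(dig_a), addrs(dig_b)
    return {"only_first": sorted(a - b), "only_second": sorted(b - a)}


if __name__ == "__main__":
    for finding in check_delegation(DIG_OUTPUT, WHOIS_OUTPUT, "live.com"):
        print("CHECK:", finding)
    print("resolver disagreement:", diff_resolvers(DIG_OUTPUT, REFERENCE_DIG))
```

Run against the diary's output the script flags WSC1/WSC2.JOMAX.NET as outside both the registry's delegation and the live.com zone, and reports that the two resolvers disagree on every address. The next step is the one Dan took: ask a resolver you trust, then ask the registry-listed nameservers themselves, and treat the forwarder as suspect until the three agree.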

Christopher Carboni - Handler On Duty