BING DNS Hijack?

Published: 2011-07-20
Last Updated: 2011-07-20 13:52:23 UTC
by Chris Carboni (Version: 2)
10 comment(s)

Dan wrote in with some interesting results after a co-worker reported an unusual error.

Is anyone else having similar problems/results?

A DNS lookup shows the NS records pointing to servers at JOMAX.NET

$ dig search.live.com

; <<>> DiG 9.7.0-P1 <<>> search.live.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15688
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;search.live.com.               IN      A

;; ANSWER SECTION:
search.live.com.        60      IN      A       69.25.212.52
search.live.com.        60      IN      A       8.15.228.166

;; AUTHORITY SECTION:
search.live.com.        65535   IN      NS      WSC2.JOMAX.NET.
search.live.com.        65535   IN      NS      WSC1.JOMAX.NET.

;; Query time: 43 msec
;; SERVER: 10.1.200.16#53(10.1.200.16)
;; WHEN: Wed Jul 20 08:37:46 2011
;; MSG SIZE  rcvd: 121

A whois on live.com is very interesting as well:

~$ whois live.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

  Server Name: LIVE.COM.ZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
  IP Address: 69.41.185.200
  Registrar: TUCOWS.COM CO.
  Whois Server: whois.tucows.com
  Referral URL: http://domainhelp.opensrs.net

  Server Name: LIVE.COM.ITS-NOT-ROCKET-SCIENCE-MR-RIKY-BLAIKIE.BURTYB.COM
  IP Address: 209.85.6.100
  Registrar: ENOM, INC.
  Whois Server: whois.enom.com
  Referral URL: http://www.enom.com

  Server Name: LIVE.COM.IS.N0T.AS.1337.AS.GULLI.COM
  IP Address: 80.190.192.39
  Registrar: EPAG DOMAINSERVICES GMBH
  Whois Server: whois.enterprice.net
  Referral URL: http://www.enterprice.net

  Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM
  IP Address: 80.190.192.39
  Registrar: EPAG DOMAINSERVICES GMBH
  Whois Server: whois.enterprice.net
  Referral URL: http://www.enterprice.net

  Domain Name: LIVE.COM
  Registrar: CSC CORPORATE DOMAINS, INC.
  Whois Server: whois.corporatedomains.com
  Referral URL: http://www.cscglobal.com
  Name Server: NS1.MSFT.NET
  Name Server: NS2.MSFT.NET
  Name Server: NS3.MSFT.NET
  Name Server: NS4.MSFT.NET
  Name Server: NS5.MSFT.NET
  Status: clientDeleteProhibited
  Status: clientTransferProhibited
  Status: clientUpdateProhibited
  Updated Date: 08-apr-2009
  Creation Date: 28-dec-1994
  Expiration Date: 27-dec-2017

>>> Last update of whois database: Wed, 20 Jul 2011 12:28:01 UTC <<<

Dan followed up with:

Additional: we use Global Crossing for our ISP, all of their DNS servers (which we use as forwarders) produce the same results.  Other name servers I checked (OpenDNS, AT&T) looked okay.  As of right now, users get the Bing webpage when they go to http://search.live.com, though the IP addresses haven't changed.

Something doesn't smell right about this.

Indeed
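The check Dan did by hand (comparing what a resolver returns in its AUTHORITY section against the name servers the registrar lists in whois) can be scripted. The following is an added example, not part of the diary: it parses dig-style output and flags NS names outside the registrar's list. It assumes the subdomain is expected to use the parent domain's servers, and the embedded sample is constructed from the answer quoted above.

```python
"""Flag a resolver whose AUTHORITY section names servers outside the registrar's NS list."""
import re

# Constructed sample: the dig answer from the diary (authority points at JOMAX.NET)
DIG_OUTPUT = """\
;; ANSWER SECTION:
search.live.com.        60      IN      A       69.25.212.52
search.live.com.        60      IN      A       8.15.228.166

;; AUTHORITY SECTION:
search.live.com.        65535   IN      NS      WSC2.JOMAX.NET.
search.live.com.        65535   IN      NS      WSC1.JOMAX.NET.
"""

# Name servers the registrar whois in the diary lists for live.com
REGISTRAR_NS = {"ns1.msft.net", "ns2.msft.net", "ns3.msft.net",
                "ns4.msft.net", "ns5.msft.net"}

# owner  ttl  IN  type  rdata  (dig's default single-line record layout)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_sections(text):
    """Return {section: [(owner, ttl, type, rdata), ...]} from dig output."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^;; (\w+) SECTION:$", line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        rr = RR_RE.match(line)
        if rr:
            owner, ttl, rtype, rdata = rr.groups()
            sections[current].append((owner.rstrip(".").lower(), int(ttl),
                                      rtype, rdata.rstrip(".").lower()))
    return sections


def unexpected_ns(text, expected):
    """NS names in the AUTHORITY section that the registrar does not list."""
    allowed = {e.rstrip(".").lower() for e in expected}
    return sorted(rdata for _o, _t, rtype, rdata
                  in parse_sections(text).get("AUTHORITY", [])
                  if rtype == "NS" and rdata not in allowed)


if __name__ == "__main__":
    for name in unexpected_ns(DIG_OUTPUT, REGISTRAR_NS):
        print("unexpected NS in AUTHORITY section:", name)
```

Run the same comparison against the output of each forwarder and of an independent resolver; a list that is empty for most resolvers and non-empty for one is the divergence worth investigating.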

Christopher Carboni - Handler On Duty
