
SANS ISC: InfoSec Handlers Diary Blog - Where is Cameroon ?



Where is Cameroon ?

Published: 2007-02-08
Last Updated: 2007-02-08 22:19:44 UTC
by Daniel Wesemann (Version: 2)
Where is Cameroon? Well, only a small typo away! A reader today alerted us to the fact that "google.cm" is not your trusty search engine, but rather ... something else. Currently, the link leads to a kind of mock-up of a search tool named "Agoga" that appears to make money from displaying paid-for ad content. At first sight, we didn't find anything malicious lurking on the Agoga pages, but this could well change anytime (meaning: go there at your own risk).

In fact, and surprisingly enough, everything dot-cm ends up on that selfsame site. Yes, the Cameroon registry is running a DNS wildcard right at the top-level domain (TLD). Think phisher's paradise -- onlinebank.cm, myspace.cm, paypal.cm, anyone?

If you haven't got legitimate business with firms in Cameroon, you might want to consider making your internal DNS server authoritative for .cm and returning 127.0.0.1 until the Cameroon registry deigns to rectify this sorry state of affairs.

Agoga.com seems to be owned by a company "Netview Inc" in Vancouver, BC.

Update 22:14 UTC: James wrote in to remind us that in the "good" old days when Verisign also used to return wildcard answers for their TLDs, Russ Nelson had written a patch for TinyDNS which allows you to dev-null wildcard results a bit more selectively than my above suggestion of making your DNS authoritative for all of dot-cm. If you are running TinyDNS, the patch is still at http://tinydns.org/djbdns-1.05-ignoreip2.patch
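To check a zone for this kind of wildcard from the resolver side, and to suppress only the wildcard answers rather than the whole TLD, the sketch below probes random labels and then treats any answer carrying a wildcard address as nonexistent. It is an added example, not code from this diary or from the TinyDNS patch; the function names, the sample resolver, the addresses and "legit-firm.cm" are constructed for illustration.

```python
import secrets
import socket

def system_resolver(name):
    """Return the IPv4 addresses for name, or an empty set if it does not resolve."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def wildcard_ips(zone, resolve=system_resolver, probes=3):
    """Addresses the zone returns for names that cannot exist (empty set: no wildcard).

    Each probe is a random 20-hex-digit label. If any probe fails to resolve,
    the zone is treated as not wildcarded.
    """
    seen = set()
    for _ in range(probes):
        answer = set(resolve(f"{secrets.token_hex(10)}.{zone}"))
        if not answer:
            return set()
        seen |= answer
    return seen

def filtered_resolve(name, ignore, resolve=system_resolver):
    """Resolve name, but report it as nonexistent when an answer is in ignore."""
    answer = set(resolve(name))
    return set() if answer & ignore else answer

# Constructed sample data: a stand-in resolver that models a wildcarded TLD.
# The address ranges are reserved for documentation; "legit-firm.cm" is hypothetical.
SAMPLE_RECORDS = {"legit-firm.cm": {"198.51.100.7"}}
SAMPLE_WILDCARD = {"192.0.2.10"}

def sample_resolver(name):
    if name in SAMPLE_RECORDS:
        return SAMPLE_RECORDS[name]
    return SAMPLE_WILDCARD if name.endswith(".cm") else set()

if __name__ == "__main__":
    ignore = wildcard_ips("cm", sample_resolver)
    print("wildcard addresses:", ignore)
    for name in ("paypal.cm", "legit-firm.cm"):
        print(name, "->", filtered_resolve(name, ignore, sample_resolver) or "NXDOMAIN")
```

A legitimate host that happens to share an address with the wildcard target would be suppressed as well, so review the ignore set before relying on it.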