BING DNS Hijack? - SANS Internet Storm Center

BING DNS Hijack?
Dan wrote in with some interesting results after a co-worker reported an unusual error. Is anyone else having similar problems/results? A dns lookup shows the NS records pointing to servers at JOMAX.NET $ dig search.live.com ; <<>> DiG 9.7.0-P1 <<>> search.live.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15688 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;search.live.com . IN A ;; ANSWER SECTION: search.live.com . 60 IN A 69.25.212.52 search.live.com . 60 IN A 8.15.228.166 ;; AUTHORITY SECTION: search.live.com . 65535 IN NS WSC2.JOMAX.NET . search.live.com . 65535 IN NS WSC1.JOMAX.NET . ;; Query time: 43 msec ;; SERVER: 10.1.200.16#53(10.1.200.16) ;; WHEN: Wed Jul 20 08:37:46 2011 ;; MSG SIZE rcvd: 121 A whois on live.com is very interesting as well: ~$ whois live.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Server Name: LIVE.COM.ZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM IP Address: 69.41.185.200 Registrar: TUCOWS.COM CO. Whois Server: whois.tucows.com Referral URL: http://domainhelp.opensrs.net Server Name: LIVE.COM.ITS-NOT-ROCKET-SCIENCE-MR-RIKY-BLAIKIE.BURTYB.COM IP Address: 209.85.6.100 Registrar: ENOM, INC. Whois Server: whois.enom.com Referral URL: http://www.enom.com Server Name: LIVE.COM.IS.N0T.AS.1337.AS.GULLI.COM IP Address: 80.190.192.39 Registrar: EPAG DOMAINSERVICES GMBH Whois Server: whois.enterprice.net Referral URL: http://www.enterprice.net Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM IP Address: 80.190.192.39 Registrar: EPAG DOMAINSERVICES GMBH Whois Server: whois.enterprice.net Referral URL: http://www.enterprice.net Domain Name: LIVE.COM Registrar: CSC CORPORATE DOMAINS, INC. Whois Server: whois.corporatedomains.com Referral URL: http://www.cscglobal.com Name Server: NS1.MSFT.NET Name Server: NS2.MSFT.NET Name Server: NS3.MSFT.NET Name Server: NS4.MSFT.NET Name Server: NS5.MSFT.NET Status: clientDeleteProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 08-apr-2009 Creation Date: 28-dec-1994 Expiration Date: 27-dec-2017 >>> Last update of whois database: Wed, 20 Jul 2011 12:28:01 UTC <<< Christopher Carboni - Handler On Duty	Chris 140 Posts
Reply Subscribe	Jul 20th 2011 7 years ago
The whois stuff is a known issue with the way whois for domain names works and does not indicate a problem. See http://lists.grok.org.uk/pipermail/full-disclosure/2003-December/015111.html	Anonymous
Reply Quote	Jul 20th 2011 7 years ago
Your WHOIS lookup is returning a DNS Domain server address somebody registered. It is basically, what I call a form of "WHOIS Spam" When you register a DNS server with the registrar, for example NS1.EXAMPLE.COM, a WHOIS entry is created for the nameserver. If your nameserver happens to be named NS1.blahblahblah.com.foobar.example.com then a WHOIS lookup for blahblahblah.com will find your nameserver in the WHOIS database. And nameserver addresses are displayed in priority over domain names.	Mysid 146 Posts
Reply Quote	Jul 20th 2011 7 years ago
If you get a result which points to jomax.net you k.ow that the DNS server is frontended by a paxfire device. Paxfire == stealin' yer queries since 2004... maybe the bing-lawyers should give gblx a call?	Mysid 2 Posts
Reply Quote	Jul 20th 2011 7 years ago
This appears to be an ISP-specific configuration for a high-traffic hostname. When querying a Global Crossing DNS server, the A records for search.live.com are pointing to IPs owned by Internap and Level3, both of which provide CDN services. Based on my experience, IPs in these netblocks have long been used for content delivery for other popular hostnames. Additionally, Level3 is currently in the process of acquiring Global Crossing.	Mysid 1 Posts
Reply Quote	Jul 20th 2011 7 years ago
This is Paxfire. Paxfire hijacks Yahoo, Bing, and sometimes Google, in cooperation with the ISP to act as a MitM through these proxies. This is in addition to Paxfire's "Normal" behavior of wildcarding NXDOMAINs. We generically detect this in Netalyzr ( http://netalyzr.icsi.berkeley.edu ) .	Mysid 2 Posts
Reply Quote	Jul 20th 2011 7 years ago
It is Global Crossing's DNS servers, looking a little more at our Netalyzr data we see that IP being served by various global crossing resolvers but no other.	Mysid 2 Posts
Reply Quote	Jul 20th 2011 7 years ago
I know this problem since 2010. On a WindowsXP PC running tcpview from sysinternals, I saw connections to strange IPs, when I was connecting to bing (http tcp port 80) So I wrote to my hostmaster: > ----------------------------------------------- > From: Heinrich Elsigan > Sent: monday, 26. July 2010 03:32 > To: hostmaster@chello.at > Subject: DNS Problem > Dear hostmaster, > I retain via DHCP from my cabelmodem the > following name servers ... > Are there poisoned, cause when I make a > nslookup www.bing.com or www.irs.gov I get > strange IPs, that I don't get from anywhere else: > nslookup ww.bing.com. > Name: a134.g.akamai.net > Addresses: 78.128.147.42, 78.128.147.18 > Aliases: www.bing.com, > search.ms.com.edgesuite.net > > nslookup www.irs.gov. > Name: a321.g.akamai.net > Addresses: 78.128.147.26, 78.128.147.24 > Aliases: www.irs.gov, > www.edgeredirector.irs.akadns.net > > Kind Regards, Heinrich. Hostmaster didn't help me, so I talked to other networking expert guys. They mean: "Don't be paranoid, thats a cloudy solution, where every ISP directs search requests to another server, no more round robin at all, maybe they like to make statistics or ..." I answered: "Ah cool, so enduser will never know if its dns poisining or a cloud solution!"	Mysid 2 Posts
Reply Quote	Jul 20th 2011 7 years ago
Take a look, at the following FQDN: www.visa.com www.f-secure.com www.trendmicro.com For example www.visa.com is mostley mapped to a294.g.akamai.net I got these IPs: 2.21.246.80, 2.21.246.79 2.20.182.9, 2.20.182.49 193.170.140.79, 193.170.140.86 See http://www.akamai.com or ask google: http://www.google.com/#q=site:akamai.net&num=100&hl=en&newwindow=1&safe=off&start=0&sa=N Regards heinrich.	Mysid 2 Posts
Reply Quote	Jul 20th 2011 7 years ago
Cloudy is the best way to describe the web now. We spent the last 20 years doing away with what they now call ... the cloud! We built data centers to handle load, and made peering arrangements to various backbones to carry our traffic quickly. Now we are in effect going backwards but doing so in a very awkward way. All of these cloud providers have limitations on what and how you deploy. Next, you can add more virtual kick to your cloud in an instant. But is it your cloud? NO! It is something you share, and something that breaks out serious security threats every step of the way. You controlled your data center, but you do not control the cloud. You controlled your data but now the cloud controls your data. You secured your data, but now the cloud secures your data. You knew when something was broken in your data center and were able to offload to another machine or cluster yourself, now you have no clue when some part of your cloud malfunctions. You had everything, and now you have nothing! The next problem is security form the end-user perspective. What comes from where? Is it supposed to be that way? Can it be trusted? NO, it cannot! Cloud is a cheap way to do things, but it forfeits all of the security we have built into the Internet in one quick shot! I for one do not support anything cloud based, with perhaps the exception of video content delivery which must not have lag time or it will fail. We have enough of a hard time identifying real threats without all of these virtual crap shooters surrounding us! Soon institutions will be forced to block cloud IP ranges to stay secure, and then we will see what happens. The cloud then equals a puddle we step around. It will fail unless something changes fast.	Al of Your Data Center 80 Posts
Reply Quote	Jul 21st 2011 7 years ago
and I thing it is a who is spam also used by small domain sellers	WEB TASARIM 1 Posts
Reply Quote	Jul 24th 2011 7 years ago

Dan wrote in with some interesting results after a co-worker reported an unusual error.

Is anyone else having similar problems/results?

A dns lookup shows the NS records pointing to servers at JOMAX.NET

$ dig search.live.com

; <<>> DiG 9.7.0-P1 <<>> search.live.com

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15688
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;search.live.com

.               IN      A

;; ANSWER SECTION:
search.live.com

.        60      IN      A       69.25.212.52
search.live.com

.        60      IN      A       8.15.228.166

;; AUTHORITY SECTION:
search.live.com

.        65535   IN      NS      WSC2.JOMAX.NET

.
search.live.com

.        65535   IN      NS      WSC1.JOMAX.NET

.

;; Query time: 43 msec
;; SERVER: 10.1.200.16#53(10.1.200.16)
;; WHEN: Wed Jul 20 08:37:46 2011
;; MSG SIZE rcvd: 121

A whois on live.com

is very interesting as well:

~$ whois live.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net

for detailed information.

Server Name: LIVE.COM.ZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM

IP Address: 69.41.185.200
Registrar: TUCOWS.COM

CO.
Whois Server: whois.tucows.com

Referral URL: http://domainhelp.opensrs.net

Server Name: LIVE.COM.ITS-NOT-ROCKET-SCIENCE-MR-RIKY-BLAIKIE.BURTYB.COM

IP Address: 209.85.6.100
Registrar: ENOM, INC.
Whois Server: whois.enom.com

Referral URL: http://www.enom.com
Server Name: LIVE.COM.IS.N0T.AS.1337.AS.GULLI.COM
IP Address: 80.190.192.39
Registrar: EPAG DOMAINSERVICES GMBH
Whois Server: whois.enterprice.net

Referral URL: http://www.enterprice.net
Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM
IP Address: 80.190.192.39
Registrar: EPAG DOMAINSERVICES GMBH
Whois Server: whois.enterprice.net

Referral URL: http://www.enterprice.net
Domain Name: LIVE.COM
Registrar: CSC CORPORATE DOMAINS, INC.
Whois Server: whois.corporatedomains.com

Referral URL: http://www.cscglobal.com
Name Server: NS1.MSFT.NET
Name Server: NS2.MSFT.NET
Name Server: NS3.MSFT.NET
Name Server: NS4.MSFT.NET
Name Server: NS5.MSFT.NET

Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 08-apr-2009
Creation Date: 28-dec-1994
Expiration Date: 27-dec-2017

>>> Last update of whois database: Wed, 20 Jul 2011 12:28:01 UTC <<<

Christopher Carboni - Handler On Duty

Chris

140 Posts

The whois stuff is a known issue with the way whois for domain names works and does not indicate a problem. See http://lists.grok.org.uk/pipermail/full-disclosure/2003-December/015111.html

Anonymous

Your WHOIS lookup is returning a DNS Domain server address somebody registered.

It is basically, what I call a form of "WHOIS Spam"

When you register a DNS server with the registrar, for example NS1.EXAMPLE.COM, a WHOIS entry is created for the nameserver.

If your nameserver happens to be named
NS1.blahblahblah.com.foobar.example.com

then a WHOIS lookup for blahblahblah.com
will find your nameserver in the WHOIS database.

And nameserver addresses are displayed in priority over domain names.

Mysid

146 Posts

If you get a result which points to jomax.net you k.ow that the DNS server is frontended by a paxfire device.

Paxfire == stealin' yer queries since 2004... maybe the bing-lawyers should give gblx a call?

Mysid
2 Posts

This appears to be an ISP-specific configuration for a high-traffic hostname. When querying a Global Crossing DNS server, the A records for search.live.com are pointing to IPs owned by Internap and Level3, both of which provide CDN services. Based on my experience, IPs in these netblocks have long been used for content delivery for other popular hostnames. Additionally, Level3 is currently in the process of acquiring Global Crossing.

Mysid
1 Posts

This is Paxfire. Paxfire hijacks Yahoo, Bing, and sometimes Google, in cooperation with the ISP to act as a MitM through these proxies. This is in addition to Paxfire's "Normal" behavior of wildcarding NXDOMAINs. We generically detect this in Netalyzr ( http://netalyzr.icsi.berkeley.edu ) .

Mysid
2 Posts

It is Global Crossing's DNS servers, looking a little more at our Netalyzr data we see that IP being served by various global crossing resolvers but no other.

Mysid
2 Posts

I know this problem since 2010.
On a WindowsXP PC running tcpview from sysinternals, I saw connections to strange IPs,
when I was connecting to bing (http tcp port 80)
So I wrote to my hostmaster:
> -----------------------------------------------
> From: Heinrich Elsigan
> Sent: monday, 26. July 2010 03:32
> To: hostmaster@chello.at
> Subject: DNS Problem
> Dear hostmaster,
> I retain via DHCP from my cabelmodem the
> following name servers ...
> Are there poisoned, cause when I make a
> nslookup www.bing.com or www.irs.gov I get
> strange IPs, that I don't get from anywhere else:
> nslookup ww.bing.com.
> Name: a134.g.akamai.net
> Addresses: 78.128.147.42, 78.128.147.18
> Aliases: www.bing.com,
> search.ms.com.edgesuite.net
>
> nslookup www.irs.gov.
> Name: a321.g.akamai.net
> Addresses: 78.128.147.26, 78.128.147.24
> Aliases: www.irs.gov,
> www.edgeredirector.irs.akadns.net
>
> Kind Regards, Heinrich.

Hostmaster didn't help me, so I talked to other networking expert guys. They mean:
"Don't be paranoid, thats a cloudy solution, where every ISP directs search requests to another server, no more round robin at all, maybe they like to make statistics or ..."
I answered: "Ah cool, so enduser will never know if its dns poisining or a cloud solution!"

Mysid
2 Posts

Take a look, at the following FQDN:
www.visa.com
www.f-secure.com
www.trendmicro.com

For example www.visa.com is mostley mapped to a294.g.akamai.net
I got these IPs:
2.21.246.80, 2.21.246.79
2.20.182.9, 2.20.182.49
193.170.140.79, 193.170.140.86

See http://www.akamai.com
or ask google:
http://www.google.com/#q=site:akamai.net&num=100&hl=en&newwindow=1&safe=off&start=0&sa=N

Regards heinrich.

Mysid
2 Posts

Cloudy is the best way to describe the web now.

We spent the last 20 years doing away with what they now call ... the cloud! We built data centers to handle load, and made peering arrangements to various backbones to carry our traffic quickly.

Now we are in effect going backwards but doing so in a very awkward way. All of these cloud providers have limitations on what and how you deploy. Next, you can add more virtual kick to your cloud in an instant.

But is it your cloud? NO! It is something you share, and something that breaks out serious security threats every step of the way. You controlled your data center, but you do not control the cloud. You controlled your data but now the cloud controls your data. You secured your data, but now the cloud secures your data. You knew when something was broken in your data center and were able to offload to another machine or cluster yourself, now you have no clue when some part of your cloud malfunctions.

You had everything, and now you have nothing!

The next problem is security form the end-user perspective. What comes from where? Is it supposed to be that way? Can it be trusted? NO, it cannot!

Cloud is a cheap way to do things, but it forfeits all of the security we have built into the Internet in one quick shot! I for one do not support anything cloud based, with perhaps the exception of video content delivery which must not have lag time or it will fail.

We have enough of a hard time identifying real threats without all of these virtual crap shooters surrounding us! Soon institutions will be forced to block cloud IP ranges to stay secure, and then we will see what happens. The cloud then equals a puddle we step around. It will fail unless something changes fast.

Al of Your Data Center

80 Posts

and I thing it is a who is spam also used by small domain sellers

WEB TASARIM

1 Posts