thr3ads.net - freebsd security - DNS of FreeBSD.org been Attacked!? [Mar 2009]

If this information is useful, please help other people find it:
Share via:

James Chang

2009-Mar-24 00:14 UTC

DNS of FreeBSD.org been Attacked!?

Dear all,

      I found some strange DNS query result these days.

Show the strange result as following :<

C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org
168.95.1.1

Server:  dns.hinet.net
Address:  168.95.1.1

Name:    ftp11.tw.freebsd.org.com.tw
Address:  82.98.86.170

C:\Documents and Settings\Administrator>nslookup ftp6.tw.freebsd.org
168.95.1.1
Server:  dns.hinet.net
Address:  168.95.1.1

Name:    ftp6.tw.freebsd.org.com.tw
Address:  82.98.86.170

      Both ftp6.tw.freebsd.org and ftp11.tw.freebsd.org
has the same IP adderess, and this IP address seems
belong to a malice domain!

       Could anyone have good idea?

UEDA Hiroyuki

2009-Mar-24 01:16 UTC

head link

DNS of FreeBSD.org been Attacked!?

Hello,

> C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org
168.95.1.1
> 
> Server:  dns.hinet.net
> Address:  168.95.1.1
> 
> Name:    ftp11.tw.freebsd.org.com.tw                               ^^^^^^^^
You seem to nslookup "ftp11.tw.freebsd.org.COM.TW". If it's right,
> Address:  82.98.86.170
is correct as follows:

$ dig A ftp11.tw.freebsd.org.com.tw

; <<>> DiG 9.2.4 <<>> A ftp11.tw.freebsd.org.com.tw
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53400
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp11.tw.freebsd.org.com.tw.   IN      A

;; ANSWER SECTION:
ftp11.tw.freebsd.org.com.tw. 600 IN     A       82.98.86.170

So you had better check your PC's settings.


BTW, a wild card record(*.org.com.tw) is probably used. For example, I
got same results with following queries:

$ dig A foo.bar.freebsd.org.com.tw
$ dig A foo.bar.org.com.tw
$ dig A foo.org.com.tw


Best regards.

-----
UEDA Hiroyuki <ueda@netforest.ad.jp>
Netforest Inc., JAPAN

Clifton Royston

2009-Mar-24 10:51 UTC

head link

DNS of FreeBSD.org been Attacked!?

On Tue, Mar 24, 2009 at 12:00:24PM +0000, freebsd-security-request@freebsd.org
wrote:> Date: Tue, 24 Mar 2009 14:56:10 +0800
> From: James Chang <james.technew@gmail.com>
> Subject: DNS of FreeBSD.org been Attacked!?
> To: freebsd-security@freebsd.org
> Message-ID:
> 	<a951c2910903232356y4faa9fd6nb3ebfd2215ca4d39@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Dear all,
> 
>       I found some strange DNS query result these days.
> 
> Show the strange result as following :<
> 
> C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org
168.95.1.1
> 
> Server:  dns.hinet.net
> Address:  168.95.1.1
> 
> Name:    ftp11.tw.freebsd.org.com.tw
> Address:  82.98.86.170
  Correct the configuration of your Windows machine (under Connection
Properties -> TCP/IP properties -> Advanced -> DNS -> "Append
these DNS
suffixes", so that ".com.tw" is not appended as your domain by
default.
Otherwise, things won't work well for you.

  This is in no way a FreeBSD issue.
  -- Clifton

-- 
    Clifton Royston  --  cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services

freebsd security - Mar 2009 - DNS of FreeBSD.org been Attacked!?

DNS of FreeBSD.org been Attacked!?

DNS of FreeBSD.org been Attacked!?

DNS of FreeBSD.org been Attacked!?