RE: [Dailydave] Scam artists, your web browser, and you
From: Dave Korn (dave.korn artimi.com)
Date: Wed May 10 2006 - 11:26:35 CDT
On 10 May 2006 15:50, Dave Aitel wrote:
> Today I tried to order some tickets from Miami-Heat-Tickets.com (also
> known as Platinumeventsinc.com).
As far as I can see, m-h-t.com doesn't sell tickets, it just has three links
to external websites. Which one were you using?
> (also known as Platinumeventsinc.com)
Where'd you get this from? WHOIS doesn't suggest any linkage that I can
see. Nor could I find any evidence of a connection between the two from the
DNS.
What I *did* discover/remember, OTOH, is that directnic are a bunch of
dns-wildcarding arseholes, and if you've entered "server ns1.directnic.com."
into an nslookup session, it will forge responses to all subsequent
requests... Example: here we go and look up the dns names of those two
websites.
--------------------------------<snip!>--------------------------------
dk@rainbow ~> nslookup
Default Server: nutmeg.cam.artimi.com
Address: 192.168.1.3
> set type=ANY
> miami-heat-tickets.com.
Server: nutmeg.cam.artimi.com
Address: 192.168.1.3
Non-authoritative answer:
miami-heat-tickets.com nameserver = ns1.pstring.com
miami-heat-tickets.com nameserver = ns2.pstring.com
> server ns1.pstring.com.
Default Server: ns1.pstring.com
Addresses: 24.173.253.175, 67.79.39.62
> miami-heat-tickets.com.
Server: ns1.pstring.com
Addresses: 24.173.253.175, 67.79.39.62
miami-heat-tickets.com MX preference = 0, mail exchanger =
miami-heat-tickets.com
miami-heat-tickets.com
primary name server = ns1.pstring.com
responsible mail addr = spamtravis.gmail.com
serial = 2005121901
refresh = 14400 (4 hours)
retry = 7200 (2 hours)
expire = 3600000 (41 days 16 hours)
default TTL = 86400 (1 day)
miami-heat-tickets.com nameserver = ns1.pstring.com
miami-heat-tickets.com nameserver = ns2.pstring.com
miami-heat-tickets.com internet address = 24.173.253.175
miami-heat-tickets.com internet address = 24.173.253.175
> platinumeventsinc.com.
Server: ns1.pstring.com
Addresses: 24.173.253.175, 67.79.39.62
Non-authoritative answer:
platinumeventsinc.com nameserver = ns1.directnic.com
platinumeventsinc.com nameserver = ns0.directnic.com
platinumeventsinc.com nameserver = ns0.directnic.com
platinumeventsinc.com nameserver = ns1.directnic.com
ns0.directnic.com internet address = 204.251.10.100
ns1.directnic.com internet address = 209.16.87.100
--------------------------------<snip!>--------------------------------
But what would have happened if we'd tried that in the opposite order?
--------------------------------<snip!>--------------------------------
> server 192.168.1.3
Default Server: [192.168.1.3]
Address: 192.168.1.3
> set type=ANY
> platinumeventsinc.com.
Server: [192.168.1.3]
Address: 192.168.1.3
Non-authoritative answer:
platinumeventsinc.com nameserver = ns0.directnic.com
platinumeventsinc.com nameserver = ns1.directnic.com
ns1.directnic.com internet address = 209.16.87.100
ns0.directnic.com internet address = 204.251.10.100
> server ns0.directnic.com.
Default Server: ns0.directnic.com
Address: 204.251.10.100
> platinumeventsinc.com.
Server: ns0.directnic.com
Address: 204.251.10.100
platinumeventsinc.com
primary name server = ns0.directnic.com
responsible mail addr = hostmaster.ns0.directnic.com
serial = 1016666435
refresh = 28800 (8 hours)
retry = 14400 (4 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
platinumeventsinc.com nameserver = ns0.directnic.com
platinumeventsinc.com nameserver = ns1.directnic.com
platinumeventsinc.com internet address = 206.251.184.40
platinumeventsinc.com MX preference = 10, mail exchanger =
iris1.directnic.com
platinumeventsinc.com MX preference = 10, mail exchanger =
iris2.directnic.com
iris1.directnic.com internet address = 204.251.10.81
iris2.directnic.com internet address = 204.251.10.82
ns0.directnic.com internet address = 204.251.10.100
ns1.directnic.com internet address = 209.16.87.100
> miami-heat-tickets.com.
Server: ns0.directnic.com
Address: 204.251.10.100
miami-heat-tickets.com MX preference = 0, mail exchanger =
iris1.directnic.com
miami-heat-tickets.com internet address = 204.251.15.175
miami-heat-tickets.com MX preference = 10, mail exchanger =
iris2.directnic.com
(root) nameserver = ns0.directnic.com
(root) nameserver = ns1.directnic.com
iris1.directnic.com internet address = 204.251.10.81
iris2.directnic.com internet address = 204.251.10.82
ns0.directnic.com internet address = 204.251.10.100
ns1.directnic.com internet address = 209.16.87.100
>
--------------------------------<snip!>--------------------------------
At least they don't claim to hold the SOA. That would actually be
fraudulent, as opposed to merely wrong/incorrect/dishonest. OTOH, you do
need to have memorized your default DNS server's IP address, because once
you've set your server to directnic, there's no way to set it back from a
named lookup. Note in this example how it poses as my own internal dns
server when I try to set it back to the default:
--------------------------------<snip!>--------------------------------
dk@rainbow ~> nslookup
Default Server: nutmeg.cam.artimi.com
Address: 192.168.1.3
> set type=ANY
> www.microsoft.com.
Server: nutmeg.cam.artimi.com
Address: 192.168.1.3
Non-authoritative answer:
www.microsoft.com canonical name = toggle.www.ms.akadns.net
> server ns0.directnic.com.
Default Server: ns0.directnic.com
Address: 204.251.10.100
> www.microsoft.com.
Server: ns0.directnic.com
Address: 204.251.10.100
www.microsoft.com MX preference = 0, mail exchanger =
iris1.directnic.com
www.microsoft.com internet address = 204.251.15.175
www.microsoft.com MX preference = 10, mail exchanger =
iris2.directnic.com
(root) nameserver = ns0.directnic.com
(root) nameserver = ns1.directnic.com
iris1.directnic.com internet address = 204.251.10.81
iris2.directnic.com internet address = 204.251.10.82
ns0.directnic.com internet address = 204.251.10.100
ns1.directnic.com internet address = 209.16.87.100
> www.directnic.sucks.donkeysbollocks.com.
Server: ns0.directnic.com
Address: 204.251.10.100
www.directnic.sucks.donkeysbollocks.com MX preference = 0, mail exchanger =
iris1.directnic.com
www.directnic.sucks.donkeysbollocks.com internet address = 204.251.15.175
www.directnic.sucks.donkeysbollocks.com MX preference = 10, mail exchanger =
iris2.directnic.com
(root) nameserver = ns0.directnic.com
(root) nameserver = ns1.directnic.com
iris1.directnic.com internet address = 204.251.10.81
iris2.directnic.com internet address = 204.251.10.82
ns0.directnic.com internet address = 204.251.10.100
ns1.directnic.com internet address = 209.16.87.100
> server nutmeg.cam.artimi.com.
Default Server: nutmeg.cam.artimi.com
Address: 204.251.15.175
> rainbow.cam.artimi.com.
Server: nutmeg.cam.artimi.com
Address: 204.251.15.175
--------------------------------<snip!>--------------------------------
...which then of course breaks your session because the web-parking host does
not run a name server.[*]
Needless to say, the host at 204.251.15.175:80 doesn't complain when you
send a GET request with a Host: header for a hostname that the machine has no
right to answer for, and delivers you up one of those bogus search/directory
sites. I couldn't find any simple way to inject script through the Host:
header....
cheers,
DaveK
[*] - Yes, I already *know* my sense of humour is not terribly mature! ;)
--
Can't think of a witty .sigline today....
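An added example, not DaveK's code and not anything directnic published: a small parser for DNS wire-format responses that flags the two tells visible in the transcripts above, an A answer for a nonsense name the server was never delegated, and NS records claiming the root zone (what nslookup prints as "(root) nameserver = ..."). The response bytes are constructed inline to mirror the transcript (and, for contrast, an honest REFUSED reply); function names are my own.

```python
import struct

def encode_name(name):
    if name == ".": return b"\x00"                                            # root zone
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; returns (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        l = msg[off]
        if (l & 0xC0) == 0xC0:                   # compression pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if l == 0:
            break
        labels.append(msg[off:off + l].decode()); off += l
    return ".".join(labels) or ".", end if end is not None else off

def parse_response(msg):
    """Return the AA flag and (name, type, value) for every answer/authority/additional record."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off, records = 12, []
    for _ in range(qd):
        _, off = read_name(msg, off); off += 4   # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == 1: val = ".".join(str(b) for b in msg[off:off + 4])      # A
        elif rtype in (2, 5): val = read_name(msg, off)[0]                  # NS / CNAME
        else: val = msg[off:off + rdlen].hex()
        records.append((name, rtype, val)); off += rdlen
    return {"aa": bool(flags & 0x0400), "records": records}

def wildcard_symptoms(msg, canary):
    """The tells seen in the transcript: an A answer for an undelegated canary name, and NS for the root."""
    p = parse_response(msg)
    return {"answers_any_name": any(n == canary and t == 1 for n, t, _ in p["records"]),
            "claims_root_ns": any(n == "." and t == 2 for n, t, _ in p["records"]),
            "authoritative_flag": p["aa"]}

CANARY = "www.directnic.sucks.donkeysbollocks.com"   # the nonsense name from the transcript

def constructed_response(canary=CANARY, forging=True):
    """Constructed sample bytes, not a live capture: a forging server (as ns0.directnic.com above) or an honest REFUSED."""
    q = encode_name(canary) + struct.pack("!HH", 1, 1)
    if not forging:
        return struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + q          # QR set, RCODE=5 (REFUSED)
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 2, 0)                   # QR + AA, 1 answer, 2 authority
    a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([204, 251, 15, 175])
    ns = b"".join(b"\x00" + struct.pack("!HHIH", 2, 1, 3600, len(encode_name(h))) + encode_name(h)
                  for h in ("ns0.directnic.com", "ns1.directnic.com"))
    return hdr + q + a + ns
```

Fed a real reply (e.g. from a UDP socket), the same checks tell you whether the server you just pointed nslookup at will answer for any name at all, before you trust anything else it says.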