OSEC

From: Max Vision (visionWHITEHATS.COM)
Date: Wed Jan 24 2001 - 14:18:45 CST


    Hi,

    This has nothing to do with microsoft security.

    Those extra records you are seeing are "host records" that have been added
    to internic probably as dns servers. They are not "domain records".
    Your whois client is just dumping all search results to the screen and not
    differentiating between the two different record types. A typical whois
    query like this is a connection to rs.internic.net at TCP port 43.

    To better understand the difference between domain records and host
    records at internic, refer to the host record submission form:
    http://www.networksolutions.com/cgi-bin/makechanges/itts/host

    However, when you try to lookup a microsoft.com address, *that* database
    is not being used. Instead, the root-servers have a list of authoritative
    nameservers that can answer queries for microsoft.com - these are separate
    and untainted by the whois clutter that you saw. To see the authoritative
    nameservers try dig, like `dig microsoft.com. NS`

    *Those* are the servers that get queried when you are asking for something
    like www.microsoft.com. This query happens over UDP port 53.

    It is interesting that just now those servers don't happen to be resolving
    addresses at all, but this is due to downtime or an attack of some sort.
    You can verify this yourself by connecting to them directly and sending
    your query (when they are back up... `dig upickone www.microsoft.com`)

    As for why the host records show up in a whois query, it is because your
    whois client doesn't ask for them - if you send the proper queries, then
    you will get the proper answers.

    For example, a smart way to query microsoft.com (that a whois client
    should do) would be to connect to rs.internic.net at port 43 and send
    "DOMAIN microsoft.com" (without the quotes) this will return a text block
    indicating that the records for microsoft.com are maintained at
    whois.networksolutions.com. This is an appropriate response since the nic
    was broken up (baby nics?). The good client would then connect to
    whois.networksolutions.com at port 43 and send "DOMAIN microsoft.com"
    (just "microsoft.com" alone would work) then you get the *intended* lookup
    for the domain record. Clients such as fwhois that come with Redhat just
    send "microsoft.com" in the initial query without specifying (or giving
    you a chance to specify) that you just want a domain record and not a
    host record. So the deficient clients will get all of these host records
    back along with the one true domain record, and the user will have all of
    this spew on their screen possibly making them think there is a problem
    with microsoft.

    Try a `telnet rs.internic.net 43` and see what I mean. The first command
    you should send when you telnet there is "HELP".

      "Enter a string to search the database. By default, WHOIS performs a
       very broad search, looking in all record types for matches to your
       query in these fields: domain name, nameserver name, nameserver IP
       address, and registrar names. Use keywords to narrow the search (for
       example, 'domain root')."

    Try querying with "nameserver microsoft.com*" and you'll see a list of the
    "hacks" but no plain "microsoft.com" entry.

    The media didn't seem to understand the issues when they reported wildly
    inaccurate hype about this awhile back, and apparently this misconception
    is still widespread. It's not a microsoft hack, it's a user error in
    properly querying (or using the right tools to query) the whois databases.
    It is purely coincidental that there is a dns resolution problem with
    microsoft right now. The whois "trick" has been around for months.

    Max Vision
    http://whitehats.com/

    On Wed, 24 Jan 2001, IT2 Milly Rivera-Fisher wrote:

    > Good Morning...
    > This is my first posting. While many of you are probably not at work yet
    > (it's currently 1:24pm in Italy) I have been working with two other techs
    > trying to figure out why our customer can't access any microsoft sites.
    > Among other things, we searched one of the WHOIS DBs and, well....
    >
    > Whois Server Version 1.3
    > >
    > > Domain names in the .com, .net, and .org domains can now be registered
    > > with many different competing registrars. Go to http://www.internic.net
    > > for detailed information.
    > >
    > > MICROSOFT.COM.WILL.LIVE.FOREVER.BUT.LUNIX.SUCKS-BYBIRTH.ARTISTICCHEESE.COM
    > > MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
    > > MICROSOFT.COM.SE.FAIT.HAX0RIZER.PAR.TOUT.LE.ZOY.ORG
    > > MICROSOFT.COM.OWNED.BY.MAT.HACKSWARE.COM
    > > MICROSOFT.COM.N-AIME.BILL.QUE.QUAND.IL.N-EST.PAS.NU
    > > MICROSOFT.COM.MUST.STOP.TAKEDRUGS.ORG
    > > MICROSOFT.COM.IS.SOON.GOING.TO.THE.DEATHCORPORATION.COM
    > > MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
    > > MICROSOFT.COM.IS.NOTHING.BUT.A.MONSTER.ORG
    > > MICROSOFT.COM.IS.NO.MATCH.FOR.THE.UEBER-GEEKS.AT.JIMPHILLIPS.ORG
    > > MICROSOFT.COM.IS.GOD.BUT.LINUX.SUCKS-FOREVER.ARTISTICCHEESE.COM
    > > MICROSOFT.COM.IS.BORING.COMPARED.TO.TEENEXTREME.COM
    > > MICROSOFT.COM.IS.AT.THE.MERCY.OF.DETRIMENT.ORG
    > > MICROSOFT.COM.INSPIRES.COPYCAT.WANNABE.SUBVERSIVES.NET
    > > MICROSOFT.COM.HAS.NO.LINUXCLUE.COM
    > > MICROSOFT.COM.HACKED.BY.PSYKOJOKO.ON.A.ROOT-NETWORK.COM
    > > MICROSOFT.COM.HACKED.BY.HACKSWARE.COM
    > > MICROSOFT.COM.GUTS.NL
    > > MICROSOFT.COM.FAIT.VRAIMENT.DES.LOGICIELS.A.TROIS.FRANCS.DOUZE.ORG
    > > MICROSOFT.COM.ER.IKKE.NO.I.FORHOLD.TIL.LATHANS.NET
    > > MICROSOFT.COM.AINT.WORTH.SHIT.KLUGE.ORG
    > > MICROSOFT.COM
    > >
    > > To single out one record, look it up with "xxx", where xxx is one of the
    > > of the records displayed above. If the records are the same, look them up
    > > with "=xxx" to receive a full display for each record.
    >
    > I guess, nothing should surprise me these days. Which brings me to ...You
    > can never get enough "SECURITY" Training. I would hate to be amongst the
    > Security team at Microsoft.
    >
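A referral-following whois client of the kind Max describes, as an added example that is not part of the thread: it narrows the query with the DOMAIN keyword, follows the registry's referral to the registrar, and separates the one domain record from the host-record noise in a broad search reply. The sample replies are constructed, the "Whois Server:" referral line format is an assumption (the post only says the reply names whois.networksolutions.com), and the network functions contact real servers only when called.

```python
import re
import socket

INTERNIC = "rs.internic.net"  # first-hop registry server named in the post
WHOIS_PORT = 43

# Constructed sample replies (not real server output), shaped like the ones the post describes.
SAMPLE_BROAD = """Whois Server Version 1.3
MICROSOFT.COM.HACKED.BY.EXAMPLE.NET
MICROSOFT.COM.IS.NO.MATCH.FOR.EXAMPLE.ORG
MICROSOFT.COM
"""
SAMPLE_REFERRAL = "   Domain Name: MICROSOFT.COM\n   Whois Server: whois.networksolutions.com\n"

def whois_query(server, query, timeout=10.0):
    """Send one whois query (text + CRLF on TCP 43) and return the raw reply. Uses the network."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        return sock.makefile("rb").read().decode("latin-1", errors="replace")

def domain_query(domain):
    """Narrow the query with the DOMAIN keyword so host (nameserver) records are excluded."""
    return "DOMAIN " + domain.strip().rstrip(".")

def referral_server(reply):
    """Pull the registrar's whois host out of a registry referral; None if there is no referral."""
    m = re.search(r"(?im)^\s*whois server:\s*(\S+)\s*$", reply)
    return m.group(1).lower() if m else None

def split_records(reply, domain):
    """Separate a broad (keyword-less) search reply into the exact domain record and host-record noise."""
    want = domain.strip().rstrip(".").upper()
    domains, hosts = [], []
    for line in reply.splitlines():
        name = line.strip().upper()
        if name == want:
            domains.append(name)
        elif name.startswith(want + "."):
            hosts.append(name)
    return domains, hosts

def lookup_domain(domain):
    """Two-hop lookup the post recommends: registry referral first, then the registrar's record."""
    first = whois_query(INTERNIC, domain_query(domain))
    registrar = referral_server(first)
    return whois_query(registrar, domain_query(domain)) if registrar else first

if __name__ == "__main__":  # offline demo on the constructed samples only
    print(split_records(SAMPLE_BROAD, "microsoft.com"), referral_server(SAMPLE_REFERRAL))
```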