Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 21 Nov 2007 09:56:49 -0600

--On Wednesday, November 21, 2007 21:45:35 +1100 XSS Worm XSS Security 
Information Portal <cross-site-scripting-security () xssworm com> wrote:

In the case of Yahoo, security firm Finjan said hackers exploited an
unused IP address within Yahoo's hierarchy and used that as the domain
address behind a forged Google Analytics domain name. This fooled the
Finjan Web-filtering product into believing a person was going to a
highly trusted Yahoo domain. The victims, customers of Finjan, never knew
they were on a malicious Web site, and neither did the security
mechanisms on the network. (In this case, Finjan's Web-filtering

"They managed to resolve the domain name to an IP address owned by Yahoo.
How they added an address into a DNS server to appear to be an IP address
owned by Yahoo is unknown ," Yuval Ben-Itzhak, CTO of Finjan, told
InternetNews.com. He added that Yahoo, while responsive and quick to shut
down the compromised address, did not disclose exactly what equipment was
behind the compromised IP address.

If Yahoo was able to fix the problem quickly, then it would appear that 
Yahoo had a compromised domain server or servers.

Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]