Security Basics mailing list archives

.com cache / domain hijacking?


From: "Vanish Pattni (DSL AK)" <VanishP () datacom co nz>
Date: Sun, 21 Sep 2003 14:50:34 +1200

Hi,

This might be just us, but today our cache entries for the .com domain
changed rather mysteriously from the usual Verisign ones to the following:

;; QUESTION SECTION:
;com.                           IN      NS

;; ANSWER SECTION:
com.                    21428   IN      NS      ns2.hi2000.com.
com.                    21428   IN      NS      ns1.hi2000.com.

;; ADDITIONAL SECTION:
ns2.hi2000.com.         21425   IN      A       61.175.199.134
ns1.hi2000.com.         21424   IN      A       61.175.199.133


The two ns1 and ns2 entries here are some machines in China -- unless
Verisign has moved their gTLDs recently. Has anyone come across this? Our
machine is a patched NT server running MS DNS server. Is there a new exploit
out that I have possibly missed?

I checked with other name servers around NZ and they seem all right --
perhaps this is platform dependent or something.

Vanish Pattni
Network and Security Analyst
Datacom Systems Limited 
New Zealand
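
An added example, not part of the original post: a check a resolver operator could run over dig-style output to flag NS records for com. that fall outside a known-good baseline, using the cache dump quoted above as input. The baseline set (a through m.gtld-servers.net), the function names and the CLEAN sample are assumptions made for this example.

```python
import string

# Assumption: operator-maintained baseline for the com. delegation (a-m.gtld-servers.net).
EXPECTED_COM_NS = {f"{c}.gtld-servers.net." for c in string.ascii_lowercase[:13]}

def parse_records(dig_text):
    """Yield (owner, ttl, rtype, rdata) from dig-style output, skipping comment lines."""
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()  # owner ttl class type rdata...
        if len(fields) >= 5 and fields[1].isdigit() and fields[2].upper() == "IN":
            yield (fields[0].lower(), int(fields[1]), fields[3].upper(),
                   " ".join(fields[4:]).lower())

def unexpected_ns(dig_text, zone="com.", expected=EXPECTED_COM_NS):
    """Return [(nameserver, [glue addresses])] for NS targets outside the baseline."""
    records = list(parse_records(dig_text))
    glue = {}
    for owner, _, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    bad = {rdata for owner, _, rtype, rdata in records
           if owner == zone and rtype == "NS" and rdata not in expected}
    return [(ns, sorted(glue.get(ns, []))) for ns in sorted(bad)]

# Cache dump as quoted in the post above.
POISONED = """\
;; QUESTION SECTION:
;com.                           IN      NS

;; ANSWER SECTION:
com.                    21428   IN      NS      ns2.hi2000.com.
com.                    21428   IN      NS      ns1.hi2000.com.

;; ADDITIONAL SECTION:
ns2.hi2000.com.         21425   IN      A       61.175.199.134
ns1.hi2000.com.         21424   IN      A       61.175.199.133
"""

# Constructed sample of a healthy answer (TTL value is made up).
CLEAN = """\
;; ANSWER SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
"""

if __name__ == "__main__":
    for ns, addrs in unexpected_ns(POISONED):
        print(f"ALERT unexpected com. NS {ns} glue={addrs}")
```

Run periodically against the resolver's cached answer for each TLD of interest, a non-empty result is a signal to flush the cache and review the server's cache-pollution protection settings.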
