[ale] AOL, DNS poisoning and spam

Michael H. Warfield mhw at wittsend.com
Wed Apr 6 18:22:39 EDT 2005


On Wed, 2005-04-06 at 16:21 -0400, James P. Kinney III wrote:
> I just read the DNS poisoning notice from /.  I went to www.aol.com and
> noticed the site was taking forever to load as the url bar at the bottom
> of firefox kept saying waiting on http300.content.edge.ru4.com 

	Ok...  So what is your resolver pointing to?  There are a LOT of people
trying to track this down and a lot of it appears to be compromised
Windows based DNS servers.  The jury is still out if it's compromised
Windows systems which have been taken over or if it's truly DNS cache
poisoning.  Researchers are wanting to get at compromised DNS servers
and analyze what has happened at them.

> The whois on ru4.com looks like a spammer to me. (OK, so does AOL, but
> that's a different thread).

	So...  Run the command "dig www.aol.com" and tell us what you get.
Also, what is in your "/etc/resolve.conf" file?  I'll pass the
information on to the security community.

	Note too that some "pharming" attacks are targeting the hosts files on
Windows boxes and will have the same effect.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
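As an added example, not part of Mike's reply or the original thread, a small POSIX sh script that performs the two checks his reply suggests offline against constructed inputs: does the answer section for www.aol.com point at a domain outside the expected ones, and does the hosts file override the name? The ru4.com hostname comes from the quoted message; cdn.example.net and the 203.0.113.x addresses are constructed placeholders, not real records.

```shell
#!/bin/sh
# Added example, not from the original thread: offline checks for a resolver
# answer for www.aol.com that points at an unexpected domain, and for a
# hosts-file entry that overrides the name ("pharming"). Inputs are constructed.

# Constructed ANSWER SECTION in the form "dig www.aol.com" prints it.
# cdn.example.net and 203.0.113.x are placeholders, not real AOL records.
GOOD_ANSWER='www.aol.com.      300 IN CNAME cdn.example.net.
cdn.example.net.  20  IN A     203.0.113.10'

# Constructed answer redirecting the name to the host quoted in the thread.
SUSPECT_ANSWER='www.aol.com.  300 IN CNAME http300.content.edge.ru4.com.
http300.content.edge.ru4.com.  60 IN A 203.0.113.99'

# Constructed hosts file; the last line bypasses the resolver entirely.
SAMPLE_HOSTS='127.0.0.1     localhost
# comment line, ignored
203.0.113.99  www.aol.com aol.com'

# Print every CNAME target and A record in an answer section, one per line.
answer_targets() {
    printf '%s\n' "$1" | awk '$3 == "IN" && ($4 == "CNAME" || $4 == "A") { print $5 }'
}

# Return 0 if every CNAME target ends with one of the allowed suffixes
# (space separated, e.g. "aol.com. example.net."), 1 if any falls outside.
cname_targets_ok() {
    _bad=0
    for _t in $(printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "CNAME" { print $5 }'); do
        _ok=0
        for _s in $2; do
            case "$_t" in *"$_s") _ok=1 ;; esac
        done
        [ "$_ok" -eq 1 ] || { echo "unexpected CNAME target: $_t" >&2; _bad=1; }
    done
    return "$_bad"
}

# Print non-comment hosts lines mapping the given name; return 0 if any exist.
hosts_override() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print; found = 1 } }
        END { exit (found ? 0 : 1) }'
}

# Walk the samples the way one would walk real dig output and /etc/hosts.
answer_targets "$GOOD_ANSWER"
cname_targets_ok "$SUSPECT_ANSWER" "aol.com. example.net." || echo "resolver answer looks poisoned"
hosts_override "$SAMPLE_HOSTS" www.aol.com && echo "hosts file overrides www.aol.com"
```

To use it on a live box, feed the ANSWER SECTION of a real `dig` run into `cname_targets_ok` and the contents of `/etc/hosts` into `hosts_override`.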