Discussion:
A cute trick seen in the wild...
James Vahn
2004-10-13 18:49:33 UTC
host tashman.net
tashman.net has address 63.206.230.106
tashman.net has address 192.168.1.2
Dig deeper and I think you'll find a very confused Windows system admin
rebuilding his domain server. :-)

He might enjoy a FAX, the number is listed: 1-626-291-2972
<chuckle>


--
James Vahn
2004-10-14 15:14:52 UTC
Oh, it's even better than that. ;-) He is being *forced* by his ISP,
PacBell, to rebuild his DNS box, as well as his domain server. I gather my
complaint to PacBell this morning may have lit off some considerable
interest on their part, as his entire domain disappeared from view earlier
today. <sigh>
Mmm, I watched him do that- he gave his nameserver a private 192.168.x.x
LAN address, which effectively removed him from the internet. It's fixed this
morning, but the rest is still bamboozled and back online. Kinda like things
I do here at home. <chuckle>

I think we're looking at incompetence more than intentional misdeeds, and
there's a bit of trash at the end of his DNS records (below) to support this
notion.

His nameserver (dual450x) is very slow. Interestingly ns1.tashman.net
contains DNS records and responds much faster but has been taken out of
the loop for some reason. As a matter of fact, it contains the records
that caused him to disappear.

Both machines are set up as nameservers and mailservers, yet he has their
DNS roles reversed as far as conventional nomenclature goes; look at the
names he uses for the MX and NS designations:

=====================
~$ host -a tashman.net dual450x.tashman.net
tashman.net A 63.206.230.106
tashman.net A 192.168.1.2
tashman.net >>>>> NS dual450x.tashman.net
tashman.net SOA dual450x.tashman.net admin (
780 ;serial (version)
900 ;refresh period (15 minutes)
600 ;retry interval (10 minutes)
86400 ;expire time (1 day)
3600 ;default ttl (1 hour)
)
tashman.net >>>>> MX 10 ns1.tashman.net
tashman.net 65281 # ( ; unknown type
00 00 00 00 00 00 00 02 00 00 03 84 00 00 00 02 ; ................
C0 A8 01 02 3F CE E6 6A ; ....?..j
)
!!! tashman.net 65281 record has zero ttl
=====================

I'm guessing that he has simply copied his bad nameserver files to another
machine, hoping that would fix it. From where I sit, the above error looks
like maybe he used a # instead of a ; for a configuration comment.

Dunno for sure, but I think he just blundered and is attempting to fix
things. But what is he fixing? How did he come to your attention?


--
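As an added example (mine, not code from the thread), here is a small Python decoder for the `host -a` output quoted above, re-typed without James's `>>>>>` markers and without the SOA. It shows two things. First, the `#` James suspects is a misplaced comment character is the RFC 3597 generic notation (`\#`) that `host` prints for a record type it cannot name, followed by the raw rdata in hex. Second, type 65281 (0xFF01) is the type number Microsoft DNS uses for its WINS record, whose rdata is four 32-bit fields (mapping flag, lookup timeout, cache timeout, server count) followed by one IPv4 address per WINS server; reading those 24 bytes as that structure is my interpretation, which the decoded values (cache timeout 900 seconds, two servers: 192.168.1.2 and 63.206.230.106) support. The audit flags every RFC 1918 address the public zone exposes, whether in an A record or inside that WINS server list.

```python
"""Decode the `host -a tashman.net` output quoted in the thread.

Added example, not part of the original thread. The record text is
re-typed from the post; the WINS reading of type 65281 is mine.
"""
import ipaddress
import struct

# Re-typed excerpt of the host(1) output James pasted (SOA omitted).
HOST_OUTPUT = """\
tashman.net A 63.206.230.106
tashman.net A 192.168.1.2
tashman.net NS dual450x.tashman.net
tashman.net MX 10 ns1.tashman.net
tashman.net 65281 # ( ; unknown type
00 00 00 00 00 00 00 02 00 00 03 84 00 00 00 02 ; ................
C0 A8 01 02 3F CE E6 6A ; ....?..j
)
"""

TYPE_WINS = 65281  # 0xFF01: the type number Microsoft DNS uses for WINS records


def parse_host_output(text):
    """Return a list of (owner, rtype, rdata) tuples.

    Known types keep their presentation rdata as a string.  A record that
    host prints in RFC 3597 generic form ("<type> # ( <hex> )") gets its
    rtype as an int and its rdata as raw bytes.  The '#' is host's marker
    for hex rdata, not a zone-file comment character.
    """
    records, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        parts = lines[i].split(None, 2)
        if len(parts) < 2:
            i += 1
            continue
        owner, rtype = parts[0], parts[1]
        if rtype.isdigit() and len(parts) > 2 and parts[2].startswith("#"):
            hexbytes = []
            i += 1
            while i < len(lines) and not lines[i].startswith(")"):
                data = lines[i].split(";", 1)[0]  # drop host's ASCII dump comment
                hexbytes.extend(data.split())
                i += 1
            records.append((owner, int(rtype), bytes.fromhex("".join(hexbytes))))
        else:
            records.append((owner, rtype, parts[2] if len(parts) > 2 else ""))
        i += 1
    return records


def decode_wins(rdata):
    """Decode Microsoft WINS rdata (assumed layout, network byte order):
    mapping flag, lookup timeout, cache timeout, server count (uint32 each),
    then one IPv4 address per server."""
    if len(rdata) < 16:
        raise ValueError("WINS rdata too short")
    flag, lookup, cache, count = struct.unpack(">IIII", rdata[:16])
    if len(rdata) != 16 + 4 * count:
        raise ValueError("WINS server count does not match rdata length")
    servers = [str(ipaddress.IPv4Address(rdata[16 + 4 * k:20 + 4 * k]))
               for k in range(count)]
    return {"mapping_flag": flag, "lookup_timeout": lookup,
            "cache_timeout": cache, "servers": servers}


def audit(text):
    """List every private (RFC 1918) address the public zone gives away."""
    findings = []
    for owner, rtype, rdata in parse_host_output(text):
        if rtype == "A" and ipaddress.ip_address(rdata).is_private:
            findings.append(f"{owner} A {rdata}: private address published in public DNS")
        elif rtype == TYPE_WINS:
            for srv in decode_wins(rdata)["servers"]:
                if ipaddress.ip_address(srv).is_private:
                    findings.append(f"{owner} WINS server {srv}: private address in WINS record")
    return findings


if __name__ == "__main__":
    for owner, rtype, rdata in parse_host_output(HOST_OUTPUT):
        print(owner, rtype, decode_wins(rdata) if rtype == TYPE_WINS else rdata)
    for line in audit(HOST_OUTPUT):
        print("!!", line)
```

The WINS record is a Windows DNS feature that is only meaningful to other Windows DNS servers, so its appearance in a zone served to the whole internet is itself a sign the zone was exported from a Windows domain controller without review; the private address inside it is the same 192.168.1.2 that appears in the A record.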
Dave Laird
2004-10-14 18:01:07 UTC
Good morning, James...
Post by James Vahn
Mmm, I watched him do that- he gave his nameserver a private 192.168.x.x
LAN address, which effectively removed him from the internet. It's fixed
this morning, but the rest is still bamboozled and back online. Kinda like
things I do here at home. <chuckle>
Me too. <huge grin> Sort of like the first time I tried to create a
caching name server for the kharma.net domain. ;-)
Post by James Vahn
I think we're looking at incompetence more than intentional misdeeds, and
there's a bit of trash at the end of his DNS records (below) to support
this notion.
It does look that way, doesn't it? <laughing> At first I thought it was
intentional, but upon further review, I think he's simply clueless. I
cannot come up with any other plausible reason why he would configure his
name servers that way.
Post by James Vahn
Both machines are set up as nameservers and mailservers, yet he has their
DNS roles reversed as far as conventional nomenclature goes; look at the
Hmph. I didn't catch that until just now. Now that is REALLY cute. They're
reversed, all right.
Post by James Vahn
I'm guessing that he has simply copied his bad nameserver files to another
machine, hoping that would fix it. From where I sit, the above error looks
like maybe he used a # instead of a ; for a configuration comment.
Dunno for sure, but I think he just blundered and is attempting to fix
things. But what is he fixing? How did he come to your attention?
He sent several SPAM messages which contained several header forgeries.
One was a really unique address : ***@aol.com. I nearly died laughing
over that one, but perhaps that is an inadvertent reflection upon his
technical ability, I don't know.

So when I started tracking his host name backwards, I found his DNS boxes
with the private IP addresses and then REALLY started looking a little
closer. He'd apparently been sending mail out through that box for quite
some time before he figured out what was wrong. <laughing> It certainly
would explain some of his earlier gaffes.

Dave
--
Dave Laird (***@kharma.net)
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 10/08/2004
Usenet News server: news.kharma.net

An automatic & random thought For the Minute:
If there is no wind, row.
-- Polish proverb
James Vahn
2004-10-14 22:39:13 UTC
Post by Dave Laird
Me too. <huge grin> Sort of like the first time I tried to create a
caching name server for the kharma.net domain. ;-)
Yeah! Like that. :-)
Post by Dave Laird
He sent several SPAM messages which contained several header forgeries.
over that one, but perhaps that is an inadvertent reflection upon his
technical ability, I don't know.
Distributed computing at its finest. :(
Big surge of connections from everywhere and then nothing. The spammers
are using viruses to form networks. Think of the coverage! Send just one
spam to your 1000 box network and instantly send millions of copies all
over the place. They don't even bother to check for good addresses anymore,
it's just SPEW using infected Windows computers.

Check this out:

~# grep -ie "discard$" /var/log/mail/mail.log.0 |wc -l
48947

~# grep "Sent" /var/log/mail/mail.log.0 |wc -l
223

Nearly 50 thousand connections broke before hardly any data completed
crossing the wire. :-)


--
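An added example (not James's or Dave's code) of the kind of tally the two `grep | wc -l` lines above give, run over a handful of constructed log lines in a simplified syslog-like layout rather than real sendmail output. Beyond the discard/Sent ratio it counts distinct sending hosts and how many discards each contributed, and flags minutes in which many distinct hosts connected at once. Many hosts with one or two hits each is the "surge from everywhere" pattern James describes, and it is what makes per-host blocking ineffective compared with rate limits, greylisting or DNSBL checks at SMTP time.

```python
"""Tally discards vs. deliveries and spot many-source bursts in a mail log.

Added example, not from the thread.  The log lines are constructed in a
simplified syslog-like layout; they are not real sendmail output.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: timestamp, host, process, queue id, relay, outcome.
SAMPLE_LOG = """\
Oct 14 09:12:01 mx sm-mta[4101]: i9EG1a04101: relay=[203.0.113.10], outcome=discard
Oct 14 09:12:02 mx sm-mta[4102]: i9EG1b04102: relay=[198.51.100.7], outcome=discard
Oct 14 09:12:02 mx sm-mta[4103]: i9EG1c04103: relay=[203.0.113.44], outcome=discard
Oct 14 09:12:03 mx sm-mta[4104]: i9EG1d04104: relay=[192.0.2.99], outcome=discard
Oct 14 09:12:05 mx sm-mta[4105]: i9EG1e04105: relay=[203.0.113.10], outcome=discard
Oct 14 09:12:07 mx sm-mta[4106]: i9EG1f04106: relay=[198.51.100.23], outcome=discard
Oct 14 09:12:09 mx sm-mta[4107]: i9EG1g04107: relay=[192.0.2.5], outcome=discard
Oct 14 09:13:40 mx sm-mta[4110]: i9EG2a04110: relay=[192.0.2.50], outcome=discard
Oct 14 09:13:41 mx sm-mta[4111]: i9EG2b04111: relay=[198.51.100.99], outcome=discard
Oct 14 09:15:12 mx sm-mta[4120]: i9EG3a04120: relay=[192.0.2.200], outcome=Sent
Oct 14 09:30:00 mx sm-mta[4131]: i9EG4a04131: relay=[192.0.2.200], outcome=Sent
Oct 14 10:02:44 mx sm-mta[4140]: i9EG5a04140: relay=[203.0.113.80], outcome=Sent
"""

LINE_RE = re.compile(
    r"^(?P<minute>\w{3} +\d{1,2} \d{2}:\d{2}):\d{2} \S+ \S+: "
    r"(?P<qid>\S+): relay=\[(?P<ip>[^\]]+)\], outcome=(?P<outcome>\S+)$"
)


def parse_log(text):
    """Yield a dict per line that matches LINE_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """The two grep|wc counts from the post, plus where the discards came from."""
    outcomes = Counter()
    hits_per_source = Counter()
    for rec in parse_log(text):
        outcomes[rec["outcome"]] += 1
        if rec["outcome"] == "discard":
            hits_per_source[rec["ip"]] += 1
    return {
        "discard": outcomes["discard"],
        "sent": outcomes["Sent"],
        "distinct_discard_sources": len(hits_per_source),
        "max_hits_per_source": max(hits_per_source.values(), default=0),
    }


def burst_minutes(text, min_sources=5):
    """Minutes in which at least `min_sources` distinct hosts were discarded.

    Many hosts each sending once is the botnet signature; one noisy relay
    sending hundreds of times is the case a per-host block actually fixes.
    """
    sources_per_minute = defaultdict(set)
    for rec in parse_log(text):
        if rec["outcome"] == "discard":
            sources_per_minute[rec["minute"]].add(rec["ip"])
    return sorted(m for m, ips in sources_per_minute.items() if len(ips) >= min_sources)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("burst minutes:", burst_minutes(SAMPLE_LOG))
```

On the sample, nine discards come from eight different hosts with at most two hits each, and six of them arrive within a single minute; on a real log the same two numbers (distinct sources, max hits per source) tell you at a glance whether you are looking at one broken relay or a distributed sender.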
Dave Laird
2004-10-15 03:27:41 UTC
Good evening, James...
Post by James Vahn
Distributed computing at its finest. :(
NOT!
Post by James Vahn
Big surge of connections from everywhere and then nothing. The spammers
are using viruses to form networks. Think of the coverage! Send just one
spam to your 1000 box network and instantly send millions of copies all
over the place. They don't even bother to check for good addresses
anymore, it's just SPEW using infected Windows computers.
This is more or less what another person and I have been talking about for
several weeks. They are setting up huge national and international
networks using viruses to infect Windows workstations and then
establishing a covert kind of infected network once the ad hoc "network"
is in place, right? If I don't miss my bet, I just recently saw an example
of this very kind of behavior in the wild.

PLUS, some say if the attackers are running a little bit short on infected
Windows machines, they apparently wheel out a little bit of slightly
unstable source code they've had for several months that deliberately
attacks Norton and Symantec Anti-virus for Windows, turn off the
anti-virus features and then they take them hostage, as well. One guy in
Seattle sent me a mini-script that showed where a Windoze box running
Norton for Networks even was *allowed* to update its virus signature file
and then turned back off before it detected the new-and-improved virus.

Talk about elitism!
Post by James Vahn
~# grep -ie "discard$" /var/log/mail/mail.log.0 |wc -l
48947
~# grep "Sent" /var/log/mail/mail.log.0 |wc -l
223
Nearly 50 thousand connections broke before hardly any data completed
crossing the wire. :-)
Oh dear. Might as well go buy a bigger pipe, as this could mean half my
DSL could potentially be used for broken connections. I think I'll take
out the latest Fedora, Mandrake and Debian and take another look at some
of its new features. <sigh> I understand the newest Snort has new tools
that purportedly are pretty tough on illicit connections.

Have you heard anything (good or bad) about it?

Dave
--
Dave Laird (***@kharma.net)
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 10/08/2004
Usenet News server: news.kharma.net

An automatic & random thought For the Minute:
No man is useless who has a friend, and if we are loved we are
indispensable.
-- Robert Louis Stevenson
Dave Laird
2004-10-15 12:27:55 UTC
Good morning, James...

It's a new day, and it turns out just the way you said it yesterday. Two
days in succession I literally was glued to this chair watching the little
gerbils attacking and hacking, and this morning, other than some clod from
houston.rr.com trying on the news server (what part of no_permission do
they understand?) it's as quiet as the proverbial lamb.
Post by James Vahn
Played with it for a while, the commercial version is available free for
non-commercial use. "Big Brother" but I've forgotten the site name (or am
I thinking of Spong?). Frankly I found Snort annoying- mostly alerts on
file changes made by my own hand. Plenty of easier victims to be had, so
my need for running Snort is/was almost nil. But a full-time connection
like yours certainly could use it. Snort is probably the best IDS there
is.
"apt-get install snort"
I got it apparently just before you wrote this (above). <grin> It took
less than an hour to give me a false alert. <grin>
Post by James Vahn
Install nessus too, while you're at it. Run it against your clients'
machines to test them, saving the reports in HTML for show and tell.
They will of course want it all fixed.
Jah sure. I fix it right up. <laughing>

Dave
--
Dave Laird (***@kharma.net)
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 10/08/2004
Usenet News server: news.kharma.net

An automatic & random thought For the Minute:
Of course it's the murder weapon. Who would frame someone with
a fake?
Dave Laird
2004-10-17 00:26:48 UTC
Evening, James...
Post by James Vahn
Debian uses "include" files. The default is a caching-only nameserver, it
helps prevent repeated lookups from your ISP and speeds things up a bit.
apt-get install bind9 bind9-doc
I don't have a "real" nameserver, but here's what I use to keep Sendmail
$TTL 86400
@ IN SOA f3.n346.z1 root. (
123456789 ; Serial
7200 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ; Default TTL
)
@ IN NS localhost.
f3.n346.z1.ftn. A 10.0.0.2
f5.n346.z1.ftn. MX 10 f3.n346.z1.ftn.
<....default stuff clipped.....>
zone "ftn" {
type master;
notify no;
allow-transfer { none; };
file "/etc/bind/db.ftn";
};
Hmmm...Where's your forwarders? How does it work without a forwarder to
send the queries to?
Post by James Vahn
f5.n346.z1.ftn. CNAME f3.n346.z1.ftn.
guess I'll have to read the directions. :-)
At least I'm not alone. That makes me feel much better. 8-)

Dave
--
Dave Laird (***@kharma.net)
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 10/08/2004
Usenet News server: news.kharma.net

An automatic & random thought For the Minute:
Mason's First Law of Synergism:
The one day you'd sell your soul for something, souls are a glut.
James Vahn
2004-10-17 04:44:15 UTC
Post by Dave Laird
Hmmm...Where's your forwarders? How does it work without a forwarder to
send the queries to?
It uses the root servers by default, but you should put your isp's
nameservers in "named.conf.options". It's faster and you don't need
to worry about maintaining a list of root server IP's.


--
James Vahn
2004-10-18 13:35:59 UTC
Post by Dave Laird
guess I'll have to read the directions. :-)
At least I'm not alone. That makes me feel much better. 8-)
I read 'em.. This isn't far from becoming suitable for kharma.net :

$TTL 86400
@ IN SOA ns0.n346.z1.ftn. root. (
1 ; Serial
7200 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ; Default TTL
);
TXT "Local FTN network"
NS ns0.n346.z1.ftn.
NS ns1.n346.z1.ftn.
ns0.n346.z1.ftn. A 10.0.0.2
ns1.n346.z1.ftn. A 10.0.0.2
mail.n346.z1.ftn. A 10.0.0.2
f3.n346.z1.ftn. A 10.0.0.2
p1.n346.z1.ftn. A 10.0.0.1
f3.n346.z1.ftn. MX 10 mail.n346.z1.ftn.
f5.n346.z1.ftn. MX 10 f3.n346.z1.ftn.
n346.z1.ftn. CNAME f3.n346.z1.ftn.
z1.ftn. CNAME f3.n346.z1.ftn.


--
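An added example, not James's or Dave's code: a small Python linter for the subset of master-file syntax used in this thread, run over both zone drafts re-typed from the posts. For the first draft I have assumed that the `f5.n346.z1.ftn. CNAME f3.n346.z1.ftn.` line Dave quoted a few lines after the zone text came from the same file; with that line the draft puts an MX and a CNAME on one owner name, which RFC 1034 forbids ("CNAME and other data") and BIND refuses to load, while the revised zone James posted last passes all three checks: no CNAME alongside other data, every in-zone NS and MX target has an A record, and no NS or MX target is a CNAME.

```python
"""Lint the two zone drafts from the thread for common master-file mistakes.

Added example, not part of the original thread.  The parser handles only
the syntax these drafts use ($TTL, @, ( ), ';' comments, owner inheritance).
"""

ORIGIN = "ftn."

# Re-typed: the first draft Dave quoted, plus the CNAME line from the same post
# (assumed here to belong to the same file).
DRAFT_ZONE = """\
$TTL 86400
@ IN SOA f3.n346.z1 root. (
        123456789 ; Serial
        7200 ; Refresh
        3600 ; Retry
        604800 ; Expire
        86400 ; Default TTL
)
@ IN NS localhost.
f3.n346.z1.ftn. A 10.0.0.2
f5.n346.z1.ftn. MX 10 f3.n346.z1.ftn.
f5.n346.z1.ftn. CNAME f3.n346.z1.ftn.
"""

# Re-typed: the revised zone James posted last.
FINAL_ZONE = """\
$TTL 86400
@ IN SOA ns0.n346.z1.ftn. root. (
        1 ; Serial
        7200 ; Refresh
        3600 ; Retry
        604800 ; Expire
        86400 ; Default TTL
);
        TXT "Local FTN network"
        NS ns0.n346.z1.ftn.
        NS ns1.n346.z1.ftn.
ns0.n346.z1.ftn. A 10.0.0.2
ns1.n346.z1.ftn. A 10.0.0.2
mail.n346.z1.ftn. A 10.0.0.2
f3.n346.z1.ftn. A 10.0.0.2
p1.n346.z1.ftn. A 10.0.0.1
f3.n346.z1.ftn. MX 10 mail.n346.z1.ftn.
f5.n346.z1.ftn. MX 10 f3.n346.z1.ftn.
n346.z1.ftn. CNAME f3.n346.z1.ftn.
z1.ftn. CNAME f3.n346.z1.ftn.
"""

TYPES = {"SOA", "NS", "A", "MX", "CNAME", "TXT"}


def fqdn(name, origin=ORIGIN):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return a list of (owner, type, rdata-tokens); $TTL and the IN class are dropped."""
    records, owner, buf = [], origin, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue  # still inside a ( ... ) continuation
        buf = []
        toks = [t for t in joined.replace("(", " ").replace(")", " ").split() if t != "IN"]
        if toks[0] not in TYPES:  # explicit owner; otherwise inherit the previous one
            owner = fqdn(toks.pop(0), origin)
        records.append((owner, toks[0], toks[1:]))
    return records


def lint_zone(text, origin=ORIGIN):
    """Report CNAME conflicts and NS/MX targets that are missing or are CNAMEs."""
    recs = parse_zone(text, origin)
    by_owner = {}
    for owner, rtype, _ in recs:
        by_owner.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, types in by_owner.items():  # RFC 1034 3.6.2: CNAME stands alone
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})}")
    in_zone = lambda n: n == origin or n.endswith("." + origin)
    for owner, rtype, rdata in recs:
        if rtype not in ("NS", "MX"):
            continue
        target = fqdn(rdata[-1], origin)
        if not in_zone(target):
            continue  # out-of-zone targets are the resolver's problem, not the file's
        ttypes = by_owner.get(target, set())
        if "CNAME" in ttypes:
            problems.append(f"{owner} {rtype} -> {target}: target is a CNAME (RFC 2181 10.3)")
        elif "A" not in ttypes:
            problems.append(f"{owner} {rtype} -> {target}: no A record in this zone")
    return problems


if __name__ == "__main__":
    for label, zone in (("draft", DRAFT_ZONE), ("final", FINAL_ZONE)):
        print(label, lint_zone(zone) or "clean")
```

Run as a script it prints one finding for the draft (the MX/CNAME clash at f5.n346.z1.ftn.) and "clean" for the revised zone; the same three checks are what `named-checkzone` would complain about first, so this is a reasonable pre-flight before reloading a server.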