On 2012-10-27 at 03:36 +0000, Tim Huffman wrote:
> We are the primary DNS servers for the ben.edu domain. We seem to be
> having an issue with an AT&T server that is responding with incorrect
> A records for www.ben.edu and ben.edu.

Definitely looks like a cache-poisoning attack.

Further, compare and contrast:

  curl -vH "Host: www.ben.edu" http://208.91.197.132/

  ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
  curl -vH "Host: www.ben.edu" -H "User-Agent: $ua" http://208.91.197.132/

There's some JavaScript fetching images via fwdservice.com ... looks like
it might be Google click-fraud?

-Phil