Hey,

Well, I suppose that would get rid of some of the script kiddies' bots off of their network...

http://www.dslreports.com/forum/remark,12922412
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

Though... I cannot think of another means to achieve their goal. However, I wonder how they generated what records to point to their servers. Is it simply anything with irc.*?

I suppose it would stop the script kiddies if they didn't use their own unique DNS and specified a different port in the config before compiling. Typically zombies are set to listen to the topic commands in order to either continue a DDoS attack or, like, scan for other hosts to infect. This would prevent the bots from getting a valid command to start scanning or DDoS, or in this case .remove would remove the bot from their customers' computers (unless the default command character was changed), so I suppose it gets what they want: DDoSes not originating in their network, XDCC bots not being created from zombies, etc. etc. (zombie bots can also be set to listen for PayPal information and credit card information, etc.)... but at the same time causing problems for their customers who legitimately use IRC. If weighed, I believe their problems with DDoS bots are weighted more heavily than the few who legitimately use IRC. I suppose they can always use something like psyBNC to connect to IRC.

I agree with their goal but not really the means they are using to reach their goal. If they are going to manipulate DNS to do this... how far will they go with other problems?

Raymond Corbin
Support Analyst
HostMySite.com

(sorry if this posted twice... outlook froze on me :( )

-----Original Message-----
From: owner-nanog@merit.edu on behalf of Andrew Matthews
Sent: Sun 7/22/2007 5:56 PM
To: nanog@merit.edu
Subject: DNS Hijacking by Cox

It looks like cox is hijacking dns for irc servers.

bash2-2.05b$ nslookup
server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
irc.vel.net
Server:  68.6.16.30
Address: 68.6.16.30#53

Name:    irc.vel.net
Address: 70.168.71.144

server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
irc.vel.net
Server:  ns1.vel.net
Address: 207.182.224.10#53

Name:    irc.vel.net
Address: 64.161.255.2

It looks like they are using it to clean drones; when you connect to their fake irc server you get force-joined into a channel.

#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove

Isn't there a law against hijacking dns? What can I do to pursue this?
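The check Andrew did by hand with nslookup, written up as an added example (not code from either poster): it parses nslookup's answer blocks and flags names whose A records from the ISP's recursive resolver differ from what the zone's own authoritative server returns. The two transcripts are the ones quoted in the thread; the function and variable names are my own.

```python
import re

# nslookup transcripts quoted in Andrew's message above: the same name asked of
# the ISP's recursive resolver and of the zone's own authoritative server.
RESOLVER_OUTPUT = """\
Server:  68.6.16.30
Address: 68.6.16.30#53
Name:    irc.vel.net
Address: 70.168.71.144
"""
AUTHORITATIVE_OUTPUT = """\
Server:  ns1.vel.net
Address: 207.182.224.10#53
Name:    irc.vel.net
Address: 64.161.255.2
"""

def parse_nslookup(text):
    """Return (server_queried, {name: set(addresses)}) from nslookup output.
    The Address right after Server is the resolver itself; Addresses after Name are answers."""
    server, answers, current = None, {}, None
    for line in text.splitlines():
        m = re.match(r"^(Server|Name|Address):\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Server":
            server, current = value, None
        elif key == "Name":
            current = value.rstrip(".").lower()
            answers.setdefault(current, set())
        elif current is not None:
            answers[current].add(value.split("#")[0])  # drop nslookup's "#53" port suffix
    return server, answers

def find_divergent(resolver_text, authoritative_text):
    """Names whose A records from the resolver differ from the authoritative answer."""
    r_server, r_ans = parse_nslookup(resolver_text)
    a_server, a_ans = parse_nslookup(authoritative_text)
    divergent = {}
    for name, auth_addrs in a_ans.items():
        res_addrs = r_ans.get(name, set())
        if res_addrs != auth_addrs:
            divergent[name] = {"resolver": (r_server, sorted(res_addrs)),
                               "authoritative": (a_server, sorted(auth_addrs))}
    return divergent

if __name__ == "__main__":
    for name, d in find_divergent(RESOLVER_OUTPUT, AUTHORITATIVE_OUTPUT).items():
        print(f"{name}: resolver {d['resolver']} vs authoritative {d['authoritative']}")
```

A mismatch is an indicator to follow up on rather than proof of tampering, since round-robin, geo-DNS and split-horizon zones also make a recursive resolver's answer differ from a single authoritative query.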