Promosis? Who are these guys?
seen on a local linux mailing list -
> It looks like someone broke into VSNL's name server and did some harm to
> open source websites. I'm now using Airtel's (mantraonline) name server
> and am able to browse the sites mentioned above. Anyone have any idea
> what's happening??? While doing an nslookup against VSNL's name server
> I'm getting 66.151.179.147 for all those sites. The list includes
> gnomefiles.org, gnome-look.org, gforge.org, mantisbt.org

suresh@frodo 12:23:32 [~]$ whois 66.151.179.147
Internap Network Services PNAP-06-2001 (NET-66-150-0-0-1)
                                  66.150.0.0 - 66.151.255.255
Promosis Inc. PNAP-BSN-PROMO-RM-01 (NET-66-151-179-128-1)
                                  66.151.179.128 - 66.151.179.191

The promosis.com site, however, is an all-Flash site that says they've
developed promo campaigns for Bose, Oracle, art.com, Forbes etc. Looks
legit ..

Any idea? Something that works when the NS is changed couldn't be spyware
on the guy's PC, though he is a newbie to Linux and is surfing the net
using Firefox on a Windows PC.

--
Suresh Ramasubramanian (ops.lists@gmail.com)
* Suresh Ramasubramanian:
> Any idea?

SANS would call this a DNS cache poisoning attack. 8-)

It seems that ns*.dnsauthority.com uses the shortcut I mentioned earlier.

; <<>> DiG 9.2.4 <<>> @ns4.dnsauthority.com de ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31561
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;de.                            IN      NS

;; ANSWER SECTION:
de.                     14400   IN      NS      ns4.dnsauthority.com.
de.                     14400   IN      NS      ns5.dnsauthority.com.

;; Query time: 120 msec
;; SERVER: 66.151.179.138#53(ns4.dnsauthority.com)
;; WHEN: Wed Apr 20 11:08:47 2005
;; MSG SIZE  rcvd: 72

; <<>> DiG 9.2.4 <<>> @ns4.dnsauthority.com enyo.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4729
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;enyo.de.                       IN      A

;; ANSWER SECTION:
enyo.de.                14400   IN      A       66.151.179.147

;; AUTHORITY SECTION:
de.                     14400   IN      NS      ns4.dnsauthority.com.
de.                     14400   IN      NS      ns5.dnsauthority.com.

;; Query time: 115 msec
;; SERVER: 66.151.179.138#53(ns4.dnsauthority.com)
;; WHEN: Wed Apr 20 11:10:50 2005
;; MSG SIZE  rcvd: 93
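The records in the dig output above are exactly what a resolver's bailiwick check exists to discard: a server consulted for one zone hands back NS records for `de.` and an A record under it. The following is an added example (not code from the thread or from any of the participants) that filters such a response; the zone the resolver is assumed to have consulted the server for, `dnsauthority.com.`, is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str   # owner name as an FQDN with trailing dot, e.g. "enyo.de."
    rtype: str  # record type, "A" or "NS" here
    data: str   # rdata: an address for A, a host name for NS

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies underneath it (both FQDNs)."""
    name, zone = name.lower(), zone.lower()
    if zone == ".":  # the root zone: every name is in bailiwick
        return True
    return name == zone or name.endswith("." + zone)

def filter_response(records, consulted_zone):
    """Split a response into records a careful resolver may cache and records
    it must discard, given the zone it consulted the responding server for.
    The `aa` flag is deliberately ignored: any server can set it."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, consulted_zone) else dropped).append(rr)
    return kept, dropped

def naive_cache(records):
    """A resolver that trusts any `aa` answer caches everything it is sent."""
    return {(rr.name, rr.rtype) for rr in records}

def careful_cache(records, consulted_zone):
    """A resolver with bailiwick checks caches only in-bailiwick records."""
    kept, _ = filter_response(records, consulted_zone)
    return {(rr.name, rr.rtype) for rr in kept}

# Constructed from the second dig query above: ns4.dnsauthority.com answered
# `enyo.de A` with its own address and claimed to be NS for the whole of de.
RESPONSE = [
    RR("enyo.de.", "A", "66.151.179.147"),
    RR("de.", "NS", "ns4.dnsauthority.com."),
    RR("de.", "NS", "ns5.dnsauthority.com."),
]

if __name__ == "__main__":
    # Assumption: the resolver reached ns4.dnsauthority.com while resolving a
    # name under dnsauthority.com, so that is the only zone it may trust it for.
    zone = "dnsauthority.com."
    print("naive resolver caches  :", sorted(naive_cache(RESPONSE)))
    print("careful resolver caches:", sorted(careful_cache(RESPONSE, zone)))
```

The naive cache ends up holding `de. NS ns4.dnsauthority.com.`, so every later lookup under that TLD is sent to the same server and comes back as 66.151.179.147, which is the symptom seen through the VSNL resolver; the careful cache keeps nothing from this response.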
On Wed, 2005-04-20 at 12:38 +0530, Suresh Ramasubramanian wrote:
> seen on a local linux mailing list -
>
> > It looks like someone broke into VSNL's name server and did some harm to
> > open source websites. I'm now using Airtel's (mantraonline) name server
> > and am able to browse the sites mentioned above. Anyone have any idea
> > what's happening??? While doing an nslookup against VSNL's name server
> > I'm getting 66.151.179.147 for all those sites. The list includes
> > gnomefiles.org, gnome-look.org, gforge.org, mantisbt.org
>
> suresh@frodo 12:23:32 [~]$ whois 66.151.179.147
> Internap Network Services PNAP-06-2001 (NET-66-150-0-0-1)
>                                   66.150.0.0 - 66.151.255.255
> Promosis Inc. PNAP-BSN-PROMO-RM-01 (NET-66-151-179-128-1)
>                                   66.151.179.128 - 66.151.179.191
>
> The promosis.com site, however, is an all-Flash site that says they've
> developed promo campaigns for Bose, Oracle, art.com, Forbes etc. Looks
> legit ..
>
> Any idea? Something that works when the NS is changed couldn't be spyware
> on the guy's PC, though he is a newbie to Linux and is surfing the net
> using Firefox on a Windows PC.
I cleaned a few PCs that had a search toolbar installed on the browsers
(both IE and Firefox). In addition to offering prominent sex links, other
revenues seemed based upon guiding users into trying out a list of
anti-stuff that actually made things worse. One trick, among many nasty
tricks, was to heavily load the /windows/system/driver32/etc/hosts file to
disable sites that may offer a remedy and to also block their updates. The
search toolbar and the anti-stuff were provided by the same "accredited"
company (although using different names). Even registry settings made it
appear some software was loaded, but when the user attempted to uninstall
this bogus software, it fired up a link that took them back to the
anti-stuff site, using IE, which was not the default browser.

I see the same type of service offered here, but by different names.

-Doug