[ale] AOL, DNS poisoning and spam

H. Adrin Story adrin at haswes.homelinux.org
Wed Apr 6 20:22:21 EDT 2005


Hey,

I got
; <<>> DiG 9.2.3 <<>> www.aol.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30657
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.aol.com.                   IN      A

;; ANSWER SECTION:
www.aol.com.            1808    IN      CNAME   www.gwww.aol.com.
www.gwww.aol.com.       47      IN      A       64.12.187.22

;; AUTHORITY SECTION:
gwww.aol.com.           234     IN      NS      mtc-gdns004.ns.aol.com.
gwww.aol.com.           234     IN      NS      dtc-gdns004.ns.aol.com.

;; Query time: 52 msec
;; SERVER: 205.152.144.23#53(205.152.144.23)
;; WHEN: Wed Apr  6 20:12:31 2005
;; MSG SIZE  rcvd: 123

I think the *.ru4.com is the popup and ads on the webpage.  www.aol.com 
looks okay to me, but then I wouldn't know if it was bad. Wait, AOL is 
bad, isn't it?


Michael H. Warfield wrote:
> On Wed, 2005-04-06 at 16:21 -0400, James P. Kinney III wrote:
> 
>>I just read the DNS poisoning notice from /.  I went to www.aol.com and
>>noticed the site was taking forever to load as the url bar at the bottom
>>of firefox kept saying waiting on http300.content.edge.ru4.com 
> 
> 
> 	Ok...  So what is your resolver pointing to?  There are a LOT of people
> trying to track this down and a lot of it appears to be compromised
> Windows based DNS servers.  The jury is still out if it's compromised
> Windows systems which have been taken over or if it's truly DNS cache
> poisoning.  Researchers are wanting to get at compromised DNS servers
> and analyze what has happened at them.
> 
> 
>>The whois on ru4.com looks like a spammer to me. (OK, so does AOL, but
>>that's a different thread).
> 
> 
> 	So...  Run the command "dig www.aol.com" and tell us what you get.
> Also, what is in your "/etc/resolve.conf" file?  I'll pass the
> information on to the security community.
> 
> 	Note too that some "pharming" attacks are targeting the mhosts files on
> Windows boxes and will have the same effect.
> 
> 	Mike
> 
> 
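Added example, not part of the original thread: one way to turn the "run dig and tell us what you get" request into a repeatable check is to parse the dig output from each resolver and compare the CNAME chain and final addresses. The function names are hypothetical, and the second resolver's output is constructed using documentation addresses (192.0.2.53, 203.0.113.7).

```python
import re

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)\s*$")

# Answer and server lines from the dig output in the message above.
FROM_POST = """;; ANSWER SECTION:
www.aol.com.            1808    IN      CNAME   www.gwww.aol.com.
www.gwww.aol.com.       47      IN      A       64.12.187.22
;; SERVER: 205.152.144.23#53(205.152.144.23)
"""
# CONSTRUCTED sample: a hypothetical second resolver that answers differently.
CONSTRUCTED = """;; ANSWER SECTION:
www.aol.com.            300     IN      A       203.0.113.7
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

def parse_dig(text):
    """Extract the resolver address and the ANSWER-section A/CNAME records."""
    server, answers, in_answer = None, [], False
    for line in text.splitlines():
        if line.startswith(";; "):
            in_answer = line == ";; ANSWER SECTION:"
            m = re.match(r";; SERVER: ([^#\s]+)#", line)
            server = m.group(1) if m else server
        elif in_answer and (m := RR.match(line)):
            answers.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return {"server": server, "answers": answers}

def resolve(parsed, qname):
    """Follow CNAMEs from qname; return (chain of names, sorted final A addresses)."""
    name, chain = qname.lower().rstrip(".") + ".", []
    while name not in chain:  # also stops on a CNAME loop
        chain.append(name)
        nxt = [r for n, t, r in parsed["answers"] if n == name and t == "CNAME"]
        if not nxt:
            break
        name = nxt[0]
    return chain, sorted(r for n, t, r in parsed["answers"] if n == chain[-1] and t == "A")

def compare(a, b, qname):
    """Per-resolver view of whatever differs; {} means the two answers agree."""
    (ca, aa), (cb, ab) = resolve(a, qname), resolve(b, qname)
    diff = {}
    if ca != cb:
        diff["chain"] = {a["server"]: ca, b["server"]: cb}
    if aa != ab:
        diff["addresses"] = {a["server"]: aa, b["server"]: ab}
    return diff
```

A difference is a lead to follow up, not proof of poisoning: names with short TTLs, like the 47-second A record above, are often load-balanced and can legitimately return different addresses from different resolvers.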