Promosis? Who are these guys?

seen on a local linux mailing list -

It looks like someone broke into VSNL's name server and did some harm
to open source websites. I'm now using Airtel's (mantraonline) name
server and am able to browse the sites mentioned above. Anyone have
any idea what's happening??? While doing an nslookup against VSNL's
name server I'm getting 66.151.179.147 for all those sites. The list
includes:
gnomefiles.org
gnome-look.org
gforge.org
mantisbt.org

suresh@frodo 12:23:32 [~]$ whois 66.151.179.147
Internap Network Services PNAP-06-2001 (NET-66-150-0-0-1)
                                  66.150.0.0 - 66.151.255.255
Promosis Inc. PNAP-BSN-PROMO-RM-01 (NET-66-151-179-128-1)
                                  66.151.179.128 - 66.151.179.191

The promosis.com site, however, is an all-Flash site that says they've
developed promo campaigns for Bose, Oracle, art.com, Forbes etc.
Looks legit..

Any idea? Something that works when the NS is changed couldn't be spyware
on the guy's PC, though he is a newbie to Linux and is surfing the net
using Firefox on a Windows PC.

* Suresh Ramasubramanian:

Any idea?

SANS would call this a DNS cache poisoning attack. 8-) It seems that
ns*.dnsauthority.com uses the shortcut I mentioned earlier.

; <<>> DiG 9.2.4 <<>> @ns4.dnsauthority.com de ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31561
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;de. IN NS

;; ANSWER SECTION:
de. 14400 IN NS ns4.dnsauthority.com.
de. 14400 IN NS ns5.dnsauthority.com.

;; Query time: 120 msec
;; SERVER: 66.151.179.138#53(ns4.dnsauthority.com)
;; WHEN: Wed Apr 20 11:08:47 2005
;; MSG SIZE rcvd: 72

; <<>> DiG 9.2.4 <<>> @ns4.dnsauthority.com enyo.de
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4729
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;enyo.de. IN A

;; ANSWER SECTION:
enyo.de. 14400 IN A 66.151.179.147

;; AUTHORITY SECTION:
de. 14400 IN NS ns4.dnsauthority.com.
de. 14400 IN NS ns5.dnsauthority.com.

;; Query time: 115 msec
;; SERVER: 66.151.179.138#53(ns4.dnsauthority.com)
;; WHEN: Wed Apr 20 11:10:50 2005
;; MSG SIZE rcvd: 93
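
The two dig outputs above show ns4.dnsauthority.com answering authoritatively for the whole "de." TLD with NS records that point back at itself, and the first post shows the symptom on the resolver side: four unrelated .org names all resolving to 66.151.179.147. The script below is an added example written for this thread, not code from any poster or from the software involved. It implements the two defender-side checks the thread implies: a bailiwick filter that drops records a server had no business answering for (the standard fix for accepting out-of-zone NS records into a cache), and a collision check that flags an answer IP shared by several unrelated names. The "customer-zone.de" name and the response text are constructed for the example and are assumptions; the record lines mirror the dig output quoted above.

```python
"""Bailiwick filtering and same-IP collision check for DNS answers.

Added example for the thread above; not from any poster or product.
Assumptions: the resolver asked ns4.dnsauthority.com about a zone it
really was delegated ("customer-zone.de", a made-up name), and the
reply carried "de. NS ns4.dnsauthority.com." in its AUTHORITY section,
as in the dig output quoted in the thread.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Lower-case and make fully qualified (single trailing dot)."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone itself or a name below it."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


def parse_dig_rrs(text: str) -> list[RR]:
    """Pull resource records out of dig-style output, skipping ';' comment lines."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rrs.append(RR(parts[0], int(parts[1]), parts[3], " ".join(parts[4:])))
    return rrs


def filter_response(rrs: list[RR], delegated_zone: str) -> tuple[list[RR], list[RR]]:
    """Keep records inside the queried server's bailiwick; drop the rest.

    A resolver that caches the dropped records would start sending every
    query under "de." to the server that volunteered them.
    """
    kept, dropped = [], []
    for rr in rrs:
        (kept if in_bailiwick(rr.name, delegated_zone) else dropped).append(rr)
    return kept, dropped


def shared_answer_ips(answers: dict[str, str], min_names: int = 3) -> dict[str, list[str]]:
    """Flag answer IPs shared by at least min_names names from different registered domains.

    "Registered domain" is approximated as the last two labels (assumption:
    no public-suffix list is consulted here).
    """
    by_ip: dict[str, set[str]] = {}
    for name, ip in answers.items():
        by_ip.setdefault(ip, set()).add(normalize(name))
    flagged = {}
    for ip, names in by_ip.items():
        domains = {".".join(n.rstrip(".").split(".")[-2:]) for n in names}
        if len(domains) >= min_names:
            flagged[ip] = sorted(names)
    return flagged


# Constructed response, modelled on the enyo.de dig output in the thread.
POISONED_RESPONSE = """
;; ANSWER SECTION:
customer-zone.de. 14400 IN A 66.151.179.147

;; AUTHORITY SECTION:
de. 14400 IN NS ns4.dnsauthority.com.
de. 14400 IN NS ns5.dnsauthority.com.
"""

# Answers as the first post reports them from the VSNL resolver, plus one
# constructed unaffected name.
VSNL_ANSWERS = {
    "gnomefiles.org": "66.151.179.147",
    "gnome-look.org": "66.151.179.147",
    "gforge.org": "66.151.179.147",
    "mantisbt.org": "66.151.179.147",
    "example.net": "192.0.2.10",  # constructed
}


def demo() -> tuple[list[RR], list[RR], dict[str, list[str]]]:
    kept, dropped = filter_response(parse_dig_rrs(POISONED_RESPONSE), "customer-zone.de")
    return kept, dropped, shared_answer_ips(VSNL_ANSWERS)


if __name__ == "__main__":
    kept, dropped, flagged = demo()
    print("kept:", [(r.name, r.rtype) for r in kept])
    print("dropped (out of bailiwick):", [(r.name, r.rtype, r.rdata) for r in dropped])
    print("shared answer IPs:", flagged)
```

Run as-is: the A record for the delegated zone is kept, both "de. NS" records are dropped because "de." is not at or below "customer-zone.de.", and 66.151.179.147 is flagged as the answer for four unrelated .org names. The collision check is a heuristic only; a large CDN legitimately answers one IP for many unrelated names, so it is a prompt to compare against a second resolver, as the first poster did, rather than proof of poisoning.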

I cleaned a few PCs that had a search toolbar installed on the browsers
(both IE and Firefox). In addition to offering prominent sex links,
other revenues seemed based upon guiding users into trying out a list of
anti-stuff that actually made things worse. One trick, among many nasty
tricks, was to heavily load the /windows/system/driver32/etc/hosts file
to disable sites that may offer a remedy and to also block their
updates. The search toolbar and the anti-stuff were provided by the
same "accredited" company (although using different names). Even
registry settings made it appear some software was loaded, but when the
user attempted to uninstall this bogus software, it fired up a link that
took them back to the anti-stuff site, using IE, which was not the default
browser. I see the same type of service offered here, but by different
names.

-Doug