www.sco.com no longer has an DNS A record

Sean_Donelan · February 1, 2004, 7:10am

Asia (remember the international date line) started on MyDoom already,
although some reports said the worm used 1609 GMT to start its attack.

SCO appears to have deleted the A record for www.sco.com from their DNS
about 1 hour ago. I don't know how often MyDoom does the DNS lookup, so
it may not stop things.

As far as I can tell, no third-party ISP is blocking traffic to SCO.
Traceroutes by IP address continue to nearly their last upstream hop.
SCO's immediate upstream providers are probably helping.

Adam_Starblazer_Romb · February 1, 2004, 7:36am

SCO appears to have deleted the A record for www.sco.com from their DNS
about 1 hour ago. I don't know how often MyDoom does the DNS lookup, so
it may not stop things.

As of 1:33AM CST, www.sco.com is still resolving... however their A record
has a TTL of 60 seconds. I even queried ns.calderasystems.com directly
and it still answers for www.sco.com and sco.com

Thanks

-a-

Sean_Donelan · February 1, 2004, 7:55am

Looks like SCO has added the records back. I queried
ns.calderasystems.com directly. Here is what it looked like earlier:

$ORIGIN sco.com.
;www 5931 IN SOA ns.calderasystems.com.
hostmaster.caldera.com. (
; 2004013103 3600 900 604800 21600 );sco.com.;NXDOMAIN
;-$
;Cr=auth [216.250.130.1]

W.D_McKinney · February 1, 2004, 8:40am

Odd ....it does not resolve for me. http://www.sco.com

Dee

Christopher_L_Morrow · February 1, 2004, 8:34am

Not being involved I'd guess SCO is adding/removing the record as the
attack waxes and wanes? Trying to keep the number of attackers bouncing
around some?

Raymond_Dijkxhoorn · February 1, 2004, 10:39am

Hi!

> Looks like SCO has added the records back. I queried
> ns.calderasystems.com directly. Here is what it looked like earlier:
>
> $ORIGIN sco.com.
> ;www 5931 IN SOA ns.calderasystems.com.
> hostmaster.caldera.com. (
> ; 2004013103 3600 900 604800 21600 );sco.com.;NXDOMAIN
> ;-$
> ;Cr=auth [216.250.130.1]

Odd ....it does not resolve for me. http://www.sco.com

Perhaps they put netblocks in and out allowed to do lookups once they see
heavy traffic towards www.sco from specific blocks ?

Bye,
Raymond.

Stephen_J_Wilcox1 · February 1, 2004, 10:50am

> Odd ....it does not resolve for me. http://www.sco.com

Not being involved I'd guess SCO is adding/removing the record as the
attack waxes and wanes? Trying to keep the number of attackers bouncing
around some?

So, SCO has accused ISPs of dropping its traffic and has not made any effort to
work with the community on this. Seems they want to take care of this all by
themselves and have no interest in whatever assistance may have been available
from the community.

With that in mind, I'm wondering why folks are bothering to care?!

Steve