Re: [Full-disclosure] I'm not the only one who can't resolve phishtank.com, but some can..
* Michael Ward:

> but others are working

The delegation of phishtank.com has been changed to a typosquatter around 2007-03-25 17:16:30 UTC (or perhaps earlier). The original delegation has been restored in the meantime, but the change was active long enough to appear in Verisign's zone file dumps.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] I'm not the only one who can't resolve phishtank.com, but some can..
; DiG 9.2.3 @dns1.menandmice.com phishtank.com A
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 60010
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;phishtank.com. IN A

;; ANSWER SECTION:
phishtank.com. 9071 IN A 127.0.0.1

;; AUTHORITY SECTION:
phishtank.com. 167471 IN NS dns2.parkpage.foundationapi.com.
phishtank.com. 167471 IN NS dns.parkpage.foundationapi.com.

;; Query time: 197 msec
;; SERVER: 217.151.171.7#53(dns1.menandmice.com)
;; WHEN: Sun Mar 25 18:29:25 2007
;; MSG SIZE rcvd: 107

but others are working

; DiG 9.3.2 @ns.kloth.net phishtank.com A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 51509
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;phishtank.com. IN A

;; ANSWER SECTION:
phishtank.com. 60 IN A 66.135.40.79

;; Query time: 64 msec
;; SERVER: 88.198.39.133#53(88.198.39.133)
;; WHEN: Sun Mar 25 20:30:29 2007
;; MSG SIZE rcvd: 47
Re: [Full-disclosure] I'm not the only one who can't resolve phishtank.com, but some can..
On 25-Mar-07, at 12:31 PM, Michael Ward wrote:

> ; DiG 9.2.3 @dns1.menandmice.com phishtank.com A
> ;; global options: printcmd
> ;; Got answer:
> ;; -HEADER- opcode: QUERY, status: NOERROR, id: 60010
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;phishtank.com. IN A
>
> ;; ANSWER SECTION:
> phishtank.com. 9071 IN A 127.0.0.1
>
> ;; AUTHORITY SECTION:
> phishtank.com. 167471 IN NS dns2.parkpage.foundationapi.com.
> phishtank.com. 167471 IN NS dns.parkpage.foundationapi.com.
>
> ;; Query time: 197 msec
> ;; SERVER: 217.151.171.7#53(dns1.menandmice.com)
> ;; WHEN: Sun Mar 25 18:29:25 2007
> ;; MSG SIZE rcvd: 107
>
> but others are working
>
> ; DiG 9.3.2 @ns.kloth.net phishtank.com A
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; -HEADER- opcode: QUERY, status: NOERROR, id: 51509
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;phishtank.com. IN A
>
> ;; ANSWER SECTION:
> phishtank.com. 60 IN A 66.135.40.79
>
> ;; Query time: 64 msec
> ;; SERVER: 88.198.39.133#53(88.198.39.133)
> ;; WHEN: Sun Mar 25 20:30:29 2007
> ;; MSG SIZE rcvd: 47

Shaw Cablesystems in Calgary

;; ANSWER SECTION:
phishtank.com. 14400 IN A 127.0.0.1

Interland server in Georgia

;; ANSWER SECTION:
phishtank.com. 60 IN A 66.135.40.79

;; AUTHORITY SECTION:
phishtank.com. 3434 IN NS auth1.opendns.com.
phishtank.com. 3434 IN NS auth2.opendns.com.
phishtank.com. 3434 IN NS auth3.opendns.com.

;; ADDITIONAL SECTION:
auth1.opendns.com. 172634 IN A 38.99.14.20
auth2.opendns.com. 172634 IN A 208.67.219.54
auth3.opendns.com. 172634 IN A 208.69.39.2
Re: [Full-disclosure] I'm not the only one who can't resolve phishtank.com, but some can..
Looks fine for me:

; DiG 9.3.4 phishtank.com
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 26391
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;phishtank.com. IN A

;; ANSWER SECTION:
phishtank.com. 42 IN A 66.135.40.79

;; Query time: 4 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Sun Mar 25 15:49:29 2007
;; MSG SIZE rcvd: 47

Do some of you happen to have a poisoned MS or Symantec DNS cache upstream of you? (See [1] fmi.)

tim

1. http://www.incidents.org/presentations/dnspoisoning.html
Re: [Full-disclosure] I'm not the only one who can't resolve phishtank.com, but some can..
I get a valid answer as well:

Tracing to phishtank.com[a] via 127.0.0.1, maximum of 3 retries
127.0.0.1 (127.0.0.1)
 |\___ auth3.opendns.com [phishtank.com] (208.69.39.2) Got authoritative answer
 |\___ auth2.opendns.com [phishtank.com] (208.67.219.54) Got authoritative answer
  \___ auth1.opendns.com [phishtank.com] (38.99.14.20) Got authoritative answer

auth1.opendns.com (38.99.14.20) phishtank.com - 66.135.40.79
auth2.opendns.com (208.67.219.54) phishtank.com - 66.135.40.79
auth3.opendns.com (208.69.39.2) phishtank.com - 66.135.40.79

What I'd do is throw it in your hosts file temporarily until DNS behaves.

On Sunday 25 March 2007 15:53, Tim wrote:

> Looks fine for me:
>
> ; DiG 9.3.4 phishtank.com
> ;; global options: printcmd
> ;; Got answer:
> ;; -HEADER- opcode: QUERY, status: NOERROR, id: 26391
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;phishtank.com. IN A
>
> ;; ANSWER SECTION:
> phishtank.com. 42 IN A 66.135.40.79
>
> ;; Query time: 4 msec
> ;; SERVER: 10.0.1.1#53(10.0.1.1)
> ;; WHEN: Sun Mar 25 15:49:29 2007
> ;; MSG SIZE rcvd: 47
>
> Do some of you happen to have a poisoned MS or Symantec DNS cache upstream of you? (See [1] fmi.)
>
> tim
>
> 1. http://www.incidents.org/presentations/dnspoisoning.html
Re: [Full-disclosure] I'm not the only one who can't resolve phishtank.com, but some can..
I'm on a Mac, so I'm pretty sure I don't have any DNS poisoning or evil malware. My hosts is intact:

caprica:~ mward$ cat /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost

On Mar 25, 2007, at 3:53 PM, Tim wrote:

> Looks fine for me:
>
> ; DiG 9.3.4 phishtank.com
> ;; global options: printcmd
> ;; Got answer:
> ;; -HEADER- opcode: QUERY, status: NOERROR, id: 26391
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;phishtank.com. IN A
>
> ;; ANSWER SECTION:
> phishtank.com. 42 IN A 66.135.40.79
>
> ;; Query time: 4 msec
> ;; SERVER: 10.0.1.1#53(10.0.1.1)
> ;; WHEN: Sun Mar 25 15:49:29 2007
> ;; MSG SIZE rcvd: 47
>
> Do some of you happen to have a poisoned MS or Symantec DNS cache upstream of you? (See [1] fmi.)
>
> tim
>
> 1. http://www.incidents.org/presentations/dnspoisoning.html
Re: [Full-disclosure] I'm not the only one who can't resolve phishtank.com, but some can..
> I'm on a Mac, so I'm pretty sure I don't have any DNS poisoning or evil malware. My hosts is intact:

Um, you might want to read the article. If your upstream DNS cache is poisoned, it doesn't matter what OS you're running.

Now, if you're running your own secure cache that goes directly to the roots, then you're right, you'd be immune to this specific attack.

tim
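
Added example, not part of the thread: a short Python check that takes the resource-record lines the posters pasted from dig and reports what the thread worked out by eye, namely that some resolvers return a loopback address, that the A record differs between resolvers, and that two different NS sets are cached. The resolver labels and the function names `parse` and `compare` are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Record lines copied from the dig output quoted in this thread, keyed by the
# resolver (or poster's network) that returned them. Labels are illustrative.
SAMPLES = {
    "dns1.menandmice.com": (
        "phishtank.com. 9071 IN A 127.0.0.1\n"
        "phishtank.com. 167471 IN NS dns2.parkpage.foundationapi.com.\n"
        "phishtank.com. 167471 IN NS dns.parkpage.foundationapi.com.\n"),
    "ns.kloth.net": "phishtank.com. 60 IN A 66.135.40.79\n",
    "shaw-calgary": "phishtank.com. 14400 IN A 127.0.0.1\n",
    "interland-georgia": (
        "phishtank.com. 60 IN A 66.135.40.79\n"
        "phishtank.com. 3434 IN NS auth1.opendns.com.\n"
        "phishtank.com. 3434 IN NS auth2.opendns.com.\n"
        "phishtank.com. 3434 IN NS auth3.opendns.com.\n"),
}

# owner, TTL, class IN, type A or NS, rdata; ';' comment lines never match.
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

def parse(text):
    """Collect the A and NS rdata from dig resource-record lines."""
    out = {"A": set(), "NS": set()}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            out[m.group(3)].add(m.group(4).rstrip(".").lower())
    return out

def compare(samples):
    """Report non-routable answers and disagreement between resolvers."""
    a_sets, ns_sets, findings = defaultdict(list), defaultdict(list), []
    for resolver, text in samples.items():
        rr = parse(text)
        a_sets[frozenset(rr["A"])].append(resolver)
        if rr["NS"]:  # only resolvers that returned an authority section
            ns_sets[frozenset(rr["NS"])].append(resolver)
        for addr in sorted(rr["A"]):
            if not ipaddress.ip_address(addr).is_global:
                findings.append(f"{resolver}: non-routable A record {addr}")
    if len(a_sets) > 1:
        findings.append(f"A record differs: {len(a_sets)} distinct answers")
    if len(ns_sets) > 1:
        findings.append(f"NS set differs: {len(ns_sets)} distinct delegations cached")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(SAMPLES)))
```

Differing A records alone do not tell a changed delegation from a poisoned cache; a differing NS set is the cue to check the delegation in the parent zone, which is where the first reply found the change.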