DNS spam defined

If you ever did a whois on, say, google.com, microsoft.com or yahoo.com, you have most likely been exposed to some obscenity, and there is nothing the owners of the named domains can do about it.

That is to say, neither they nor their providers nor the DNS servers have been hacked or exploited in any way; responsible for this is a feature (turned into a flaw in this light) in whois clients that returns everything within the namespace of the queried domain name.

It did not take long for malicious or plainly disgruntled individuals to turn DNS spammers by creating a subdomain like google.com.my.spam.rant.whatever.text.example.com on their own example.com, in order to spam the whois output for google.com, for example.

As the whois query searches for any entries containing google.com, in this case the subdomain on example.com would be returned too; it is the expected behaviour of the program.

Inexplicably, the exploitation of this was unexpected; however funny MICROSOFT.COM.SMELLS.SIMPLECODES.COM might look to you, there could have been ways to prevent this from being displayed in the whois for microsoft.com.
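To make the mechanism concrete, here is an added example (not code from the original post) that simulates the substring search described above over a constructed set of whois entries, next to a stricter lookup that only returns entries belonging to the registered domain actually queried. The record list and the registered_domain helper are assumptions for illustration; the helper takes the last two labels, which is fine for .com-style names but would need a public suffix list for registries such as .co.uk.

```python
"""Whois substring matching versus exact registered-domain matching.
Added example, not code from the original post. RECORDS is constructed."""

# Constructed sample of entries a registrar whois database might hold.
RECORDS = [
    "GOOGLE.COM",
    "GOOGLE.COM.MY.SPAM.RANT.WHATEVER.TEXT.EXAMPLE.COM",  # nuisance host on example.com
    "MICROSOFT.COM",
    "MICROSOFT.COM.SMELLS.SIMPLECODES.COM",
    "EXAMPLE.COM",
]


def registered_domain(name: str) -> str:
    """Return the last two labels (e.g. EXAMPLE.COM), the domain a registrar
    actually registered. Assumption: two-label TLDs only; ccTLD second-level
    registries such as co.uk would need a public suffix list."""
    labels = name.strip(".").upper().split(".")
    return ".".join(labels[-2:])


def whois_substring_search(records, query):
    """The behaviour the post describes: every entry containing the query string."""
    q = query.upper()
    return [r for r in records if q in r.upper()]


def whois_exact_search(records, query):
    """Hardened lookup: only entries that are, or sit under, the registered
    domain being queried, so a host on example.com never shows up for google.com."""
    q = registered_domain(query)
    return [r for r in records if registered_domain(r) == q]


if __name__ == "__main__":
    for q in ("google.com", "microsoft.com"):
        print(q, "substring:", whois_substring_search(RECORDS, q))
        print(q, "exact:    ", whois_exact_search(RECORDS, q))
```

The substring search returns the nuisance host alongside the real entry; the exact search ignores it because the host's registered domain is EXAMPLE.COM, not GOOGLE.COM.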


Cisco convergence

Things are looking up for Cisco Systems, and for those lucky CSCO stock owners, nowadays, as Cisco is well under way towards strong penetration of the telco market; hell, they even WAP-enabled their website just now.

That is a strong 54% gain in the last 4 months, and even brighter forecasts, with the stock now almost unanimously rated as sector outperformer; the fact that they are set to buy back 7 billion worth of their own stock does not leave too much room for doubt either.

There is not a single reason behind this, but a major one is that as the line between ISP and telco providers blurs and the equipment needed becomes essentially the same, it is only normal that the big players in telecom like Nortel and Alcatel face greater competition from big network players like Cisco (if they seize the niche like they did) as the two markets eventually converge.

Now, market convergence is not a new notion; network convergence is clearly a lot newer, but leave it to Aaron Rakers, an analyst with A.G. Edwards & Sons Inc., to give it a dual meaning not even he suspected: “We believe shares of Cisco will continue to perform as … the company is well positioned to continue to benefit from overall network convergence.”

Now, don’t get confused just yet; people like him use fuzzy, buzzword-type talk, and it is funny, because in strict technical Cisco terms “network convergence” generally means that after a topology change in the network, once all the routers have seen and assimilated the change, the network is said to have converged.

The much-informed analyst most likely did not mean that Cisco’s stock will perform because their routers propagate and adapt to topology changes, hence causing the network to converge; while not a stock catalyst, that is clearly a condition that still has to be met … hehe.

Furthermore, “convergence” by itself is defined by Cisco as: “The consolidation of all communications – voice, data (Internet, ATM, Frame Relay, etc), and video (broadcast TV and video on demand) – onto a single network infrastructure. By placing all communications into digitized packets, convergence makes it easier to combine communications into new or more cost-effective applications, while helping telecommunications companies reduce capital and operational expenses.”

Now, this is the blurring I was talking about, so there is method to corporate madness after all.

To park or not to park

What would you say if, since you do not own a garage, your car dealer supplied by default a Mord truck next to your house for you to park your new car in, and told you this is your only alternative besides buying a garage from them?

Well, such a situation is in effect concerning Internet domains, and this is what happens when you buy a domain and do not have a DNS/hosting server.

But what if you are misled into not taking your car off the truck in the morning, instead letting the truck drive you and your car to work?

This is a new situation, where your active Internet domain is still parked on the same server and the traffic is transparently redirected to your server.

Well, concerning cars and garages you would probably laugh at such aberrations, and no car maker would even hope for such a plan to work just so they can proudly flaunt how many people drive Mord trucks, but for Internet domains it works, and I will go on detailing how GoDaddy does it.

You see, in the last months there was a big racket over how a couple of million sites suddenly switched to Windows servers.

Turns out that GoDaddy has moved all of its parked sites from Linux servers to Windows ones.

Well, it’s their right to get greedy and host your parked site on whatever system pays off best for them; it is legal too, and somewhere along the registration you agreed to it.

But when you activate your domain and start using it and they still leave it parked, just forwarding your traffic, not only is it misleading for you and poisonous for webserver surveys, but it is also damaging to the quality of the service and causes you problems, like it did to the person who pointed this out to me.

I am talking about the owner of galacticchaos.net, who was asking for alternatives to GoDaddy’s forced “truck” or expensive “garage” because they intentionally failed to inform him of any.

He, the owner of the domain and of the content that should be on it, has the IP 70.178.70.116, and the content is served by an Apache webserver.

However, galacticchaos.net points to the IP 64.202.189.170*, and the content is served by an IIS webserver.

In effect, the owner’s content appears to be hosted from an IIS*** webserver serving 2 million+ domains**; in effect, Go Daddy has misled customers into having their active domains parked and putting up with inferior quality of service and other negative implications.

* whois.sc reports 64.202.189.170 as the IP of the server for galacticchaos.net and PARK5.SECURESERVER.NET**** as the hostname of the DNS server for galacticchaos.net

** domaintools.com reports over 2 million domains being hosted on 64.202.189.170

*** netcraft.com reports IIS as the webserver on 64.202.189.170

**** SECURESERVER.NET and its subdomains are known to have shady implications, like http://aplawrence.com/Security/fake_blacklists.html
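The three observations above (the A record points somewhere other than the owner's box, the nameserver is a registrar parking host, and visitors see a different webserver than the one the owner runs) make a simple checklist for spotting a domain that is still parked. The following is an added example, not code from the post or from any of the tools it cites: the facts are embedded as constants taken from the post so it runs offline, and the list of parking nameserver suffixes and the "fixed" second case are assumptions; a real check would resolve the A and NS records and fetch the HTTP Server header itself.

```python
"""Flag an 'active' domain that is still parked/forwarded at the registrar.
Added example, not from the original post. The galacticchaos.net facts are the
ones the post reports; the parking suffix list and the repaired case are assumed."""

from dataclasses import dataclass
from typing import List


@dataclass
class DomainFacts:
    domain: str
    a_record: str        # where the name resolves
    nameserver: str      # authoritative nameserver reported by whois
    server_header: str   # HTTP Server: header seen when fetching the name
    owner_ip: str        # the owner's own server
    owner_server: str    # webserver software the owner actually runs


# Assumed: nameserver suffixes that identify a registrar parking setup
# (secureserver.net is the one the post's footnotes name).
PARKING_NS_SUFFIXES = (".secureserver.net",)


def check_parking(f: DomainFacts) -> List[str]:
    """Return findings explaining why the domain looks parked; empty means direct hosting."""
    findings = []
    if f.a_record != f.owner_ip:
        findings.append(f"A record {f.a_record} differs from owner server {f.owner_ip}")
    if f.nameserver.lower().endswith(PARKING_NS_SUFFIXES):
        findings.append(f"nameserver {f.nameserver} is a registrar parking host")
    if f.server_header.lower() != f.owner_server.lower():
        findings.append(f"visitors see '{f.server_header}' but the owner runs '{f.owner_server}'")
    return findings


def is_parked(f: DomainFacts) -> bool:
    return bool(check_parking(f))


# What the post reports for galacticchaos.net (values from the post).
PARKED = DomainFacts(
    domain="galacticchaos.net",
    a_record="64.202.189.170",
    nameserver="PARK5.SECURESERVER.NET",
    server_header="Microsoft-IIS",
    owner_ip="70.178.70.116",
    owner_server="Apache",
)

# Assumed: the same domain after the owner points it at his own DNS/web server.
FIXED = DomainFacts(
    domain="galacticchaos.net",
    a_record="70.178.70.116",
    nameserver="ns1.galacticchaos.net",
    server_header="Apache",
    owner_ip="70.178.70.116",
    owner_server="Apache",
)

if __name__ == "__main__":
    for facts in (PARKED, FIXED):
        print(facts.domain, "parked" if is_parked(facts) else "direct", check_parking(facts))
```

The Server header comparison is the one a webserver survey would get wrong, which is the "poisonous for webserver surveys" point: the survey counts the parking host's IIS, not the owner's Apache.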

PhpBB worms feeding frenzy

It looks like it is going to be a bleak year for phpBB security-wise; do not get me wrong, however, I am a big fan of the software and it is the bulletin board that I will always use.

With no less than 3 major security vulnerabilities in the last 3 months, and still hundreds of unpatched installations providing a rich meal for the growing number of phpBB worms, I was recently to discover that some of my phpBB installations were on the menu.

It was about one hour into 27 Feb when I took a quick glance at my server logmon screen on my way to bed, and I could not help being startled by the chr(32)%252Echr(113)… strings I saw in some recent HTTP requests as the error log printed some messages about writing to /tmp/. Now there is no doubt: I stop Apache, kill perl and the shell bot running under it, clear /tmp and start googling.

Introducing CAN-2004-1315 and the Santy/AWS worm variant by some Brazilian hackers who with it compromised my system and tried to make it just another zombie on their botnet, which the kind people at SANS promptly closed down after my report.

Now fast forward to today: I am all upgraded from phpBB 2.0.5 to 2.0.12, but that does not make me less curious when I see messages about failing to allocate memory, an issue I am aware of occurring when doing phpBB backups, but I am not doing any.

Introducing CAN-2005-0614: as I have not upgraded to phpBB 2.0.13 yet, now anyone can perform administrative tasks on my board.
Well, that by itself is not a security compromise for my machine, BUT, introducing http://www.securityfocus.com/bid/7932: so it seems that anyone having phpBB admin privileges can also run code (CAN-2004-1235) on my machine (and they did).

Evidently I am now all patched and upgraded to 2.0.13, one day short of my time for cleaning the box, and really concerned about the security future of phpBB, as at this time there is still no patch to stop a user with legitimate admin privileges from executing shell code on your system through admin_styles.php.

So until that is fixed, make sure you trust your phpBB admins.
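The chr(32)%252Echr(113)… strings on the logmon screen are the tell for the whole worm family: a normal browser sends a single round of percent-encoding in the viewtopic.php highlight parameter, never a double-encoded one, and a decoded search term never contains PHP calls. Below is an added example, not code from the original post, that scans Apache combined-format access log lines for that pattern so it can be caught before the error log starts talking about /tmp. The log lines are constructed (the request fragment is the one quoted above), and the regex list of suspicious tokens is an assumption you would extend to your own installation.

```python
"""Detect phpBB highlight-parameter injection attempts (the Santy-style worms the
post describes) in Apache access logs. Added example, not from the original post.
SAMPLE_LOG is constructed; the encoded fragment is the one the post quotes."""

import re
from urllib.parse import unquote

# Request line inside the quotes of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Assumed list: PHP constructs that never belong in a decoded search highlight.
SUSPICIOUS = re.compile(r"chr\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|\$\w+\s*=", re.I)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252E -> %2E -> '.'), stopping when stable."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def is_highlight_attack(logline: str) -> bool:
    """True when the request carries a double-encoded or code-bearing highlight value."""
    m = REQUEST_RE.search(logline)
    if not m:
        return False
    path = m.group("path")
    query = path.split("?", 1)[1] if "?" in path else ""
    for part in query.split("&"):
        if part.startswith("highlight="):
            raw = part[len("highlight="):]
            # Double encoding is itself a tell: a browser sends %27, not %2527.
            if "%25" in raw or SUSPICIOUS.search(fully_decode(raw)):
                return True
    return False


# Constructed log lines; the second carries the fragment seen on the logmon screen.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/2005:01:02:03 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=phpbb HTTP/1.1" 200 5123',
    '10.0.0.9 - - [27/Feb/2005:01:04:17 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=%2527%252Echr(32)%252Echr(113) HTTP/1.1" 200 5123',
    '10.0.0.7 - - [27/Feb/2005:01:05:00 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 2200',
]


def scan(lines):
    """Return only the log lines that look like highlight injection attempts."""
    return [line for line in lines if is_highlight_attack(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

The decoder runs a bounded number of rounds rather than looping until stable, so a request built to decode forever cannot stall the scanner; the double-encoding check fires even if the payload uses a construct that the SUSPICIOUS list does not know about.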

Introducing SPF, namely Sender Policy Framework

Since approximately Sept 2004 there is a new headache for mail server administrators, but it is not sure whether it has the same effect on spammers, as it was intended to, and its name is SPF.

It is part of a set of rules that work for the purpose of stopping spam, and it is claimed that in the future all the mail your server sends will be seen as spam if you do not implement SPF in your DNS records.

There is a new SPF version out that makes use of Microsoft’s proprietary Sender ID, which makes it unimplementable in any GNU software, but the classic SPF implementation does not and is widely implemented in many open-source infrastructures.

You can use the SPF wizard on http://spf.pobox.com/ to generate your SPF TXT record, then add that record to your existing DNS records, that is if you have the ability to add TXT records to your DNS server.

Once you do that, here is a tool to test your domain for SPF compliance: http://www.dnsstuff.com/pages/spf.htm
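To see what the TXT record from the wizard actually does once a receiving server evaluates it, here is an added example (not code from the post, the SPF project or dnsstuff) of a minimal classic-SPF checker: it walks the mechanisms of a v=spf1 record left to right and returns the result of the first one that matches the connecting IP. The DNS answers are a constructed in-memory table for example.com and an included policy so it runs offline; a real checker resolves TXT, A and MX records, enforces the lookup limit, and understands the macro and dual-CIDR syntax this one leaves out.

```python
"""Minimal classic SPF (v=spf1) evaluator. Added example, not the post's or the
SPF project's code. DNS is a constructed table; example.com data is made up."""

import ipaddress

# Constructed DNS data: a sending domain and a third-party policy it includes.
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx a ip4:192.0.2.0/24 include:_spf.example.net -all"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1"):
            return txt
    return None


def _hosts_match(ip, names):
    """True if the IP equals any A record of any of the given host names."""
    return any(ip == ipaddress.ip_address(a) for n in names for a in lookup(n, "A"))


def check_host(ip_str, domain, depth=0):
    """Evaluate the sending IP against the domain's policy.
    Returns pass/fail/softfail/neutral, or none when no record exists."""
    ip = ipaddress.ip_address(ip_str)
    record = spf_record(domain)
    if record is None or depth > 10:   # crude guard against include loops
        return "none"
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _hosts_match(ip, [arg or domain])
        elif mech == "mx":
            matched = _hosts_match(ip, lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_host(ip_str, arg, depth + 1) == "pass"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched, no explicit all


if __name__ == "__main__":
    for sender in ("198.51.100.25", "192.0.2.77", "203.0.113.5", "10.1.1.1"):
        print(sender, "->", check_host(sender, "example.com"))
```

Note the difference the final qualifier makes: mail from an unlisted IP gets "fail" from example.com's -all, while the included policy's ~all would only have produced "softfail", which most receivers treat as a hint rather than a rejection.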