
Hi-Jacking NS records


10 replies to this topic

#1 xGERMx (SUPR3M3 31337 Mack Daddy P1MP; Members; 459 posts)
Posted 14 November 2006 - 12:48 PM

Okay, today at work I met a new client who wants us to make her website a little more user friendly. I think to myself, okay, nothing unusual here, typical work. The first thing I wanted to do was back up her existing files, so I attempted to FTP into her site, and that's when the fun started.
<Some Background Info: she does not host her own site>
The first thing I did was open a browser to ftp.foobar.com just to check things out, but instead of actually going to "ftp://ftp.foobar.com" dumbass IE went to "http://ftp.foobar.com".
Lo and behold, it was a completely different site. In fact, it was http://www.libertybooks.com/
So my question here is simply WTF? :cuss:
I then logged into the actual ftp "ftp://ftp.foobar.com" to check for unusual files, but I found nothing; only the client's legit files were in there.
After doing some lookups with www.dnsstuff.com and www.dnsreports.com I came to find that they both have a DNS A record at 64.226.28.33 and I'm thinking this might be where the problem exists.
Does anyone have any idea how this could've happened or what to do next?

My Web-foo is weak and I thank you in advance. ^_^

#2 nwbell (SUPR3M3 31337 Mack Daddy P1MP; Members; 339 posts; Location: 320-land)
Posted 14 November 2006 - 02:10 PM

Perhaps the host is doing virtual hosting with Apache or something similar, and only told Apache about www.foobar.com in her list of aliases. This is quite common, AFAIK - seems especially so among smaller hosts.

The only uncommon part here is that they would appear to have put a customer as the first host on that IP, instead of a test page or something. When Apache gets a request for a DNS name which doesn't specifically appear in the list of vhost aliases, it just returns the first host in the list that is bound to that IP.

I haven't really looked at it yet, but that would be my guess.
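The selection rule nwbell describes, as an added example that is not part of the thread and not Apache's own code: a small model of how Apache name-based virtual hosting picks a block for a given Host header, run over the configuration order the thread suggests and over a corrected order. All hostnames, document roots and the shared address are constructed for illustration.

```python
"""Added example (not from the thread): how Apache name-based virtual
hosting picks a site, and why an unlisted name lands on someone else's.

For a request arriving on a given IP:port, Apache walks the <VirtualHost>
blocks bound to that address in configuration order and serves the first
whose ServerName or ServerAlias matches the Host header (ServerAlias may
contain * and ? wildcards). If none matches, it serves the *first* block
defined for that address, whatever that happens to be. The hostnames,
document roots and address below are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class VHost:
    server_name: str
    aliases: list = field(default_factory=list)
    docroot: str = "/var/www/empty"

    def matches(self, host):
        """ServerName is compared literally; ServerAlias allows wildcards."""
        host = host.lower()
        if host == self.server_name.lower():
            return True
        return any(fnmatchcase(host, a.lower()) for a in self.aliases)


def select_vhost(vhosts, host_header):
    """Return the VHost Apache serves for this Host header; vhosts is the
    list of blocks bound to one address, in configuration order."""
    if not vhosts:
        raise ValueError("no virtual hosts bound to this address")
    host = host_header.split(":", 1)[0]        # ignore an explicit port
    for vh in vhosts:
        if vh.matches(host):
            return vh
    return vhosts[0]                           # default: first block listed


def render_config(vhosts, address="*:80"):
    """Emit the equivalent httpd.conf fragment so the ordering is visible."""
    out = []
    for vh in vhosts:
        out.append(f"<VirtualHost {address}>")
        out.append(f"    ServerName {vh.server_name}")
        if vh.aliases:
            out.append("    ServerAlias " + " ".join(vh.aliases))
        out.append(f"    DocumentRoot {vh.docroot}")
        out.append("</VirtualHost>")
    return "\n".join(out)


# The situation nwbell describes: a paying customer is the first block on
# the shared address, and the client's block only knows its www name.
AS_FOUND = [
    VHost("www.libertybooks.example", docroot="/var/www/libertybooks"),
    VHost("www.foobar.example", docroot="/var/www/foobar"),
]

# The fix: a deliberate placeholder block listed first (no ServerAlias
# needed; being first is what makes it the default), and every name the
# client actually owns listed as an alias of her block.
HARDENED = [
    VHost("default.invalid", docroot="/var/www/placeholder"),
    VHost("www.libertybooks.example", docroot="/var/www/libertybooks"),
    VHost("www.foobar.example",
          aliases=["foobar.example", "*.foobar.example"],
          docroot="/var/www/foobar"),
]


def served_by(vhosts, names):
    """Map each requested name to the ServerName of the block that answers."""
    return {n: select_vhost(vhosts, n).server_name for n in names}


if __name__ == "__main__":
    names = ["ftp.foobar.example", "www.foobar.example", "mail.foobar.example"]
    print(render_config(AS_FOUND))
    print(served_by(AS_FOUND, names))
    print(render_config(HARDENED))
    print(served_by(HARDENED, names))
```

Two things the model makes visible: the placeholder block must not carry `ServerAlias *`, because a wildcard alias on the first block would match every Host header and swallow the real sites, and the check against a live shared host is simply a request to the IP with a chosen Host header (for example `curl -H 'Host: ftp.foobar.com' http://<ip>/`), which shows which block answers for a name the host was never told about.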

#3 anubis26 (SUPR3M3 31337 Mack Daddy P1MP; Members; 378 posts; Location: Chicago)
Posted 14 November 2006 - 09:12 PM

I hope her site isn't actually foobar.com
If it is, just make an index file and job done!

#4 xGERMx (SUPR3M3 31337 Mack Daddy P1MP; Members; 459 posts)
Posted 14 November 2006 - 10:31 PM

I hope her site isn't actually foobar.com
If it is, just make an index file and job done!

and if not...?

#5 Tushot03 (Gibson Hacker; Members; 79 posts)
Posted 24 January 2007 - 08:34 AM

It will depend on how the DNS records are set on the server it is on, but a good percentage of sites do need the start page to be called index.html or index.php or index.asp (you get the idea, lol); then that file will link to the other files on the server.

Edited by Tushot03, 24 January 2007 - 08:36 AM.


#6 tehbizz (Progenitor of noob slaying; Members; 2,039 posts; Gender: Male)
Posted 25 January 2007 - 07:52 PM

It will depend on how the DNS records are set on the server it is on, but a good percentage of sites do need the start page to be called index.html or index.php or index.asp (you get the idea, lol); then that file will link to the other files on the server.


DNS records have nothing to do with how the web server itself is configured to recognize a default index file. The two are unrelated.

#7 banshee412 (HACK THE PLANET!; Members; 65 posts)
Posted 25 January 2007 - 08:17 PM

Seems like they host quite a bit of stuff. I checked 208.67.219.40 which is what www.libertybooks.com resolves to against rus-cert's passive dns server lookup and came up with the following. Some even look like they might be phishing sites.

http://cert.uni-stut...mp;submit=Query

www.ena A 208.67.219.40
208.172.158.xn--182-6y3b A 208.67.219.40
www.amoza.de A 208.67.219.40
yushengxu-pc.faho.rwth-aachen.de A 208.67.219.40
wpad.faho.rwth-aachen.de A 208.67.219.40
isatap.faho.rwth-aachen.de A 208.67.219.40
www.amozon.de A 208.67.219.40
www.amazon.com.sg A 208.67.219.40
www.amazon.sg A 208.67.219.40
www.ebay.sg A 208.67.219.40
wwww.cnbeta.com A 208.67.219.40
photo.91trip.com A 208.67.219.40
www.mydrivers.com A 208.67.219.40
img1.pconline.com.cn A 208.67.219.40
www.discuz.net A 208.67.219.40

#8 Alk3 ("I Hack, therefore, I am"; Binrev Financier; 1,003 posts; Gender: Not Telling; Location: 312 Chi-town)
Posted 25 January 2007 - 11:43 PM

Seems like they host quite a bit of stuff. I checked 208.67.219.40 which is what www.libertybooks.com resolves to against rus-cert's passive dns server lookup and came up with the following. Some even look like they might be phishing sites.

http://cert.uni-stut...mp;submit=Query

www.ena A 208.67.219.40
208.172.158.xn--182-6y3b A 208.67.219.40
www.amoza.de A 208.67.219.40
yushengxu-pc.faho.rwth-aachen.de A 208.67.219.40
wpad.faho.rwth-aachen.de A 208.67.219.40
isatap.faho.rwth-aachen.de A 208.67.219.40
www.amozon.de A 208.67.219.40
www.amazon.com.sg A 208.67.219.40
www.amazon.sg A 208.67.219.40
www.ebay.sg A 208.67.219.40
wwww.cnbeta.com A 208.67.219.40
photo.91trip.com A 208.67.219.40
www.mydrivers.com A 208.67.219.40
img1.pconline.com.cn A 208.67.219.40
www.discuz.net A 208.67.219.40


ROFL

#9 Tushot03 (Gibson Hacker; Members; 79 posts)
Posted 29 January 2007 - 04:40 AM

DNS records have nothing to do with how the web server itself is configured to recognize a default index file. The two are unrelated.


So with this comment in mind, am I wrong to think that a domain needs to point to name servers, i.e. DNS records, to resolve the web site on a webserver? If it happens to be pointing to different name servers than what are in the DNS records on the web server, then that will therefore not give a webpage when you type in a web address, as it is not resolved on anything correctly.

#10 xGERMx (SUPR3M3 31337 Mack Daddy P1MP; Members; 459 posts)
Posted 29 January 2007 - 02:42 PM

Seems like they host quite a bit of stuff. I checked 208.67.219.40 which is what www.libertybooks.com resolves to against rus-cert's passive dns server lookup and came up with the following. Some even look like they might be phishing sites.
...



I saw a few posts on SlashDot of people having some similar problems with that nameserver and LibertyBooks, so I don't think I'm alone here. The only thing that doesn't add up is the fact that LibertyBooks is a very popular (trustworthy?) store that has been around for a few years (the very opposite of most phishing sites). So, that doesn't leave them with a motivation to change DNS information (unless they aren't phishing and are just trying to create illegitimate traffic).

Since this incident, I manually changed NX records respectively and changed a few passwords, and have not had any problems.

#11 tehbizz (Progenitor of noob slaying; Members; 2,039 posts; Gender: Male)
Posted 30 January 2007 - 08:35 PM

DNS records have nothing to do with how the web server itself is configured to recognize a default index file. The two are unrelated.


So with this comment in mind, am I wrong to think that a domain needs to point to name servers, i.e. DNS records, to resolve the web site on a webserver? If it happens to be pointing to different name servers than what are in the DNS records on the web server, then that will therefore not give a webpage when you type in a web address, as it is not resolved on anything correctly.


Domains *are* pointed to servers with NS records but that doesn't mean they'll serve up web pages. If a domain is pointing to NS records other than those specified in the zone file on the server that is currently hosting the site, you won't see anything at all depending on how often your ISP's slave DNS servers update. You could see a blank page or you could see what you're intended to see.

Do not think that just because a domain points somewhere that it will serve up a web page. To answer your original question, you should just study the DNS RFCs and how DNS works.
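The check behind tehbizz's reply, as an added example that is not part of the thread: compare the NS set the parent zone delegates to with the NS set the delegated servers actually serve, and ask each delegated server for the same A record to see whether they agree. The `dig` outputs embedded below are constructed samples (the .example hostnames and the second address are invented; 64.226.28.33 is the address from the thread, used only as sample data), so the analysis runs offline; the `audit()` function shells out to a real `dig` if one is installed.

```python
"""Added example (not from the thread): does a domain's NS delegation
agree with the zone that is actually being served?

The parent zone (the TLD's servers) hands out one NS set for the domain;
the servers hosting the zone carry their own NS set in the zone file, and
each answers A queries from its own copy of the zone. When those disagree,
what a resolver sees depends on which server it happens to ask and on how
stale its cache is. Standard library only: the `dig` outputs below are
constructed samples so the analysis runs offline; audit() shells out to a
real `dig` if one is installed. Hostnames ending in .example are invented.
"""
import shutil
import subprocess
from collections import Counter


def parse_ns(dig_output):
    """Collect NS targets from full `dig` output, whether they appear in
    the ANSWER section or, for a referral, in the AUTHORITY section."""
    found = set()
    for line in dig_output.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue
        if fields[2] == "IN" and fields[3] == "NS":
            found.add(fields[4].lower().rstrip("."))
    return found


def parse_short(dig_short_output):
    """Normalise `dig +short` output to a set (lowercase, no trailing dot)."""
    return {l.strip().lower().rstrip(".")
            for l in dig_short_output.splitlines() if l.strip()}


def compare_delegation(parent_ns, zone_ns):
    """Describe how the parent's NS set relates to the zone's own NS set."""
    if not parent_ns:
        return "no delegation at parent"
    if not zone_ns:
        return "delegated servers return no NS records (lame delegation)"
    if parent_ns == zone_ns:
        return "ok"
    return "mismatch: parent-only=%s zone-only=%s" % (
        sorted(parent_ns - zone_ns), sorted(zone_ns - parent_ns))


def record_disagreement(answers):
    """answers: {nameserver: set of values it returned}. Return the servers
    whose answer differs from the most common one (a tie is broken
    arbitrarily); an empty list means every server agrees."""
    tally = Counter(frozenset(v) for v in answers.values())
    if not tally:
        return []
    majority = tally.most_common(1)[0][0]
    return sorted(ns for ns, v in answers.items() if frozenset(v) != majority)


# Constructed sample: the registry still delegates to the old host, the
# zone on the new host names itself, and one server returns a different A.
SAMPLE_PARENT = """\
; <<>> DiG 9.18 <<>> +norecurse NS foobar.example @a.tld.example
;; AUTHORITY SECTION:
foobar.example.         172800  IN      NS      ns1.oldhost.example.
foobar.example.         172800  IN      NS      ns2.oldhost.example.
"""
SAMPLE_ZONE_NS = "ns1.newhost.example.\nns2.newhost.example.\n"
SAMPLE_A = {
    "ns1.oldhost.example": {"64.226.28.33"},
    "ns2.oldhost.example": {"64.226.28.33"},
    "ns1.newhost.example": {"198.51.100.7"},
}


def dig(*args):
    """Run the real dig binary; raises if it is not installed."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    return subprocess.run(["dig", "+time=3", "+tries=1", *args],
                          capture_output=True, text=True, check=False).stdout


def audit(domain, probe_name):
    """Live check: delegation at the TLD versus the NS and A answers from
    each delegated server. Asks only the first TLD server, for brevity."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1] + "."
    tld_server = sorted(parse_short(dig("+short", "NS", tld)))[0]
    parent_ns = parse_ns(dig("+norecurse", "NS", domain, "@" + tld_server))
    zone_ns, answers = set(), {}
    for ns in sorted(parent_ns):
        zone_ns |= parse_short(dig("+short", "NS", domain, "@" + ns))
        answers[ns] = parse_short(dig("+short", "A", probe_name, "@" + ns))
    return compare_delegation(parent_ns, zone_ns), record_disagreement(answers)


if __name__ == "__main__":
    print(compare_delegation(parse_ns(SAMPLE_PARENT), parse_short(SAMPLE_ZONE_NS)))
    print(record_disagreement(SAMPLE_A))
```

The parent-side query uses `+norecurse` against a TLD server because the delegation comes back as a referral, whose NS records sit in the AUTHORITY section and are not printed by `+short`; the per-server NS and A queries can use `+short` since those servers answer authoritatively.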



