Your security doesn't always matter

by brian d foy


This morning I couldn't ssh into my mail account, at least not from my machine. I went to another machine on a different network (and in a different country) and got in from there. Hmm... looks like DNS is all messed up.



If only it were that simple. The front web page for PANIX says (right now):



Panix's main domain name, panix.com, has been hijacked by parties unknown. Panix staff are currently working around the clock to recover our domain.

For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site.

As a temporary workaround, you can use the panix.net domain in place of panix.com. In other words, if you're trying to log onto "shell.panix.com" or see your mail at "mail.panix.com," use "shell.panix.net" or "mail.panix.net" instead.

Mail to username@panix.com is currently being redirected to the false site, and should be considered lost or compromised if it does not arrive in your Panix mailbox. If you have online accounts that authenticate via email address, you might wish to protect them against fraud by changing that address to your username "@panix.net".



Holy cannoli! That means that all of my mail to my public email address, comdog@panix.com, could be going to the wrong place. Someone has virtually cracked the mail server simply by redefining what the mail server is.



I check out the WHOIS record from my home network. It definitely looks wrong: PANIX is a New York City ISP. What's all this Las Vegas nonsense? The nameservers are in the UK.




Domain Name.......... panix.com
Creation Date........ 1991-04-22
Registration Date.... 2005-01-15
Expiry Date.......... 2006-04-23
Organisation Name.... vanessa Miranda
Organisation Address. 1010 Grand Cerritos Ave
Organisation Address.
Organisation Address. Las Vegas
Organisation Address. 89123
Organisation Address. NV
Organisation Address. UNITED STATES

Admin Name........... na vanessa Miranda
Admin Address........ 1010 Grand Cerritos Ave
Admin Address........
Admin Address........ Las Vegas
Admin Address........ 89123
Admin Address........ NV
Admin Address........ UNITED STATES
Admin Email.......... jzoh@yahoo.com
Admin Phone.......... +44.702413697
Admin Fax............ +44.7026413697

Tech Name............ Domain Admin
Tech Address......... Burnhill Business Centre
Tech Address.........
Tech Address......... Beckenham
Tech Address......... BR3 3LA
Tech Address......... Kent
Tech Address......... GREAT BRITAIN (UK)
Tech Email........... admin@powerhost.co.uk
Tech Phone........... +44.2082496081
Tech Fax............. +44.2082496076
Name Server.......... ns1.ukdnsservers.co.uk
Name Server.......... ns2.ukdnsservers.co.uk



I go to the Internic site to use their whois and get a different answer, and one that has the right nameservers. It seems odd that PANIX would use an Australian company to register their domain.




Domain Name: PANIX.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: NS1.ACCESS.NET
Name Server: NS2.ACCESS.NET
Status: ACTIVE
Updated Date: 14-jan-2005
Creation Date: 22-apr-1991
Expiration Date: 23-apr-2006
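The two records above disagree on exactly the field that matters. As an added example (not code from the original post), here is a small parser for both WHOIS layouts, the registrar's dotted "Key.... value" lines and InterNIC's "Key: value" lines, with a diff that reports where two records disagree; the same diff run against a known-good baseline is the check a domain owner would want to catch a registrar-level change early. The embedded record text is abbreviated to the lines the check uses.

```python
"""Compare what two WHOIS sources say about one domain (added example).

Parses the registrar's dotted format and InterNIC's colon format quoted
above and reports the fields on which they disagree. Record text is
abbreviated from the post to the lines used here.
"""
import re

REGISTRAR_WHOIS = """\
Domain Name.......... panix.com
Organisation Name.... vanessa Miranda
Admin Email.......... jzoh@yahoo.com
Admin Address........
Name Server.......... ns1.ukdnsservers.co.uk
Name Server.......... ns2.ukdnsservers.co.uk
"""

INTERNIC_WHOIS = """\
Domain Name: PANIX.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Name Server: NS1.ACCESS.NET
Name Server: NS2.ACCESS.NET
"""

# "Key.......... value" or "Key: value"; an empty value is skipped below.
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*(?:\.+|:)\s*(.*)$")


def parse_whois(text):
    """Map lower-cased field names to the list of values seen for them."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2).strip():
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return fields


def nameservers(text):
    """Case-folded nameserver set, so NS1.ACCESS.NET equals ns1.access.net."""
    return {ns.lower().rstrip(".") for ns in parse_whois(text).get("name server", [])}


def whois_diff(text_a, text_b):
    """Fields present in both records whose normalised values differ."""
    a, b = parse_whois(text_a), parse_whois(text_b)
    norm = lambda vals: sorted(v.lower().rstrip(".") for v in vals)
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if norm(a[k]) != norm(b[k])}
```

Run against the two records, the only disagreeing common field is "name server", which is the delegation change that moved the domain.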



Now here's the mind-bending part of it all: some networks haven't seen or aren't respecting the changed record, so everything works as normal from those networks. Other networks obey the new registration. Some people can send mail to me and I get it. Some people send mail to me and it might end up on a cracker's machine.
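Why different networks disagree comes down to resolver caching. As an added example (not code from the original post), the model below gives each network's recursive resolver a cache that keeps an answer until its TTL runs out and only then re-asks the authority; the authority's history (correct, hijacked, restored) and the 120-minute TTL are constructed values, not Panix's real ones.

```python
"""Resolver caches lag the authority by up to one TTL (added example).

Constructed timeline, in minutes: the authoritative NS answer is correct
before t=60, hijacked from t=60 to t=180, and restored from t=180 on.
Each cache refreshed at a different moment, so at any one instant some
networks see the old answer, some the hijacked one, and some the fix.
"""


class ResolverCache:
    """One network's recursive resolver, holding a single cached answer."""

    def __init__(self, authority):
        self.authority = authority   # callable: now -> (answer, ttl_minutes)
        self.cached = None           # (answer, expires_at) or None

    def lookup(self, now):
        """Serve from cache while fresh; otherwise refresh from the authority."""
        if self.cached is None or now >= self.cached[1]:
            answer, ttl = self.authority(now)
            self.cached = (answer, now + ttl)
        return self.cached[0]


def authority_timeline(now):
    """Constructed history of the zone's authoritative NS answer, TTL 120."""
    if 60 <= now < 180:
        return ("ns1.ukdnsservers.co.uk", 120)   # hijacked delegation
    return ("ns1.access.net", 120)               # correct delegation


def observe(first_query, probe_times):
    """Answers a cache first populated at first_query returns at each probe."""
    cache = ResolverCache(authority_timeline)
    cache.lookup(first_query)
    return [cache.lookup(t) for t in probe_times]


if __name__ == "__main__":
    for warmed_at in (10, 50, 70):
        print(warmed_at, observe(warmed_at, [100, 140, 200]))
```

A cache warmed at t=10 expires at 130, refreshes into the hijacked answer at 140 and still serves it at 200, twenty minutes after the fix; one warmed at t=50 never sees the hijack at all, and one warmed at t=70 shows the hijack until its own TTL runs out, which is exactly "previously affected networks showing the true results again".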



So, which networks get it and which don't? Which networks include my banks? Even if my banks don't put anything compromising in the mail they send me, they do include some information.



It's even odder, though. Even though the shell hosts do not have DNS entries on my home network (the one using the compromised records), and many other addresses do not resolve at all, the web server address is just fine: it has the same IP number as before, and from another network I can change the web page and see the results. The compromised records have correct entries for some services. If someone is going to hijack the domain, why would they do that? I see a bit of intent there: is there some sort of extortion involved? There is just enough effect to say "We own you". If someone really wanted the domain, I think they'd just take over everything.



[And, for those of you playing at home, since this is the first question I get from people: I'm not using any passwords that are sent over the network. Everything I need to get to has my public ssh identity. I log in to the machine and read my mail with PINE. No web mail, no POP, no nothing. :)]


5 Comments

msporleder
2005-01-16 06:49:12
forensics
Are you sure some networks saw the changes, or have some networks already seen the fixes? DNS entries don't just magically change, it takes time. You may have been checking whois/dig half-way through the fix or the attack.
brian_d_foy
2005-01-16 09:38:16
forensics
I'm pretty sure I had a couple of networks with the original data, because an hour later they were showing the hijacked data. When the good DNS entries in some network's cache expire, they "magically" update. In this case they updated with what the computers think is the authoritative data.


Today the situation is different. Some networks previously affected are showing the true results again.

bpschuck
2005-01-16 17:08:13
Accountability
After the dust clears, is there some way to hold the registrar in Melbourne accountable? Perhaps suspending their ability to register domains for a period of time would be a good idea?
jwenting
2005-01-17 03:41:24
forensics
You were probably seeing some sites still having the old (correct) records, with others having already updated to the newer (cracked) records, and are now seeing other sites which have been updated to the latest (correct) records.


Not every site updates their DNS records at the same interval or the same time (which is a good thing as it prevents network spikes at the main DNS servers).


Nothing automagic, it's probably a cron job on most machines (or a task scheduled internally to the DNS server running on it).

brian_d_foy
2005-01-17 04:49:17
forensics
Yes, I know. I've been watching the records to see who's claiming what. It looks mostly fixed now.


"Automagic" means "no manual intervention" to me. :)