[Intrusions] RE Question

Mike Chandler mchandl1 at san.rr.com
Wed May 4 00:58:00 GMT 2005


Thanks to all.  The problem is resolved.  There were two problems here.

The first was that I was being redirected to http://tcrc.acor.org/.  My
dynamic IP address on the cable modem expired and was renewed to a new
number.  Voilà, the problem went away.  Somebody must have used the old IP
to attack the right-thinking.com web site.  (Imagine that.)

The second, a mismatch between the true IP for http://tcrc.acor.org/ and the
63.236.73.251 IP in my packet capture, seems to be an aberration.  (See Mike
Klinke's email below in == brackets.)  I did an nslookup using several name
servers spread throughout the internet.  The results were the same for
each lookup (206.127.37.142).  I can't explain the single return of
63.236.73.251; I didn't notice a difference in the browser.

Thanks again.  It is always educational posting to this site.  I miss the
submissions for the practicals, but it is still a great site.

===============Mike Klinke's post===================

> length: 40) 63.236.73.251.80 > 192.168.1.172.1197: . [tcp sum ok]

Just to add a little more weirdness to your day, the IP address you
were re-directed to above doesn't appear to be the correct address
for tcrc.acor.org.

I had no problems getting to "right-thinking" from here.

Regards, Mike Klinke
=============================================

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org]On Behalf Of Schmehl, Paul L
Sent: Monday, May 02, 2005 8:39 AM
To: Intrusions List (GCIA Practicals)
Subject: RE: [Intrusions] RE Question


> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Joel Esler
> Sent: Saturday, April 30, 2005 8:31 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] RE Question
>
> I'd hate to be hasty about it, as I am still laying in bed
> this morning... *yawn*
>
> My thoughts are..  DNS poisoning,

Precisely my thoughts as well.  Looking at the packets, it looks
suspiciously familiar to other DNS poisoning instances that I have seen.

The question is, whose DNS is being poisoned?

Mike, are you running a MS DNS server internal to your network?  Does
your ISP run an MS DNS server?

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
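The check described in this thread (resolve the name through several independent name servers, take the majority answer, and compare it with the server address seen in the packet capture) as an added Python example; this is not code from the thread or from any list member. The resolver names and the single disagreeing cached answer are constructed to mirror the two addresses discussed above.

```python
import re
from collections import Counter

# Constructed sample answers, one set of A records per resolver queried.
# Two far-away resolvers agree; a local cache returns a different address,
# which is the pattern a poisoned cache would produce.
RESOLVER_ANSWERS = {
    "resolver-a.example": {"206.127.37.142"},
    "resolver-b.example": {"206.127.37.142"},
    "local-cache.example": {"63.236.73.251"},
}

# The tcpdump line quoted in the thread (server port 80 -> client port 1197).
TCPDUMP_LINE = "length: 40) 63.236.73.251.80 > 192.168.1.172.1197: . [tcp sum ok]"

# tcpdump prints IPv4 endpoints as a.b.c.d.port on each side of " > ".
ENDPOINT_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+)")


def resolver_consensus(answers):
    """Return (majority answer set, resolvers whose answer differs from it)."""
    tally = Counter(frozenset(a) for a in answers.values())
    majority, _ = tally.most_common(1)[0]
    outliers = {r: a for r, a in answers.items() if frozenset(a) != majority}
    return set(majority), outliers


def parse_tcpdump_endpoints(line):
    """Pull src/dst address and port out of one tcpdump TCP line, or None."""
    m = ENDPOINT_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4))}


def check_capture(line, hostname, answers):
    """Flag a capture whose web-server address is not the resolver consensus."""
    ep = parse_tcpdump_endpoints(line)
    if ep is None:
        return ["could not parse capture line"]
    # The HTTP server is whichever endpoint is using port 80.
    server = ep["src"] if ep["sport"] == 80 else ep["dst"]
    majority, outliers = resolver_consensus(answers)
    findings = []
    if server not in majority:
        findings.append(f"{hostname}: capture shows {server}, consensus is {sorted(majority)}")
    for resolver, answer in outliers.items():
        findings.append(f"resolver {resolver} disagrees with consensus: {sorted(answer)}")
    return findings
```

In a live check the answer sets would come from querying each resolver directly (for example `nslookup host server`), so that a poisoned local cache cannot influence the comparison.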