[Dshield] odd site appears to KILL DNS on RedHat 9 and Mozilla 1.2.1

John Sage jsage at finchhaven.com
Wed Nov 26 15:40:38 GMT 2003


OK: reset, here...

On Wed, Nov 26, 2003 at 08:47:42AM +0000, Roger Hart wrote:
> Date: Wed, 26 Nov 2003 08:47:42 +0000
> From: Roger Hart <rogerhart555 at tiscali.co.uk>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> 	rv:1.5) Gecko/20031007
> To: General DShield Discussion List <list at dshield.org>
> Subject: Re: [Dshield] odd site appears to KILL DNS on RedHat 9 and Mozilla
> 	1.2.1
> Old-X-Envelope-To: list at dshield.org
> 
> Embedded  protection code has been around for some time. 

*What* "embedded protection code"?

Did you actually take a moment to look at the html of the website in
question?

Aside from being riddled with newlines, tabs and spaces, it appears to
be quite normal.

This at the very top:

<!-- Powered by NQContent, Copyright Netquest 1999-2003-->
<!-- http://www.nqcontent.com -->

seems to refer to the tools used for website implementation in
ColdFusion, as is shown in the search implementation, thus:

<table border="0" cellpadding="0" cellspacing="0">
<form action="nqcontent.cfm?a_id=57" method="post">
<tr><td colspan="2">
<label for="searchfield" id="searchtitle">Search</label>

And as for NQContent itself:

"NQcontent is an award winning Web Content Management solution that
addresses the most demanding Site management and Administration
needs. Having both developers' and end users' needs in mind, NQcontent
simplifies the process of content and data management. It's low cost,
ease of use and fast deployment, make it the ideal tool with which to
build and update dynamic sites. With NQcontent, "time to web" is
measured in weeks - not months."

This does not seem very suspicious.


> For instance: 
> pre 9/11, Islamist groups were using simple code in an attempt to ensure 
> that only those invited by email were able to access their sites. It's 
> used to keep out prying eyes and it can be very effective. Nowadays, 
> simple code is used by amateurish activist groups, script kiddies and 
> their ilk.

What in god's name are you talking about?

The site in discussion is at the University of California, Davis, and
is in fact the online version of the student paper:

"The California Aggie (USPS 858-180) is entered as second-class mail
with the United States Post Office, Davis, Calif., 95616.

Printed Monday through Friday during the academic year and twice a
week in the summer at The Davis Enterprise, Davis, Calif.,
95616. Accounting services are provided by ASUCD."


> You're lucky you only suffered DNS lookup failure; 

This has yet to be established. Did you make any attempt to discover
exactly what symptoms the original poster was experiencing before you
blindly accepted his diagnosis?


> some of 
> the more advanced code, as used by modern professional criminals, 
> terrorists and activists groups, can crash, and do damage to, even a 
> protected machine or network. 

WTF?

What code? Did you even bother to look at the html, or did you just
jump to an exciting conclusion without any thought whatsoever?

Did you put even one moment into research before you posted?


> If you're concerned the site may fit into 
> one of the categories outlined above, inform the authorities and let 
> them check it out. Unless you're a spook, a cop or a professional bounty 
> hunter, put it down to experience, add the site to your blocked URL list 
> and forget it.
> 
> Incidentally, both sites mentioned below appear in the IE-Spyad lists.

So what?

Maybe "IE-Spyad" doesn't understand ColdFusion and *.cfm web pages..

What relevance does this have for the original poster, who very
clearly stated he was using Mozilla running under Linux?


I continue to be dumbfounded by the utter lack of research,
critical thoughtfulness, and intellectual rigor that is evident in so
many posts to the dshield list in the last year...


- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.




More information about the list mailing list