[Dshield] Email and Websites Impersonating eBay

John Sage jsage at finchhaven.com
Sat Oct 18 21:00:00 GMT 2003


oh! oh! oh! me! me! me!

/* waves hand in air */

On Sat, Oct 18, 2003 at 12:52:08PM -0400, Johannes Ullrich wrote:

/* snip */

> hehe... little challenge:
> how do you know that 'https://secure.dshield.org' is actually associated
> with 'DShield.org', myself or the SANS Institute?

/* sharpens #3 pencil */

[jsage at sparky /storage/virii] $ dig @greatwall secure.dshield.org
 
; <<>> DiG 9.2.1 <<>> @greatwall secure.dshield.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13934
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 2
 
;; QUESTION SECTION:
;secure.dshield.org.            IN      A
 
;; ANSWER SECTION:
secure.dshield.org.     60      IN      A       65.173.218.101
 
;; AUTHORITY SECTION:
dshield.org.            3600    IN      NS      ns1.giac.net.
dshield.org.            3600    IN      NS      ns1.homepc.org.
dshield.org.            3600    IN      NS      ns2.giac.net.
dshield.org.            3600    IN      NS      ns2.homepc.org.
dshield.org.            3600    IN      NS      ns3.homepc.org.
dshield.org.            3600    IN      NS      ns4.homepc.org.
 
;; ADDITIONAL SECTION:
ns1.giac.net.           80388   IN      A       65.173.218.103
ns2.giac.net.           80388   IN      A       63.100.47.43
 
;; Query time: 4571 msec
;; SERVER: 192.168.1.2#53(greatwall)
;; WHEN: Sat Oct 18 13:52:10 2003
;; MSG SIZE  rcvd: 207


[jsage at sparky /storage/virii] $ whois 65.173.218.101
BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman
Request: 65.173.218.101
connected to whois.arin.net [192.149.252.43:43] ...
Sprint SPRINTLINK-2-BLKS (NET-65-160-0-0-1)
                                  65.160.0.0 - 65.174.255.255
ESCAL INSTITUTE OF ADVANCED FON-1101912576101565 (NET-65-173-218-0-1)
                                  65.173.218.0 - 65.173.218.255
 
# ARIN WHOIS database, last updated 2003-10-17 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.


[jsage at sparky /storage/virii] $ whois NET-65-173-218-0-1
BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman
Request: NET-65-173-218-0-1
connected to whois.arin.net [192.149.252.43:43] ...
 
OrgName:    ESCAL INSTITUTE OF ADVANCED
OrgID:      EIA-16
Address:    5401 WESTBARD AVE SUITE 1501
City:       BETHESDA
StateProv:  MD
PostalCode: 20816
Country:    US
 
NetRange:   65.173.218.0 - 65.173.218.255
CIDR:       65.173.218.0/24
NetName:    FON-1101912576101565
NetHandle:  NET-65-173-218-0-1
Parent:     NET-65-160-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2002-05-29
Updated:    2002-05-29
 
TechHandle: MF974-ARIN
TechName:   FEARNOW, MATT
TechPhone:  +1-317-580-9756
TechEmail:  MATT at sans.org
 
OrgTechHandle: MF974-ARIN
OrgTechName:   FEARNOW, MATT
OrgTechPhone:  +1-317-580-9756
OrgTechEmail:  MATT at sans.org
 
# ARIN WHOIS database, last updated 2003-10-17 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
I'd say Matt, and SANS...
- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
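The dig -> whois -> net-handle chain above, written out as an added Python example that is not part of the original post: it parses the ARIN record and the dig ANSWER line (both constructed here from the values quoted in the post) and checks that the resolved address really falls inside the registered netblock and which contact domain that block is registered to.

```python
import ipaddress
import re

# Constructed sample data (values taken from the whois and dig output in the post).
ARIN_RECORD = """\
OrgName:    ESCAL INSTITUTE OF ADVANCED
OrgID:      EIA-16
NetRange:   65.173.218.0 - 65.173.218.255
CIDR:       65.173.218.0/24
NetHandle:  NET-65-173-218-0-1
TechEmail:  MATT at sans.org
"""
DIG_ANSWER = "secure.dshield.org.     60      IN      A       65.173.218.101"

def parse_whois(text):
    """Parse ARIN-style 'Key:   value' lines into a dict (later keys win)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def parse_dig_a(answer_section):
    """Return (name, address) pairs for the A records in a dig ANSWER section."""
    records = []
    for line in answer_section.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            records.append((parts[0].rstrip("."), parts[4]))
    return records

def address_in_range(address, fields):
    """True if the address lies inside the record's CIDR, falling back to NetRange."""
    ip = ipaddress.ip_address(address)
    if "CIDR" in fields:
        return any(ip in ipaddress.ip_network(c.strip()) for c in fields["CIDR"].split(","))
    lo, hi = (ipaddress.ip_address(x.strip()) for x in fields["NetRange"].split("-"))
    return lo <= ip <= hi

def attribute(dig_answer, whois_text, expected_domain):
    """Tie each resolved address to the netblock registrant and its contact domain."""
    fields = parse_whois(whois_text)
    contact = fields.get("TechEmail", "").replace(" at ", "@")   # list archives obfuscate '@'
    tech_domain = contact.rsplit("@", 1)[-1].lower()
    return [{"name": n, "address": a, "org": fields.get("OrgName"),
             "in_netblock": address_in_range(a, fields), "tech_domain": tech_domain,
             "contact_matches": tech_domain == expected_domain.lower()}
            for n, a in parse_dig_a(dig_answer)]
```

Netblock registration tells you who holds the address space, not who controls the certificate served at https://secure.dshield.org; checking the certificate's subject and issuer is a separate step.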