This morning I couldn’t ssh into my mail account, at least not from my machine. I went to another machine on a different network (and in a different country) and got in from there. Hmm… looks like DNS is all messed up.
If only it were that simple. The front web page for PANIX says (right now):
Panix’s main domain name, panix.com, has been hijacked by parties unknown. Panix staff are currently working around the clock to recover our domain.
For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site.
As a temporary workaround, you can use the panix.net domain in place of panix.com. In other words, if you’re trying to log onto “shell.panix.com” or see your mail at “mail.panix.com,” use “shell.panix.net” or “mail.panix.net” instead.
Mail to username@panix.com is currently being redirected to the false site, and should be considered lost or compromised if it does not arrive in your Panix mailbox. If you have online accounts that authenticate via email address, you might wish to protect them against fraud by changing that address to your username “@panix.net”.
Holy cannoli! That means that all of my mail to my public email address, comdog@panix.com, could be going to the wrong place. Someone has effectively cracked the mail server without touching it, simply by redefining which machine the mail server is.
I check out the WHOIS record from my home network. It definitely looks wrong: PANIX is a New York City ISP. What’s all this Las Vegas nonsense? The nameservers are in the UK.
Domain Name.......... panix.com
Creation Date........ 1991-04-22
Registration Date.... 2005-01-15
Expiry Date.......... 2006-04-23
Organisation Name.... vanessa Miranda
Organisation Address. 1010 Grand Cerritos Ave
Organisation Address.
Organisation Address. Las Vegas
Organisation Address. 89123
Organisation Address. NV
Organisation Address. UNITED STATES
Admin Name........... na vanessa Miranda
Admin Address........ 1010 Grand Cerritos Ave
Admin Address........
Admin Address........ Las Vegas
Admin Address........ 89123
Admin Address........ NV
Admin Address........ UNITED STATES
Admin Email.......... jzoh@yahoo.com
Admin Phone.......... +44.702413697
Admin Fax............ +44.7026413697
Tech Name............ Domain Admin
Tech Address......... Burnhill Business Centre
Tech Address.........
Tech Address......... Beckenham
Tech Address......... BR3 3LA
Tech Address......... Kent
Tech Address......... GREAT BRITAIN (UK)
Tech Email........... admin@powerhost.co.uk
Tech Phone........... +44.2082496081
Tech Fax............. +44.2082496076
Name Server.......... ns1.ukdnsservers.co.uk
Name Server.......... ns2.ukdnsservers.co.uk
I go to the InterNIC site to use their whois and get a different answer, one that has the right nameservers. It seems odd that PANIX would use an Australian company to register their domain.
Domain Name: PANIX.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: NS1.ACCESS.NET
Name Server: NS2.ACCESS.NET
Status: ACTIVE
Updated Date: 14-jan-2005
Creation Date: 22-apr-1991
Expiration Date: 23-apr-2006
Now here’s the mind bending part of it all: Some networks haven’t seen or aren’t respecting the changed record, so everything works as normal from those networks. Other networks obey the new registration. Some people can send mail to me and I get it. Some people send mail to me and it might end up on a cracker’s machine.
So, which networks get it and which don’t? Which networks include my banks? Even if my banks don’t put anything truly compromising in the mail they send me, that mail still carries some information about me.
It’s even odder, though. Even though the shell hosts have no DNS entries on my home network (the one using the compromised records), the web server address resolves just fine, while many other addresses don’t resolve at all. The web server has the same IP address as before, and from another network I can change the web page and see the results. So the compromised records carry correct entries for some services. If someone is going to hijack the domain, why would they do that? I see a bit of intent there: is there some sort of extortion involved? There is just enough effect to say “We own you”. If someone really wanted the domain, I think they’d just take over everything.
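As an added example (my own, not part of the original post), a small script that parses both WHOIS layouts quoted above, flags a delegation whose nameservers differ from the known-good set, and sorts resolvers into “still good” and “serving the hijacked answer”. The WHOIS samples are copied from the records above and trimmed; EXPECTED_NS and the per-resolver answers are constructed.

```python
import re
from typing import Dict, List

# Two WHOIS layouts seen in this post: the dotted one from the registrar the
# hijacked record pointed at, and the colon-separated InterNIC one. Both are
# copied from the post, trimmed to the fields that matter for a delegation check.
HIJACKED_WHOIS = """\
Domain Name.......... panix.com
Registration Date.... 2005-01-15
Organisation Name.... vanessa Miranda
Name Server.......... ns1.ukdnsservers.co.uk
Name Server.......... ns2.ukdnsservers.co.uk
"""
REGISTRY_WHOIS = """\
Domain Name: PANIX.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Name Server: NS1.ACCESS.NET
Name Server: NS2.ACCESS.NET
Updated Date: 14-jan-2005
"""
# Known-good delegation for the monitored domain (assumed; taken from the registry record).
EXPECTED_NS = {"ns1.access.net", "ns2.access.net"}

# Matches "Key...... value" and "Key: value"; repeated keys (Name Server) accumulate.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*(?:\.+|:)\s*(.*?)\s*$")

def parse_whois(text: str) -> Dict[str, List[str]]:
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):  # skip fields with an empty value (blank address lines)
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def check_delegation(record: str, expected=EXPECTED_NS) -> dict:
    """Compare the nameservers in a WHOIS record with the known-good set."""
    found = {ns.lower() for ns in parse_whois(record).get("name server", [])}
    return {"ok": found == expected,
            "unexpected": sorted(found - expected),
            "missing": sorted(expected - found)}

def resolver_split(answers: Dict[str, List[str]], expected=EXPECTED_NS) -> Dict[str, List[str]]:
    """Group resolvers by whether their NS answer matches the expected delegation.
    `answers` is constructed by the caller; a real monitor would fill it by asking
    several recursive resolvers for the domain's NS records."""
    groups: Dict[str, List[str]] = {"good": [], "hijacked": []}
    for resolver, ns in answers.items():
        groups["good" if {n.lower() for n in ns} == expected else "hijacked"].append(resolver)
    return groups

if __name__ == "__main__":
    print(check_delegation(HIJACKED_WHOIS))
    print(resolver_split({"home-isp": ["ns1.ukdnsservers.co.uk", "ns2.ukdnsservers.co.uk"],
                          "office-abroad": ["NS1.ACCESS.NET", "NS2.ACCESS.NET"]}))
```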
[And, for those of you playing at home (since this is the first question I get from people): I’m not using any passwords that are sent over the network. Everything I need to get to has my public ssh identity. I log in to the machine and read my mail with PINE. No web mail, no POP, no nothing. :)]


forensics
Are you sure some networks saw the changes, or have some networks already seen the fixes? DNS entries don't just magically change; it takes time. You may have been checking whois/dig half-way through the fix or the attack.
forensics
I'm pretty sure I had a couple of networks with the original data, because an hour later they were showing the hijacked data. When the good DNS entries in some network's cache expire, they "magically" update. In this case they updated with what the computers think is the authoritative data.
Today the situation is different. Some networks previously affected are showing the true results again.
Accountability
After the dust clears, is there some way to hold the registrar in Melbourne accountable? Perhaps suspending their ability to register domains for a period of time would be a good idea?
forensics
You were probably seeing some sites still having the old (correct) records, with others having already updated to the newer (cracked) records, and are now seeing other sites which have been updated to the latest (correct) records.
Not every site updates their DNS records at the same interval or the same time (which is a good thing as it prevents network spikes at the main DNS servers).
Nothing automagic, it's probably a cron job on most machines (or a task scheduled internally to the DNS server running on it).
forensics
Yes, I know. I've been watching the records to see who's claiming what. It looks mostly fixed now.
"Automagic" means "no manual intervention" to me. :)