Documentation of Hijacking of IRC Servers by Timewarner/AOL/Cox
UPDATE: This was an old post, but I noticed that ns1.lv.cox.net is still hijacking irc.mzima.net, so I figured an update would be good. It doesn't look like the IRC server is responding, but it could be locked down to Cox IPs only.
Problem: It looks like various US cable companies are hijacking the DNS of well-known IRC servers to redirect clients to their own IRC server in order to clean one type of drone. I believe this type of drone is sd-bot and its variants.
In case you didn't click on the drone link above, or need a better definition of what we consider drones: drones in the IRC world are machines that have been hacked and are used for flooding a user or channel, or for causing a Denial of Service or Distributed Denial of Service against various targets across the Internet.
Evidence:
Using the following DNS servers:
ns1.lv.cox.net
ns1.sd.cox.net
ns1.dc.cox.net
(there are many, many more DNS servers, but this is just a handful)
and checking irc.vel.net, irc.mzima.net, and irc.dks.ca (there are others, but this is broad enough), you can see what the record shows:
bash2-2.05b$ dig @ns1.dc.cox.net irc.mzima.net
; <<>> DiG 9.3.3 <<>> @ns1.dc.cox.net irc.mzima.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2862
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;irc.mzima.net. IN A
;; ANSWER SECTION:
irc.mzima.net. 300 IN A 70.168.70.174
;; AUTHORITY SECTION:
irc.mzima.net. 300 IN NS irc.mzima.net.
;; Query time: 70 msec
;; SERVER: 68.100.16.30#53(68.100.16.30)
;; WHEN: Mon Jul 23 13:47:47 2007
;; MSG SIZE rcvd: 61
bash2-2.05b$
Now for the real record.
bash2-2.05b$ dig @4.2.2.2 irc.mzima.net
; <<>> DiG 9.3.3 <<>> @4.2.2.2 irc.mzima.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53632
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;irc.mzima.net. IN A
;; ANSWER SECTION:
irc.mzima.net. 43200 IN A 216.193.223.223
;; Query time: 5 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Mon Jul 23 13:48:22 2007
;; MSG SIZE rcvd: 47
bash2-2.05b$
You can see Cox has its own IP in the record.
Cox also changes the SOA and serial: irc.mzima.net. root.irc.mzima.net. 2005072868 3600 900 86400 3600
Real SOA and serial: ns1.lax01.mzima.net. dnsadmin.mzimanetworks.com. 2007083007 7200 3600 1209600 86400
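A quick way to reproduce this check without dig, as an added example (my own code, not from the original post): it sends an A query to each resolver, parses the answer section, and flags any resolver whose answer shares no address with a reference resolver. The packet builder, the parser, the resolver lists and the two constructed sample packets (modelled on the two dig answers above) are assumptions of this example; demo() runs the comparison against those samples offline, and the main block does the live comparison. It checks A records only; the SOA/serial difference noted above is not covered.

```python
import random
import socket
import struct

# Resolvers to compare (assumption for this example; the Cox nameservers and
# 4.2.2.2 are the ones used in the dig output above).
RESOLVERS_UNDER_TEST = ["ns1.lv.cox.net", "ns1.sd.cox.net", "ns1.dc.cox.net"]
REFERENCE_RESOLVER = "4.2.2.2"


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, qtype=1):
    """Build a standard recursive query (default qtype 1 = A) for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD bit set
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_a_records(msg):
    """Return [(owner, ttl, ipv4)] for every A record in the answer section."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((owner, ttl, socket.inet_ntoa(rdata)))
    return records


def query(resolver, name, timeout=3.0):
    """Send one UDP A query to `resolver` and return the set of IPs it answers."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != qid:
        raise ValueError("response id mismatch")
    return {ip for _, _, ip in parse_a_records(data)}


def find_divergent(answers, reference):
    """Return {resolver: ips} for resolvers whose answer shares no IP with `reference`."""
    return {r: ips for r, ips in answers.items() if ips and not ips & reference}


def build_response(qid, name, ttl, ipv4):
    """Construct a minimal answer packet (test fixture, not captured wire data)."""
    header = struct.pack(">HHHHHH", qid, 0x8580, 1, 1, 0, 0)  # qr aa rd ra
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ipv4)
    return header + question + answer


# Constructed samples mirroring the two dig answers above (ids, TTLs, addresses).
SAMPLE_HIJACKED_RESPONSE = build_response(2862, "irc.mzima.net", 300, "70.168.70.174")
SAMPLE_REFERENCE_RESPONSE = build_response(53632, "irc.mzima.net", 43200, "216.193.223.223")


def demo():
    """Run the comparison over the constructed packets, no network needed."""
    reference = {ip for _, _, ip in parse_a_records(SAMPLE_REFERENCE_RESPONSE)}
    answers = {"ns1.dc.cox.net": {ip for _, _, ip in parse_a_records(SAMPLE_HIJACKED_RESPONSE)}}
    return find_divergent(answers, reference)


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "irc.mzima.net"
    reference = query(REFERENCE_RESOLVER, name)
    answers = {}
    for resolver in RESOLVERS_UNDER_TEST:
        try:
            answers[resolver] = query(resolver, name)
        except (socket.timeout, OSError, ValueError):
            answers[resolver] = set()  # unreachable or bad reply: skip, don't flag
    for resolver, ips in find_divergent(answers, reference).items():
        print(f"{resolver} answers {sorted(ips)} for {name}; reference says {sorted(reference)}")
```

Run it as `python3 check_irc_dns.py irc.mzima.net` to compare live; a resolver is only flagged when none of its addresses overlap the reference set, so round-robin hosts with several A records do not trigger false alarms.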
So what happens when you connect to the Cox IP address?
| [INFO] | Network view for “70.168.71.144” opened. | |
| [INFO] | Attempting to connect to “70.168.71.144”. Use /cancel to abort. | |
| [INFO] | Connecting to irc://70.168.71.144/ (irc://70.168.71.144/)… | |
| === | *** Looking up your hostname… | |
| === | *** Checking Ident | |
| === | *** No Ident response | |
| === | Welcome to the Internet Relay Network Drew | |
| === | Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2 | |
| === | *** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2 | |
| === | This server was created Thu Dec 6 2001 at 11:52:49 EST | |
| === | localhost.localdomain 2.8/hybrid-6.2 oOiwszcrkfydnxb biklmnopstve | |
| === | There are 2 users and 0 invisible on 1 servers | |
| === | I have 2 clients and 0 servers | |
| === | Current local users: 2 Max: 2 | |
| === | Current global users: 2 Max: 2 | |
| === | Highest connection count: 2 (2 clients) (2 since server was (re)started) | |
| === | - localhost.localdomain Message of the Day - | |
| === | - Where’s the kaboom? There was supposed to be an earth shattering kaboom. | |
| [INFO] | Channel view for “#martian_” opened. | |
| –>| | YOU (Drew) have joined #martian_ | |
| =-= | Mode #martian_ +nt by localhost.localdomain | |
| =-= | Topic for #martian_ is “.bot.remove” | |
| =-= | Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM | |
| =-= | Topic for #martian_ is “.remove” | |
| =-= | Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM | |
| =-= | Topic for #martian_ is “.uninstall” | |
| =-= | Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM | |
| =-= | Topic for #martian_ is “!bot.remove” | |
| =-= | Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM | |
| =-= | Topic for #martian_ is “!remove” | |
| =-= | Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM | |
| =-= | Topic for #martian_ is “!uninstall” | |
| =-= | Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM | |
| <Marvin_> | .bot.remove | |
| <Marvin_> | .remove | |
| <Marvin_> | .uninstall | |
| <Marvin_> | !bot.remove | |
| <Marvin_> | !remove | |
Then you get disconnected after a timeout.
Here are screenshots for additional proof.
Other links and reports:
http://anthony.blogs.ablenet.org/
http://whitestar.linuxbox.org/botnets/2007-July/000922.html
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016
http://www.merit.edu/mail.archives/nanog/msg01610.html
http://www.wired.com/threatlevel/2007/07/isp-seen-breaki/
If you are interested in getting in touch with me, you can find me on IRC under Exstatica on EFnet or by email: exstatica@exstatica.net
Jun. 27, 2008 | General | No Comments
Psychic Crystal Ball
So going through my web traffic I noticed this gets hit all the time, so I figured I'd just post it up to explain it.
I didn't write it; I've just hosted it for a very long time. The guy who did, I think you can find by clicking on his name at the bottom.
It's a neat idea, and if you get really, really stumped, let me know and I'll give you the answer privately. Just contact me via email.
Jun. 27, 2008 | Geek, General, Misc | 5 Comments
The New blog
Alright, so I decided that I'd do this whole blog thing and not use aboutmylife. It's still in development, and my blog will probably eventually be moved back over there, but it still needs a lot of work to make it a competing product. So it will be back soon, I promise.
Besides that, I've been pretty busy with a ton of work, and it's been eating my life up.
Yes, I hate SalesLogix; I wish they could make a software package that doesn't crash.
Gonna go get some lunch now; I'll finish customizing this a lot later.