Friday, June 27th, 2008


Documentation of Hijacking of IRC Servers by Timewarner/AOL/Cox

UPDATE: This is an old post, but I noticed that ns1.lv.cox.net is still hijacking irc.mzima.net, so I figured an update was in order. It doesn't look like the IRC server is responding, but it could be locked down to Cox IPs only.

Problem: It looks like various US cable companies are hijacking the DNS of well-known IRC servers, redirecting clients to their own IRC server in order to clean out one type of drone. I believe this type of drone is the sd-bot and its variants.

In case you didn't click the drone link above, or want a better definition of what we consider drones: drones in the IRC world are machines that have been hacked and are used for flooding a user or channel, or for causing a Denial of Service or Distributed Denial of Service against various targets across the internet.

Evidence:

Using the following DNS servers:
ns1.lv.cox.net
ns1.sd.cox.net
ns1.dc.cox.net
(there are many, many more DNS servers, but this is just a handful)

and checking irc.vel.net, irc.mzima.net, and irc.dks.ca (there are others, but this is broad enough), you can see what the record shows:

bash2-2.05b$ dig @ns1.dc.cox.net irc.mzima.net

; <<>> DiG 9.3.3 <<>> @ns1.dc.cox.net irc.mzima.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2862
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;irc.mzima.net. IN A

;; ANSWER SECTION:
irc.mzima.net. 300 IN A 70.168.70.174

;; AUTHORITY SECTION:
irc.mzima.net. 300 IN NS irc.mzima.net.

;; Query time: 70 msec
;; SERVER: 68.100.16.30#53(68.100.16.30)
;; WHEN: Mon Jul 23 13:47:47 2007
;; MSG SIZE rcvd: 61

bash2-2.05b$

Now for the real record:

bash2-2.05b$ dig @4.2.2.2 irc.mzima.net

; <<>> DiG 9.3.3 <<>> @4.2.2.2 irc.mzima.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53632
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;irc.mzima.net. IN A

;; ANSWER SECTION:
irc.mzima.net. 43200 IN A 216.193.223.223

;; Query time: 5 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Mon Jul 23 13:48:22 2007
;; MSG SIZE rcvd: 47

bash2-2.05b$

You can see Cox has its own IP in the record.

Cox also changes the SOA and serial: irc.mzima.net. root.irc.mzima.net. 2005072868 3600 900 86400 3600

Real SOA and serial: ns1.lax01.mzima.net. dnsadmin.mzimanetworks.com. 2007083007 7200 3600 1209600 86400

So what happens when you connect to the Cox IP address?
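As an added example (not the author's code), a small Python checker that applies the post's comparison to dig output: it parses the answer an ISP resolver gives and the answer a reference resolver gives and reports the divergences the post points to (different A record, aa flag on a recursive answer, NS pointing at the host itself, a different SOA serial). The dig excerpts embedded below are constructed from the values quoted above, and the record names in the SOA lines are an assumption.

```python
import re

# Constructed dig excerpts modelled on the post's captures, trimmed to the
# lines the checks need; the SOA lines carry the serials quoted in the post.
ISP_DIG = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
irc.mzima.net. 300 IN A 70.168.70.174
;; AUTHORITY SECTION:
irc.mzima.net. 300 IN NS irc.mzima.net.
irc.mzima.net. 3600 IN SOA irc.mzima.net. root.irc.mzima.net. 2005072868 3600 900 86400 3600
"""
REF_DIG = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
irc.mzima.net. 43200 IN A 216.193.223.223
irc.mzima.net. 86400 IN SOA ns1.lax01.mzima.net. dnsadmin.mzimanetworks.com. 2007083007 7200 3600 1209600 86400
"""

# One resource record per line: NAME TTL IN TYPE RDATA
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$", re.M)

def parse_dig(text):
    """Return (header flags, {rtype: set(rdata)}) from dig's text output."""
    m = re.search(r"^;; flags: ([^;]+);", text, re.M)
    flags = set(m.group(1).split()) if m else set()
    records = {}
    for _name, _ttl, rtype, rdata in RR.findall(text):
        records.setdefault(rtype, set()).add(rdata.strip())
    return flags, records

def hijack_indicators(name, isp_text, ref_text):
    """List the signs of a rewritten answer that the post points out."""
    isp_flags, isp = parse_dig(isp_text)
    _, ref = parse_dig(ref_text)
    findings = []
    if isp.get("A") and isp.get("A") != ref.get("A"):
        findings.append("A record differs from the reference resolver")
    if "aa" in isp_flags:  # a recursive resolver should not be authoritative here
        findings.append("recursive resolver answered with aa set")
    if name in isp.get("NS", set()):
        findings.append("NS record points at the hostname itself")
    isp_soa = next(iter(isp.get("SOA", ())), None)
    ref_soa = next(iter(ref.get("SOA", ())), None)
    if isp_soa and ref_soa and isp_soa.split()[2] != ref_soa.split()[2]:
        findings.append("SOA serial differs from the reference")
    return findings
```

Run `hijack_indicators("irc.mzima.net.", ISP_DIG, REF_DIG)` to get all four findings for the Cox answer; feeding the reference answer for both sides returns an empty list.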

[INFO] Network view for “70.168.71.144” opened.
[INFO] Attempting to connect to “70.168.71.144”. Use /cancel to abort.
[INFO] Connecting to irc://70.168.71.144/ (irc://70.168.71.144/)…
=== *** Looking up your hostname…
=== *** Checking Ident
=== *** No Ident response
=== Welcome to the Internet Relay Network Drew
=== Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
=== *** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
=== This server was created Thu Dec 6 2001 at 11:52:49 EST
=== localhost.localdomain 2.8/hybrid-6.2 oOiwszcrkfydnxb biklmnopstve
=== There are 2 users and 0 invisible on 1 servers
=== I have 2 clients and 0 servers
=== Current local users: 2 Max: 2
=== Current global users: 2 Max: 2
=== Highest connection count: 2 (2 clients) (2 since server was (re)started)
=== - localhost.localdomain Message of the Day -
=== - Where’s the kaboom? There was supposed to be an earth shattering kaboom.
[INFO] Channel view for “#martian_” opened.
–>| YOU (Drew) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is “.bot.remove”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “.remove”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “.uninstall”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “!bot.remove”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “!remove”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “!uninstall”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove

Then you get disconnected after a timeout.

Here are screenshots for additional proof.

[Screenshots: DNS screenshot; screenshot of IRC log]

Other links and reports:

http://anthony.blogs.ablenet.org/
http://whitestar.linuxbox.org/botnets/2007-July/000922.html
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016
http://www.merit.edu/mail.archives/nanog/msg01610.html
http://www.wired.com/threatlevel/2007/07/isp-seen-breaki/

If you are interested in getting in touch with me, you can find me on IRC under Exstatica on EFnet, or by email: exstatica@exstatica.net


Jun. 27, 2008 | General


© 2010 - Exstatica