Mike Raiford wrote:
> What happens is this: You click on a website (in my wife's case, it was
> a result from a google search, in my case, a bookmark to Tor Olav's
> website) but instead of the site you were expecting you're redirected to
> some bogus website.
> My work computer appears clean, according to the eTrust scanner. Her
> computer appears clean according to Norton. I see no suspicious
> processes running on either computer, and all settings and relevant
> registry entries look fine. WTF is happening?
http://en.wikipedia.org/wiki/Dns_poisoning
http://en.wikipedia.org/wiki/Pharming
Certainly sounds like you're receiving bad DNS information from
somewhere or other. The question is where it's coming from.
It could be that your PC is compromised, your ISP's DNS servers are
compromised, your local router... hard to say for sure.
It's certainly not something I've ever seen myself...
http://www.ngssoftware.com/papers/ThePharmingGuide.pdf
Check it out. A 37-page document, and not *once* do they manage to
correctly use an apostrophy. Nice.
> http://www.ngssoftware.com/papers/ThePharmingGuide.pdf
>
> Check it out. A 37-page document, and not *once* do they manage to
> correctly use an apostrophy. Nice.
An online identity of a customer --> A customer's online identity
Online identities of customers --> Customers' online identities
scott wrote:
>> http://www.ngssoftware.com/papers/ThePharmingGuide.pdf
>>
>> Check it out. A 37-page document, and not *once* do they manage to
>> correctly use an apostrophy. Nice.
>
> An online identity of a customer --> A customer's online identity
> Online identities of customers --> Customers' online identities
These guys seem to take the route of simply not using apostrophes *at
all*, which is arguably more annoying than using them wrong...
On 09/22/09 08:49, Invisible wrote:
> http://www.ngssoftware.com/papers/ThePharmingGuide.pdf
>
> Check it out. A 37-page document, and not *once* do they manage to
> correctly use an apostrophy. Nice.
Apostrophe.
--
I'm not afraid of heights... I'm afraid of depths.
Mike Raiford wrote:
> I'm wondering if it's at all possible to slip a poisoned entry into an
> ISP's cache.
It used to be trivially easy. DNS works over UDP, so a DNS server would
send out a request for an address, and when the next server replied, it
would go into the cache - no need to track requests vs replies. "Poisoning"
just consisted of sending replies with bogus answers to servers that hadn't
asked for them.
I don't know how they eliminated that problem.
--
Darren New, San Diego CA, USA (PST)
I ordered stamps from Zazzle that read "Place Stamp Here".
Darren New wrote:
> It used to be trivially easy. DNS works over UDP, so a DNS server would
> send out a request for an address, and when the next server replied, it
> would go into the cache - no need to track requests vs replies.
> "Poisoning" just consisted of sending replies with bogus answers to
> servers that hadn't asked for them.
>
> I don't know how they eliminated that problem.
Each DNS request apparently has a unique ID. The server is supposed to
disregard any replies containing IDs that do not match any pending requests.
The server is also supposed to disregard any entries in the reply packet
which are not relevant to the query it actually issued. (E.g., look up
hackersoftheworld.com and have your DNS server send back
hackersoftheworld.com = XXX, amazon.com = YYY. The server is supposed to
disregard the second item, since it's unrelated to the actual query.)
Now, whether this is what happens in the field, IDK...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
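The two rules Orchid lists (match the reply's transaction ID to a pending request, and ignore answer records unrelated to the question) and the older behaviour Darren describes (cache whatever reply arrives) can be modelled in a few lines. The following is an added example written for this thread, not code from any poster or from a real resolver; the names, addresses, and the simplified "relevant to the query" rule are assumptions.

```python
# Added example (not code from the thread): a toy caching resolver that
# applies the two acceptance rules Orchid describes, and can be switched to
# the older behaviour Darren describes, where any reply was cached.
# Names, addresses and the relevance rule are simplified assumptions.
import secrets
from dataclasses import dataclass, field


@dataclass
class Reply:
    txid: int                 # 16-bit transaction ID echoed from the query
    qname: str                # question section echoed from the query
    answers: dict             # name -> IPv4 address as text (constructed)


def relevant_to(name: str, qname: str) -> bool:
    """Simplified bailiwick check: a record is accepted only if it names the
    queried name itself or something beneath it. 'amazon.com' is never
    relevant to a query for 'hackersoftheworld.com'."""
    name, qname = name.lower().rstrip("."), qname.lower().rstrip(".")
    return name == qname or name.endswith("." + qname)


@dataclass
class Resolver:
    legacy: bool = False                          # True: trust every reply (old hole)
    pending: dict = field(default_factory=dict)   # txid -> qname awaiting an answer
    cache: dict = field(default_factory=dict)     # name -> address

    def send_query(self, qname: str) -> int:
        """Record an outstanding query and return its random transaction ID."""
        txid = secrets.randbelow(1 << 16)
        while txid in self.pending:               # never reuse an ID still in flight
            txid = secrets.randbelow(1 << 16)
        self.pending[txid] = qname
        return txid

    def receive_reply(self, reply: Reply) -> list:
        """Cache what the reply is allowed to teach us; return the accepted names."""
        if self.legacy:
            # Old behaviour: no matching of replies to requests at all, so an
            # unsolicited reply lands in the cache.
            self.cache.update(reply.answers)
            return sorted(reply.answers)
        qname = self.pending.get(reply.txid)
        if qname is None or qname.lower() != reply.qname.lower():
            return []                             # unsolicited or mismatched: dropped
        accepted = []
        for name, addr in reply.answers.items():
            if relevant_to(name, qname):          # drop the 'amazon.com = YYY' extra
                self.cache[name] = addr
                accepted.append(name)
        del self.pending[reply.txid]
        return accepted


if __name__ == "__main__":
    r = Resolver()
    t = r.send_query("hackersoftheworld.com")
    r.receive_reply(Reply(t, "hackersoftheworld.com",
                          {"hackersoftheworld.com": "192.0.2.1", "amazon.com": "192.0.2.2"}))
    print(r.cache)   # only hackersoftheworld.com is cached
```

Usage: create a `Resolver`, call `send_query` to get the transaction ID a genuine answer would carry, then feed `Reply` objects to `receive_reply` and inspect `cache`. Constructing the resolver with `legacy=True` shows why the UDP-era behaviour was a problem: a reply nobody asked for is cached as-is.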
Orchid XP v8 wrote:
> Now, whether this is what happens in the field, IDK...
I think it started happening shortly after hackers started poisoning domain
caches. :-) Otherwise, it just slows you down.
--
Darren New, San Diego CA, USA (PST)
I ordered stamps from Zazzle that read "Place Stamp Here".
Mike Raiford wrote:
> What happens is this: You click on a website (in my wife's case, it was
> a result from a google search, in my case, a bookmark to Tor Olav's
> website) but instead of the site you were expecting you're redirected to
> some bogus virus scanner website, which then tells you you have hundreds
> of infected files and to download their "virus scanner", which is
> actually a trojan horse, that loads up your computer with all sorts of
> malware, then demands you pay for the program to clean your infected
> computer.
I have seen this behavior with viruses, the annoying Vundo strain in
particular. It leaves the DNS entries alone, but installs several
proxies and tries to redirect all traffic through those. DNS appears to
work fine, as I threw a second computer into the network with a packet
sniffer. But when you request a page, that traffic gets sent to the
proxy, which then adds in the pop-up windows and who knows what else.
My best advice to see what is happening is a packet sniffer on a second
computer. If it is a virus, the computer will send a DNS request, get
back an address for the website, and then send packets to the proxy at a
third address. If the packets go to a DNS server that is not the one you
think it should be, also a virus. If neither of those, then you can sort
out which DNS is junk; on the computer, the router, the ISP, or worse.
If both the PCs with the problem are running Windows, I would be looking
at something like the Opachki virus, not DNS poisoning. Specifically
because your computer has not experienced it, if it is on the same
network as your wife's.
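Sabrina's three-way test (DNS going to an unexpected server, web traffic going to an address no DNS answer returned, or neither, in which case the DNS data itself is the problem) can be run over a flow summary exported from the sniffer on the second machine. The script below is an added example for this thread, not anything a poster wrote; the resolver address, the host address, the reference answers and every flow record are constructed, and the flow-record shape is an assumption standing in for whatever your capture tool exports.

```python
# Added example (not code from the thread): triage of a flow summary taken
# by a sniffer on a second machine, following Sabrina Kilian's three checks.
# The resolver address, host address, reference answers and all flow
# records are constructed sample data.
EXPECTED_RESOLVERS = {"192.0.2.53"}   # assumption: the resolver the router hands out

# Flow records: (kind, src, dst, dport, detail)
#   dns_query  -> detail is the queried name
#   dns_answer -> detail is (queried name, set of addresses returned)
#   tcp        -> detail is unused
PROXY_CAPTURE = [   # local proxy: DNS answers look fine, web traffic goes to a third address
    ("dns_query",  "10.0.0.5",   "192.0.2.53",  53, "www.example.com"),
    ("dns_answer", "192.0.2.53", "10.0.0.5",    53, ("www.example.com", {"198.51.100.10"})),
    ("tcp",        "10.0.0.5",   "203.0.113.7", 80, None),
]
ROGUE_RESOLVER_CAPTURE = [   # the host asks a resolver nobody configured
    ("dns_query",  "10.0.0.5",    "203.0.113.9",  53, "www.example.com"),
    ("dns_answer", "203.0.113.9", "10.0.0.5",     53, ("www.example.com", {"203.0.113.10"})),
    ("tcp",        "10.0.0.5",    "203.0.113.10", 80, None),
]
BAD_DATA_CAPTURE = [   # the host behaves, but the configured resolver hands back a wrong address
    ("dns_query",  "10.0.0.5",   "192.0.2.53",   53, "www.example.com"),
    ("dns_answer", "192.0.2.53", "10.0.0.5",     53, ("www.example.com", {"203.0.113.10"})),
    ("tcp",        "10.0.0.5",   "203.0.113.10", 80, None),
]
# Reference answers obtained out of band (assumption: from a resolver you trust).
REFERENCE = {"www.example.com": {"198.51.100.10"}}


def triage(records, host, resolvers=EXPECTED_RESOLVERS, reference=REFERENCE):
    """Return (code, detail) findings for traffic originating from `host`."""
    findings = []
    resolved = set()                       # every address some DNS answer gave the host
    for kind, src, dst, dport, detail in records:
        if kind == "dns_query" and src == host and dst not in resolvers:
            # Check 1: DNS request leaving for a server you did not configure.
            findings.append(("ROGUE_RESOLVER", f"{detail} asked of {dst}"))
        elif kind == "dns_answer" and dst == host:
            qname, addrs = detail
            resolved |= addrs
            known = reference.get(qname)
            if known is not None and not (addrs & known):
                # Check 3: the answer itself disagrees with a trusted source,
                # so the junk is in the resolver chain (PC, router, ISP, or worse).
                findings.append(("DNS_MISMATCH",
                                 f"{qname} -> {sorted(addrs)}, expected {sorted(known)}"))
        elif kind == "tcp" and src == host and dport in (80, 443) and dst not in resolved:
            # Check 2: web traffic to an address no DNS answer ever returned,
            # the signature of a local proxy or redirect.
            findings.append(("THIRD_ADDRESS",
                             f"web traffic to {dst}:{dport} never returned by DNS"))
    return findings


def codes(records, host="10.0.0.5"):
    """Just the finding codes, in capture order."""
    return [code for code, _ in triage(records, host)]


if __name__ == "__main__":
    for label, cap in (("proxy", PROXY_CAPTURE), ("rogue resolver", ROGUE_RESOLVER_CAPTURE),
                       ("bad DNS data", BAD_DATA_CAPTURE)):
        print(label, triage(cap, "10.0.0.5"))
```

Usage: replace the constructed captures with your own records, set `EXPECTED_RESOLVERS` to the address your router or ISP actually hands out, and fill `REFERENCE` from a lookup made on a machine and resolver you trust. A `THIRD_ADDRESS` or `ROGUE_RESOLVER` finding points at the host itself; a lone `DNS_MISMATCH` means the machine did everything right and the answer it was given is the problem.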
Sabrina Kilian wrote:
> I have seen this behavior with viruses, the annoying Vundo strain in
> particular. It leaves the DNS entries alone, but installs several
> proxies and tries to redirect all traffic through those. DNS appears to
> work fine, as I threw a second computer into the network with a packet
> sniffer. But when you request a page, that traffic gets sent to the
> proxy, which then adds in the pop-up windows and who knows what else.
>
> My best advice to see what is happening is a packet sniffer on a second
> computer. If it is a virus, the computer will send a DNS request, get
> back an address for the website, and then send packets to the proxy at a
> third address. If the packets go to a DNS server that is not the one you
> think it should be, also a virus. If neither of those, then you can sort
> out which DNS is junk; on the computer, the router, the ISP, or worse.
>
> If both the PCs with the problem are running Windows, I would be looking
> at something like the Opachki virus, not DNS poisoning. Specifically
> because your computer has not experienced it, if it is on the same
> network as your wife's.
Neither of those... Virus scanners & Adaware on both computers come up
empty ... Hmmm.
--
~Mike