DNS Exploit in the Wild

Page 3

StarsFan4Life (Golden Member, joined May 28, 2008)
Originally posted by: iamwiz82
Originally posted by: StarsFan4Life
Originally posted by: iamwiz82
Originally posted by: StarsFan4Life
We tested it here:

Your name server, at 64.129.67.XXX, appears to be safe, but make sure the ports listed below aren't following an obvious pattern

However, this IP is not the DNS server we use. Is this test even legit or correct?

It's testing whatever your DNS is set to, not necessarily the ISP.

Also, regarding your port pattern issue, I had to turn on the scrambling functionality on my Checkpoint box.

Well, our DNS is NOT set to the IP above, rather a completely different IP.

The IP above is the public IP that is probably NATed on your firewall. The firewall knows your DNS servers' IPs. Your firewall should also be scrambling the NATed ports.

So this test is legit and correct?
 

iamwiz82 (Lifer, joined Jan 10, 2001)
Originally posted by: StarsFan4Life
Originally posted by: iamwiz82
Originally posted by: StarsFan4Life
Originally posted by: iamwiz82
Originally posted by: StarsFan4Life
We tested it here:

Your name server, at 64.129.67.XXX, appears to be safe, but make sure the ports listed below aren't following an obvious pattern

However, this IP is not the DNS server we use. Is this test even legit or correct?

It's testing whatever your DNS is set to, not necessarily the ISP.

Also, regarding your port pattern issue, I had to turn on the scrambling functionality on my Checkpoint box.

Well, our DNS is NOT set to the IP above, rather a completely different IP.

The IP above is the public IP that is probably NATed on your firewall. The firewall knows your DNS servers' IPs. Your firewall should also be scrambling the NATed ports.

So this test is legit and correct?

Yes. What firewall are you running?
 

RESmonkey (Diamond Member, joined May 6, 2007)
Firefox warned me of a DNS name change in a website I was shopping at; said if I didn't trust it, I should hit CANCEL. I did.

^Is that related to any of this? BTW, this happened earlier today. Firefox figured that a redirection to another *similar site* might be unsafe.

 

StarsFan4Life (Golden Member, joined May 28, 2008)
Originally posted by: RESmonkey
Firefox warned me of a DNS name change in a website I was shopping at; said if I didn't trust it, I should hit CANCEL. I did.

^Is that related to any of this? BTW, this happened earlier today. Firefox figured that a redirection to another *similar site* might be unsafe.

What were the websites?
 

dmcowen674 (No Lifer, joined Oct 13, 1999)
www.alienbabeltech.com
This is what I got

================
Your name server, at xxx.xxx.xxx.xxx, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy.

The difference between largest port and smallest port was only 33.

Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.
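Added example, not from the thread or from the online tester it quotes: a small Python checker that applies the same heuristics the quoted output describes (spread between largest and smallest port, and an obvious pattern) to a sample of source ports observed leaving a resolver. The port lists and the 1024 spread threshold are constructed assumptions.

```python
"""Added example: score a sample of resolver source ports for predictability.
The constructed samples model a fixed port, a NAT/firewall squeezing ports into
a narrow range (the post reports a spread of only 33), and real randomization."""
from math import log2

# Constructed samples, not captured from any real resolver.
FIXED_PORT = [53] * 8
NAT_REWRITTEN = [1025, 1027, 1028, 1031, 1034, 1040, 1049, 1058]   # spread 33
STRIDED = [30000, 30500, 31000, 31500, 32000, 32500, 33000, 33500]  # constant +500
RANDOMIZED = [52311, 1432, 60012, 37205, 8871, 49900, 23456, 61999]
# Assumed threshold: below this spread we treat port selection as interfered with.
MIN_SPREAD = 1024

def port_spread(ports):
    """Difference between the largest and smallest observed source port."""
    return max(ports) - min(ports)

def constant_stride(ports):
    """True when every consecutive sample moves by the same non-zero amount."""
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return len(steps) == 1 and 0 not in steps

def effective_bits(ports):
    """Rough upper bound on port entropy implied by the spread: a fully random
    16-bit port gives close to 16 bits, a spread of 33 only about 5."""
    return log2(port_spread(ports) + 1)

def assess(ports, min_spread=MIN_SPREAD):
    """Classify a sample the way the quoted test output does."""
    if len(set(ports)) == 1:
        return "FIXED", "every query left from the same source port"
    spread = port_spread(ports)
    if spread < min_spread:
        return "NARROW", f"spread between largest and smallest port was only {spread}"
    if constant_stride(ports):
        return "PATTERN", "ports follow an obvious constant-stride pattern"
    return "RANDOM", f"spread {spread} over {len(ports)} samples, about {effective_bits(ports):.1f} bits"

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("nat", NAT_REWRITTEN),
                         ("strided", STRIDED), ("random", RANDOMIZED)]:
        verdict, reason = assess(sample)
        print(f"{name:8} {verdict:8} {reason}")
```

Feed it the source ports seen on the outside of the NAT, not the inside: the post's point is that a resolver can randomize correctly and still be undone by a firewall that rewrites the ports.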
 

spidey07 (No Lifer, joined Aug 4, 2000)
Originally posted by: RESmonkey
Firefox warned me of a DNS name change in a website I was shopping at; said if I didn't trust it, I should hit CANCEL. I did.

^Is that related to any of this? BTW, this happened earlier today. Firefox figured that a redirection to another *similar site* might be unsafe.

Yes, it's because of this. While your banking sites, paypal, etc are all fine because of SSL, I'd verify/view the certificate on any sites dealing with money/identity.
 

RESmonkey (Diamond Member, joined May 6, 2007)
1800 contacts; although my order did go through.

I just switched to OpenDNS. What does this do?
 

iamwiz82 (Lifer, joined Jan 10, 2001)
Originally posted by: RESmonkey
1800 contacts; although my order did go through.

I just switched to OpenDNS. What does this do?

OpenDNS has patched servers = protection.
 

randay (Lifer, joined May 30, 2006)
so how does one know that doxpara and other testers have not been redirected and giving false hope to teh interwebs users?!?
 

RESmonkey (Diamond Member, joined May 6, 2007)
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
So did they get my information, or did Firefox stop the redirection when I hit "cancel"?

They got it, you're screwed.

I'm sure you are just fine.

Should I cancel the CC? Or put some sort of hold/freeze on it?

 

randay (Lifer, joined May 30, 2006)
Originally posted by: RESmonkey
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
So did they get my information, or did Firefox stop the redirection when I hit "cancel"?

They got it, you're screwed.

I'm sure you are just fine.

Should I cancel the CC? Or put some sort of hold/freeze on it?

what kind of CC is it?
 

StarsFan4Life (Golden Member, joined May 28, 2008)
Originally posted by: RESmonkey
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
So did they get my information, or did Firefox stop the redirection when I hit "cancel"?

They got it, you're screwed.

I'm sure you are just fine.

Should I cancel the CC? Or put some sort of hold/freeze on it?

No way man. You aren't even sure if this is an exploit or just a random fault in Firefox.

Anyone else tried http://www.1800contacts.com/?
 

StarsFan4Life (Golden Member, joined May 28, 2008)
Originally posted by: OdiN
Originally posted by: StarsFan4Life
Originally posted by: Gooberlx2
Still vulnerable. I wonder if our IT dept even knows about this.

Was this referenced to me?

I sure hope you aren't part of any IT department.

Well I am and don't appreciate these comments. Just because I am part of an IT department, doesn't mean I know everything. I love to learn though.
 

RESmonkey (Diamond Member, joined May 6, 2007)
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
So did they get my information, or did Firefox stop the redirection when I hit "cancel"?

They got it, you're screwed.

I'm sure you are just fine.

Should I cancel the CC? Or put some sort of hold/freeze on it?

No way man. You aren't even sure if this is an exploit or just a random fault in Firefox.

Anyone else tried http://www.1800contacts.com/?

IF there were random uses of CC later on in the future, would one be able to dispute them?

I'm not too confident in thinking this was an FF error; the DNS error was clearly following the lines of this exploit. I've never had FF tell me anything like that.
 

StarsFan4Life (Golden Member, joined May 28, 2008)
Originally posted by: RESmonkey
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
So did they get my information, or did Firefox stop the redirection when I hit "cancel"?

They got it, you're screwed.

I'm sure you are just fine.

Should I cancel the CC? Or put some sort of hold/freeze on it?

No way man. You aren't even sure if this is an exploit or just a random fault in Firefox.

Anyone else tried http://www.1800contacts.com/?

IF there were random uses of CC later on in the future, would one be able to dispute them?

I'm not too confident in thinking this was an FF error; the DNS error was clearly following the lines of this exploit. I've never had FF tell me anything like that.

So how the heck are we going to know for sure? I mean, if the hacker just sets up a website JUST like 1800contacts.com is now, all they have to do is re-direct it and bam, they have your CC info. How can we KNOW for sure if this is happening?
 

Fern (Elite Member, joined Sep 30, 2003)
Network noob alert!

I've read every post and the links. But I'm still pretty clueless.

I ran the check and I'm not safe.

I know how to change the DNS numbers, but before I do I'd really like it if someone could tell me what that does.

I'm on a small office network (XP) with about 5 PCs hooked up. I don't think I can do anything with the router. My ISP is bellsouth (DSL).

Any info is appreciated.

T.I.A.

Fern

 

Modelworks (Lifer, joined Feb 22, 2007)
For the concerned, here is the big deal.
Someone could go to a site like paypal. Save the site, using just cut and paste and screenshots. Then they create a new site using those materials. Re-direct your dns server to their new site and prompt for your login information. You then enter your information, just like you normally would, and you will not know you were just screwed until it is too late.

For now I would double click the padlock that appears with banking, credit, shopping, etc sites and make sure it's a valid certificate. At least until everyone is sure all is okay. I would do that even if the test says the servers are okay, because there is a lot of conjecture going on right now about how to get around the latest patches.

Better safe than sorry and it only takes two secs.


This does not protect you on sites that do not use SSL for logins.
Sites like forums, online mail, etc or anything else that asks for info would still be vulnerable. But at least those will not cost you your money.
 

StarsFan4Life (Golden Member, joined May 28, 2008)
Originally posted by: Modelworks
For the concerned, here is the big deal.
Someone could go to a site like paypal. Save the site, using just cut and paste and screenshots. Then they create a new site using those materials. Re-direct your dns server to their new site and prompt for your login information. You then enter your information, just like you normally would, and you will not know you were just screwed until it is too late.

For now I would double click the padlock that appears with banking, credit, shopping, etc sites and make sure it's a valid certificate. At least until everyone is sure all is okay. I would do that even if the test says the servers are okay, because there is a lot of conjecture going on right now about how to get around the latest patches.

Better safe than sorry and it only takes two secs.

So, explain this again?
 

Modelworks (Lifer, joined Feb 22, 2007)
Originally posted by: StarsFan4Life
Originally posted by: Modelworks
For the concerned, here is the big deal.
Someone could go to a site like paypal. Save the site, using just cut and paste and screenshots. Then they create a new site using those materials. Re-direct your dns server to their new site and prompt for your login information. You then enter your information, just like you normally would, and you will not know you were just screwed until it is too late.

For now I would double click the padlock that appears with banking, credit, shopping, etc sites and make sure it's a valid certificate. At least until everyone is sure all is okay. I would do that even if the test says the servers are okay, because there is a lot of conjecture going on right now about how to get around the latest patches.

Better safe than sorry and it only takes two secs.

So, explain this again?

What do you not understand ?
 

spidey07 (No Lifer, joined Aug 4, 2000)
modelworks - not every site redirects the page where you put your username/password in to SSL/encryption. The legitimate site of course encrypts your username/pass and then you go onto the HTTPS page.

That's the real danger because the fake page could just be used to gather username/password, it wouldn't need to use SSL, just regular http.

Now most banking sites with the required new security will be fine because of the two factor authentication but not every site uses it.
 

RESmonkey (Diamond Member, joined May 6, 2007)
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
Originally posted by: StarsFan4Life
Originally posted by: RESmonkey
So did they get my information, or did Firefox stop the redirection when I hit "cancel"?

They got it, you're screwed.

I'm sure you are just fine.

Should I cancel the CC? Or put some sort of hold/freeze on it?

No way man. You aren't even sure if this is an exploit or just a random fault in Firefox.

Anyone else tried http://www.1800contacts.com/?

IF there were random uses of CC later on in the future, would one be able to dispute them?

I'm not too confident in thinking this was an FF error; the DNS error was clearly following the lines of this exploit. I've never had FF tell me anything like that.

So how the heck are we going to know for sure? I mean, if the hacker just sets up a website JUST like 1800contacts.com is now, all they have to do is re-direct it and bam, they have your CC info. How can we KNOW for sure if this is happening?

I know I went to the correct 1800contacts, and it was fine up until the point where you checkout. Once I hit SUBMIT, it went to the THANK YOU page, and then FF alerted me on the redirection to a site w/ a diff certificate/DNS something.

And what is this padlock Modelworks speaks of?
 