OT a DNS/phishing puzzle

TIV gtivey at sbcglobal.net
Thu Feb 24 21:14:24 PST 2005


walt wrote:

I'm only posting this here because this audience is the most
sophisticated group I know, and this incident worries me a lot.
I'm accustomed to phishing emails by now, but this particular
one made me nervous, because I don't understand how DNS works.
The phishing email wanted me to click on this URL:
http://logon.personal.wamu2u.com:880/login/index.php
Okay, so I do a 'whois wamu2u.com' and get this response:
Domain Name : wamu2u.com
::Registrant::
       Name      : Constance Edwards
       Email     : edwards at xxxxxxxxxxx
       Address   : 1094 SE St Patricks Court, Port Orchard, WA
       Zipcode   : 98367
       Nation    : US
Okay, this much seems very reassuring.

The part that worries me is when I do an nslookup on the URL
(logon.personal.wamu2u.com) I get an IP address in China.
Anyone here understand DNS stuff well enough to explain how
this happens?
Can anyone else reproduce the results I've listed above?


Hi there ---

   By all usual means, it appears that the IP assigned to the host you're being
directed to is in China and belongs to cnmobile.net. Whois records are obviously
questionable in this case.

Traceroute: (check the latency!)

. ...15  dtag-asn3320.eqabva.sbcglobal.net (151.164.248.34)  73.912 ms  34.289 ms  34.982ms
16  217.239.40.129 (217.239.40.129)  236.619 ms  237.468 ms  237.433 ms
17  62.159.199.166 (62.159.199.166)  672.746 ms *  657.978 ms
18  218.200.252.129 (218.200.252.129)  654.917 ms  642.678 ms  646.222 ms
19  218.200.252.73 (218.200.252.73)  676.671 ms  628.625 ms  632.641 ms
20  218.200.251.41 (218.200.251.41)  585.209 ms  580.126 ms  585.92 ms
21  218.200.251.110 (218.200.251.110)  626.871 ms  633.593 ms  643.297 ms
22  218.200.254.194 (218.200.254.194)  628.554 ms  649.90 ms  639.832 ms
23  211.138.46.2 (211.138.46.2)  626.844 ms  649.187 ms  658.232 ms
24  211.138.46.50 (211.138.46.50)  661.846 ms  652.726 ms  637.384 ms
25  218.202.196.246 (218.202.196.246)  633.740 ms  625.474 ms  638.583 ms
26  218.202.196.149 (218.202.196.149)  648.28 ms *  628.769 ms

targa# dig -x 218.202.254.194

; <<>> DiG 9.2.4rc4 <<>> -x 218.202.254.194
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7249
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;194.254.202.218.in-addr.arpa.  IN      PTR
;; AUTHORITY SECTION:
202.218.in-addr.arpa.   3600    IN      SOA     ns.cnmobile.net. root.ns.cnmobile.net. 2004041401 3600 1800 604800 3600

;; Query time: 695 msec
;; SERVER: xx.x.xx.x#53(xx.x.xx.x)
;; WHEN: Fri Feb 25 04:41:37 2005
;; MSG SIZE  rcvd: 102
targa# host logon.personal.wamu2u.com
logon.personal.wamu2u.com has address 218.202.196.149
targa# host 218.202.196.149
Host 149.196.202.218.in-addr.arpa not found: 3(NXDOMAIN)
Definite HiJinx going on here ... possible namecache poisoning? no reverse lookup?
Your Whois --- ISN'T

targa# whois 218.202.254.194

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU
ReferralServer: whois://whois.apnic.net

NetRange:   218.0.0.0 - 218.255.255.255
CIDR:       218.0.0.0/8
NetName:    APNIC4
NetHandle:  NET-218-0-0-0-1
Parent:
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate:    2000-12-07
Updated:    2004-03-30
OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:  search-apnic-not-arin at xxxxxxxxx
# ARIN WHOIS database, last updated 2005-02-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
inetnum:      218.200.0.0 - 218.207.255.255
netname:      CMNET
descr:        China Mobile Communications Corporation
descr:        Mobile Communications Network Operator in China
descr:        Internet Service Provider in China
country:      CN
admin-c:      JS686-AP
tech-c:       CW265-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CN-CMCC
remarks:      ------------------------------
remarks:      Please send abuse e-mail to
remarks:      abuse at xxxxxxxxxxxxxxx
remarks:      Please send probe e-mail to
remarks:      security at xxxxxxxxxxxxxxx
remarks:      -------------------------------
changed:      hostmaster at xxxxxxxxx 20011106
changed:      hm-changed at xxxxxxxxx 20030923
status:       ALLOCATED PORTABLE
source:       APNIC
person:       Jinxia Sun
address:      China Mobile Communications Corporation
address:      29, Jinrong Ave., Xicheng District, Beijing, 100032
country:      CN
phone:        +86-10-66006688-1755
fax-no:       +86-10-66006012
e-mail:       sunjinxia at xxxxxxxxxxxxxxx
nic-hdl:      JS686-AP
remarks:      ------------------------------
remarks:      Please send abuse e-mail to
remarks:      abuse at xxxxxxxxxxxxxxx
remarks:      Please send probe e-mail to
remarks:      security at xxxxxxxxxxxxxxx
remarks:      -------------------------------
mnt-by:       MAINT-CN-CMCC
changed:      hostmaster at xxxxxxxxxxxxxxx 20030130
source:       APNIC
person:       chenguang wei
nic-hdl:      CW265-AP
e-mail:       weichenguang at xxxxxxxxxxxxxxx
address:      29,Jinrong Ave., Xicheng  District, Beijing,
address:      100032 China
phone:        +86 10 66006688-1306
fax-no:       +86 10 66006187
country:      CN
remarks:      ------------------------------
remarks:      Please send abuse e-mail to
remarks:      abuse at xxxxxxxxxxxxxxx
remarks:      Please send probe e-mail to
remarks:      security at xxxxxxxxxxxxxxx
remarks:      -------------------------------
changed:      hostmaster at xxxxxxxxxxxxxxx 20030122
mnt-by:       MAINT-CN-CMCC
source:       APNIC
Probably more than you wanted to know --- but it doesn't hurt to be careful ;-).

Best regards,
Tiv
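
A note on the DNS mechanics behind the thread, with an added example (editor's code, not from either poster): the registrant of wamu2u.com controls the forward zone and can point any hostname in it at any IP address, while the reverse (in-addr.arpa) zone for that address is delegated to whoever holds the address block, which is why the whois for the domain and the whois for the IP tell two unrelated stories. The script below does the triage Tiv did by hand, offline: it builds the in-addr.arpa name for the forward answer, parses a `dig -x` transcript for the status and the SOA of the reverse zone, parses a traceroute for hops where the round-trip time jumps, and summarises the findings. The `dig` and traceroute transcripts embedded in it are constructed samples modelled on the ones in the thread (the `dig -x` is for the address the forward lookup returned, and the traceroute is trimmed to four hops); the function names are the author's own.

```python
"""Offline triage of forward/reverse DNS and traceroute evidence for a phishing host."""
import re
from ipaddress import ip_address
from statistics import median

# Constructed sample transcripts (modelled on the thread, not copied from it).
SAMPLE_DIG_X = """\
; <<>> DiG 9.2.4rc4 <<>> -x 218.202.196.149
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7249
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;149.196.202.218.in-addr.arpa.  IN      PTR
;; AUTHORITY SECTION:
202.218.in-addr.arpa.   3600    IN      SOA     ns.cnmobile.net. root.ns.cnmobile.net. 2004041401 3600 1800 604800 3600
;; Query time: 695 msec
"""

SAMPLE_TRACEROUTE = """\
15  dtag-asn3320.eqabva.sbcglobal.net (151.164.248.34)  73.912 ms  34.289 ms  34.982 ms
16  217.239.40.129 (217.239.40.129)  236.619 ms  237.468 ms  237.433 ms
17  62.159.199.166 (62.159.199.166)  672.746 ms *  657.978 ms
18  218.200.252.129 (218.200.252.129)  654.917 ms  642.678 ms  646.222 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+(.*)$", re.M)


def reverse_name(ip):
    """The name `dig -x` actually queries: octets reversed under in-addr.arpa (ip6.arpa for IPv6)."""
    return ip_address(ip).reverse_pointer


def parse_dig(text):
    """Pull status, answer count, question name, reverse-zone SOA and query time out of a dig transcript."""
    info = {"status": "UNKNOWN", "answers": 0, "question": None,
            "soa_zone": None, "soa_mname": None, "query_time_ms": None}
    m = re.search(r"status:\s*(\w+)", text)
    if m:
        info["status"] = m.group(1)
    m = re.search(r"ANSWER:\s*(\d+)", text)
    if m:
        info["answers"] = int(m.group(1))
    # Question lines start with a single ';' (comment lines start with ';;').
    m = re.search(r"^;([^;\s]+)\s+IN\s+PTR", text, re.M)
    if m:
        info["question"] = m.group(1).rstrip(".")
    # On NXDOMAIN the AUTHORITY section names the zone and primary server that refused us.
    m = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)", text, re.M)
    if m:
        info["soa_zone"], info["soa_mname"] = m.group(1), m.group(2)
    m = re.search(r"Query time:\s*(\d+)\s*msec", text)
    if m:
        info["query_time_ms"] = int(m.group(1))
    return info


def parse_traceroute(text):
    """One dict per hop; '*' (lost probe) entries are simply skipped in the RTT list."""
    hops = []
    for m in HOP_RE.finditer(text):
        rtts = [float(x) for x in re.findall(r"([\d.]+)\s*ms", m.group(4))]
        hops.append({"hop": int(m.group(1)), "host": m.group(2),
                     "ip": m.group(3), "rtts": rtts})
    return hops


def latency_jumps(hops, factor=2.0):
    """Hop numbers whose median RTT is at least `factor` times the previous hop's (Tiv's 'check the latency')."""
    jumps, prev = [], None
    for hop in hops:
        if not hop["rtts"]:
            continue
        cur = median(hop["rtts"])
        if prev is not None and prev > 0 and cur >= factor * prev:
            jumps.append(hop["hop"])
        prev = cur
    return jumps


def triage(forward_ip, dig_text, traceroute_text):
    """Combine the three pieces of evidence into findings a reviewer can act on."""
    ptr = parse_dig(dig_text)
    hops = parse_traceroute(traceroute_text)
    expected = reverse_name(forward_ip)
    findings = {
        "reverse_name": expected,
        "ptr_query_matches": ptr["question"] == expected,
        "ptr_missing": ptr["status"] == "NXDOMAIN" or ptr["answers"] == 0,
        "reverse_zone_authority": ptr["soa_mname"],
        "latency_jump_hops": latency_jumps(hops),
        "last_hop_ip": hops[-1]["ip"] if hops else None,
    }
    flags = []
    if findings["ptr_missing"]:
        flags.append("no PTR record for the forward answer; reverse zone run by %s"
                     % findings["reverse_zone_authority"])
    if findings["latency_jump_hops"]:
        flags.append("round-trip time jumps at hops %s" % findings["latency_jump_hops"])
    findings["flags"] = flags
    return findings


if __name__ == "__main__":
    for key, value in triage("218.202.196.149", SAMPLE_DIG_X, SAMPLE_TRACEROUTE).items():
        print("%-24s %s" % (key, value))
```

The point of `ptr_query_matches` is to catch the slip visible in the thread, where the reverse lookup was run against a different address than the one the forward lookup returned: the script compares the question name in the `dig` transcript with the reverse name it computes from the forward answer, so the two pieces of evidence are only combined when they concern the same host.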
