[Novalug] could this also relate to the dns hijacked problem I had this weekend? Re: Mailing list IP address blacklisted

Don E. Groves, Jr. dgrovesjr@gmail.com
Thu Jul 10 16:12:45 EDT 2014


Well I like to live a little dangerously, so I went to a "Who is addy" on
the internet and tried the first IP:
http://www.networksolutions.com/whois/results.jsp?ip=104.131.237.53

And they replied with:

WHOIS Results
You Searched for: 104.131.237.53
104.131.237.53
Record Type: IP Address

NetRange:       104.131.0.0 - 104.131.255.255
CIDR:           104.131.0.0/16
OriginAS:       AS393406, AS14061, AS62567, AS46652
NetName:        DIGITALOCEAN-9
NetHandle:      NET-104-131-0-0-1
Parent:         NET-104-0-0-0-0
NetType:        Direct Allocation
RegDate:        2014-06-02
Updated:        2014-06-02
Ref:            http://whois.arin.net/rest/net/NET-104-131-0-0-1

OrgName:        Digital Ocean, Inc.
OrgId:          DO-13
Address:        270 Lafayette St
Address:        Suite 1105
City:           New York
StateProv:      NY
PostalCode:     10012
Country:        US
RegDate:        2012-05-14
Updated:        2013-12-12
Ref:            http://whois.arin.net/rest/org/DO-13

OrgAbuseHandle: URETS-ARIN
OrgAbuseName:   Uretsky, Ben
OrgAbusePhone:  +1-646-397-8051
OrgAbuseEmail:  abuse@digitalocean.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/URETS-ARIN

OrgTechHandle: URETS-ARIN
OrgTechName:   Uretsky, Ben
OrgTechPhone:  +1-646-397-8051
OrgTechEmail:  abuse@digitalocean.com
OrgTechRef:    http://whois.arin.net/rest/poc/URETS-ARIN

The scary part is "OrgName:        Digital Ocean, Inc."
Isn't that a "hosting provider"?

When I did 162.243.157.142 I got almost the same thing.

Also went to another whois site
<http://whois.arin.net/rest/net/NET-162-243-0-0-1/pft> and got the same
basic results.



On Thu, Jul 10, 2014 at 10:31 AM, Beartooth <beartooth@beartooth.info>
wrote:

> On Wed, 9 Jul 2014, Bonnie Dalzell wrote:
>
> > apparently in the last month a malware has emerged which
> > hijacks older routers and inserts hijacked dns servers as
> > the dns ip.
> >
> > I just finished speaking with our ISP (qis.net) and they told
> > me this happened to our older router. so now they changed some
> > setting so that no external agent can reset the dns server ip.
> > only us locally logging in and qis.net remotely logging in.
>
>         So does this mean the rest of us need to tweak our
> routers, or try to talk to our ISPs? Does the malware have a
> name?
>
> > The hacked/hijacked IP addresses were:
> >
> > Primary DNS Server:   104.131.237.53
> > Secondary DNS Server:         162.243.157.142
> >
> > while they should have been qis' dns ip:
> >
> > Primary DNS Server:   209.150.96.20
> > Secondary DNS Server:         209.150.96.21
> >
> > which is what they are now.
>
>         Somehow I just don't quite think I ought to go try whois
> on those first two. Anybody know what they are/were? Who the
> malfeasor was??
>
> --
> Beartooth Curmudgeon, Sciuricidal Staffwright
> No teratobibliotic entity dare avow MY emanations.
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug
>



--
Don E. Groves, Jr.

Tag it's your turn now... ... ....
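As an added example (not part of this thread or anyone's post in it), here is a small Python check a defender could run on a host behind a home router: it parses the resolver entries DHCP handed out, compares them with the ISP resolvers Bonnie listed, and flags any that fall inside the hosting-provider netblock the WHOIS lookup above returned. The 104.131.0.0/16 block is the CIDR from that WHOIS result; 162.243.0.0/16 is an assumption inferred from the NET-162-243-0-0-1 handle linked in the post, and the resolv.conf content is a constructed sample.

```python
import ipaddress

# Resolvers the ISP (qis.net) should have set, as stated in the quoted post.
EXPECTED_RESOLVERS = {"209.150.96.20", "209.150.96.21"}

# Netblocks belonging to a hosting provider rather than the ISP.
# 104.131.0.0/16 is the CIDR from the WHOIS result in the post;
# 162.243.0.0/16 is an assumption inferred from the NET-162-243-0-0-1 handle.
HOSTING_NETBLOCKS = [
    ipaddress.ip_network("104.131.0.0/16"),
    ipaddress.ip_network("162.243.0.0/16"),
]

# Constructed sample: what /etc/resolv.conf looks like on a host behind a
# router whose DNS settings were replaced with the two addresses from the post.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the home router (constructed sample)
search home.lan
nameserver 104.131.237.53
nameserver 162.243.157.142
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses found in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(servers, expected=EXPECTED_RESOLVERS, blocks=HOSTING_NETBLOCKS):
    """Classify each resolver as 'expected', 'hosting-netblock' or 'unexpected'."""
    verdicts = {}
    for server in servers:
        addr = ipaddress.ip_address(server)
        if server in expected:
            verdicts[server] = "expected"
        elif any(addr in block for block in blocks):
            verdicts[server] = "hosting-netblock"
        else:
            verdicts[server] = "unexpected"
    return verdicts


def is_hijacked(verdicts):
    """True when any configured resolver is not one of the ISP's own."""
    return any(v != "expected" for v in verdicts.values())


if __name__ == "__main__":
    result = audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    for server, verdict in result.items():
        print(f"{server:18} {verdict}")
    print("DNS settings look hijacked" if is_hijacked(result) else "DNS settings match ISP")
```

On a real host, replace SAMPLE_RESOLV_CONF with the contents of /etc/resolv.conf or the DNS fields from the router's status page.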