[Novalug] could this also relate to the dns hijacked problem I had this weekend? Re: Mailing list IP address blacklisted
Don E. Groves, Jr.
dgrovesjr@gmail.com
Thu Jul 10 16:12:45 EDT 2014
Well I like to live a little dangerously, so I went to a "Who is addy" on
the internet and tried the first IP:
http://www.networksolutions.com/whois/results.jsp?ip=104.131.237.53
And they replied with:
WHOIS Results
You Searched for: 104.131.237.53
104.131.237.53
Record Type: IP Address
NetRange: 104.131.0.0 - 104.131.255.255
CIDR: 104.131.0.0/16
OriginAS: AS393406, AS14061, AS62567, AS46652
NetName: DIGITALOCEAN-9
NetHandle: NET-104-131-0-0-1
Parent: NET-104-0-0-0-0
NetType: Direct Allocation
RegDate: 2014-06-02
Updated: 2014-06-02
Ref: http://whois.arin.net/rest/net/NET-104-131-0-0-1
OrgName: Digital Ocean, Inc.
OrgId: DO-13
Address: 270 Lafayette St
Address: Suite 1105
City: New York
StateProv: NY
PostalCode: 10012
Country: US
RegDate: 2012-05-14
Updated: 2013-12-12
Ref: http://whois.arin.net/rest/org/DO-13
OrgAbuseHandle: URETS-ARIN
OrgAbuseName: Uretsky, Ben
OrgAbusePhone: +1-646-397-8051
OrgAbuseEmail: abuse@digitalocean.com
OrgAbuseRef: http://whois.arin.net/rest/poc/URETS-ARIN
OrgTechHandle: URETS-ARIN
OrgTechName: Uretsky, Ben
OrgTechPhone: +1-646-397-8051
OrgTechEmail: abuse@digitalocean.com
OrgTechRef: http://whois.arin.net/rest/poc/URETS-ARIN
The scary part is "OrgName: Digital Ocean, Inc."
Isn't that a "hosting provider"?
When I did 162.243.157.142 I got almost the same thing.
Also went to another who is site
<http://whois.arin.net/rest/net/NET-162-243-0-0-1/pft> and got the same
basic results.
On Thu, Jul 10, 2014 at 10:31 AM, Beartooth <beartooth@beartooth.info>
wrote:
> On Wed, 9 Jul 2014, Bonnie Dalzell wrote:
>
> > apparently in the last month a malware has emerged which
> > hijacks older routers and inserts hijacked dns servers as
> > the dns ip.
> >
> > i just finished speaking with our isp (qis.net) and they told
> > me this happened to our older router. so now they changed some
> > setting so that no external agent can reset the dns server ip.
> > only us locally logging in and qis.net remotely logging in.
>
> So does this mean the rest of us need to tweak our
> routers, or try to talk to our ISPs? Does the malware have a
> name?
>
> > The hacked hijacked ip addresses were:
> >
> > Primary DNS Server: 104.131.237.53
> > Secondary DNS Server: 162.243.157.142
> >
> > while they should have been qis' dns ip:
> >
> > Primary DNS Server: 209.150.96.20
> > Secondary DNS Server: 209.150.96.21
> >
> > which is what they are now.
>
> Somehow I just don't quite think I ought to go try whois
> on those first two. Anybody know what they are/were? Who the
> malfeasor was??
>
> --
> Beartooth Curmudgeon, Sciuricidal Staffwright
> No teratobibliotic entity dare avow MY emanations.
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug
>
--
Don E. Groves, Jr.
Tag it's your turn now... ... ....
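A check along the lines of what Bonnie's ISP did and Don's whois lookup, as an added example that is not from the thread: it flags configured resolvers that are not the ISP's, and pulls the owning organisation and abuse contact out of a WHOIS record. The resolv.conf text and the WHOIS excerpt are constructed samples built from the values quoted above.

```python
import ipaddress
import re

# Resolvers the ISP (qis.net) should have pushed, per the thread.
EXPECTED_RESOLVERS = {"209.150.96.20", "209.150.96.21"}

# Constructed sample of resolv.conf as a hijacked router's DHCP would leave it.
SAMPLE_RESOLV_CONF = """\
nameserver 104.131.237.53
nameserver 162.243.157.142   # both rogue per the thread
options timeout:2
"""

# Constructed excerpt of the ARIN record quoted in the thread.
SAMPLE_WHOIS = """\
NetRange: 104.131.0.0 - 104.131.255.255
CIDR: 104.131.0.0/16
OrgName: Digital Ocean, Inc.
OrgAbuseEmail: abuse@digitalocean.com
"""

def parse_resolv_conf(text):
    """Return the nameserver IPs in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # skip malformed entries instead of crashing
    return servers

def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Configured resolvers not on the ISP allowlist: any hit means investigate."""
    return [s for s in servers if s not in expected]

def parse_whois(text):
    """Parse 'Key: Value' WHOIS lines into a dict (last occurrence wins)."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            record[m.group(1)] = m.group(2).strip()
    return record

if __name__ == "__main__":
    rogue = unexpected_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    who = parse_whois(SAMPLE_WHOIS)
    print("unexpected resolvers:", rogue, "| first is announced by", who["OrgName"])
```

On a real host, feed it the contents of /etc/resolv.conf or the DNS fields from the router's status page; any resolver outside the ISP allowlist is the signal the thread describes.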