<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]



--On Wednesday, November 21, 2007 21:45:35 +1100 XSS Worm XSS Security Information Portal <cross-site-scripting-security@xxxxxxxxxxx> wrote:

In the case of Yahoo, security firm Finjan said hackers exploited an
unused IP address within Yahoo's hierarchy and used that as the domain
address behind a forged Google Analytics domain name. This fooled the
Finjan Web-filtering product into believing a person was going to a
highly trusted Yahoo domain. The victims, customers of Finjan, never knew
they were on a malicious Web site, and neither did the security
mechanisms on the network. (In this case, Finjan's Web-filtering
product.)

"They managed to resolve the domain name to an IP address owned by Yahoo.
How they added an address into a DNS server to appear to be an IP address
owned by Yahoo is unknown ," Yuval Ben-Itzhak, CTO of Finjan, told
InternetNews.com. He added that Yahoo, while responsive and quick to shut
down the compromised address, did not disclose exactly what equipment was
behind the compromised IP address.

If Yahoo was able to fix the problem quickly, then it would appear that Yahoo had a compromised domain server or servers.

--
Paul Schmehl (pauls@xxxxxxxxxxxx)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/