Re: [Full-disclosure] Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]

[Paul Schmehl <pauls@xxxxxxxxxxxx>]

--On Wednesday, November 21, 2007 21:45:35 +1100 XSS Worm XSS Security 
Information Portal <cross-site-scripting-security@xxxxxxxxxxx> wrote:
> In the case of Yahoo, security firm Finjan said hackers exploited an
> unused IP address within Yahoo's hierarchy and used that as the domain
> address behind a forged Google Analytics domain name. This fooled the
> Finjan Web-filtering product into believing a person was going to a
> highly trusted Yahoo domain. The victims, customers of Finjan, never knew
> they were on a malicious Web site, and neither did the security
> mechanisms on the network. (In this case, Finjan's Web-filtering
> product.)
>
> "They managed to resolve the domain name to an IP address owned by Yahoo.
> How they added an address into a DNS server to appear to be an IP address
> owned by Yahoo is unknown ," Yuval Ben-Itzhak, CTO of Finjan, told
> InternetNews.com. He added that Yahoo, while responsive and quick to shut
> down the compromised address, did not disclose exactly what equipment was
> behind the compromised IP address.
If Yahoo was able to fix the problem quickly, then it would appear that 
Yahoo had a compromised domain server or servers.

--
Paul Schmehl (pauls@xxxxxxxxxxxx)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/