Tuesday, December 25, 2007

Christmas Gift

Merry Christmas to everyone!

Thanks to my friend KMChow, who accidentally found this interesting joke; I would like to share it with everyone here.

shell>whois microsoft.com

Server Name: MICROSOFT.COM.ZZZZZZ.MORE.DETAILS.AT.WWW.BEYONDWHOIS.COM
IP Address: 203.36.226.2
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net

Server Name: MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.194
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com

Server Name: MICROSOFT.COM.ZZZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
IP Address: 217.107.217.167
Registrar: ONLINENIC, INC.
Whois Server: whois.35.com
Referral URL: http://www.OnlineNIC.com

Server Name:
MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.SUB7.NET
IP Address: 207.44.240.96
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com

Server Name: MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM
IP Address: 185.3.4.7
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com

Server Name:
MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET
IP Address: 216.127.80.46
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net

Server Name:
MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET
IP Address: 216.127.80.46
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net

Server Name:
MICROSOFT.COM.WAREZ.AT.TOPLIST.GULLI.COM
IP Address: 80.190.192.33
Registrar: KEY-SYSTEMS GMBH
Whois Server: whois.rrpproxy.net
Referral URL: http://www.key-systems.net

Server Name:
MICROSOFT.COM.USERS.SHOULD.HOST.WITH.UNIX.AT.ITSHOSTED.COM
IP Address: 74.52.88.132
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com

Server Name:
MICROSOFT.COM.TOTALLY.SUCKS.S3U.NET
IP Address: 207.208.13.22
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com

Server Name:
MICROSOFT.COM.SOFTWARE.IS.NOT.USED.AT.REG.RU
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com

Server Name:
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
IP Address: 65.160.248.13
Registrar: GKG.NET, INC.
Whois Server: whois.gkg.net
Referral URL: http://www.gkg.net

Server Name:
MICROSOFT.COM.RAWKZ.MUH.WERLD.MENTALFLOSS.CA
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net

Server Name:
MICROSOFT.COM.OHMYGODITBURNS.COM
IP Address: 216.158.63.6
Registrar: DOTSTER, INC.
Whois Server: whois.dotster.com
Referral URL: http://www.dotster.com

Server Name:
MICROSOFT.COM.LOVES.ME.KOSMAL.NET
IP Address: 65.75.198.123
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com

Server Name:
MICROSOFT.COM.IS.NOT.YEPPA.ORG
Registrar: OVH
Whois Server: whois.ovh.com
Referral URL: http://www.ovh.com

Server Name:
MICROSOFT.COM.IS.IN.BED.WITH.CURTYV.COM
IP Address: 216.55.187.193
Registrar: ABACUS AMERICA, INC. DBA NAMES4EVER
Whois Server: whois.names4ever.com
Referral URL: http://www.names4ever.com

Server Name:
MICROSOFT.COM.IS.HOSTED.ON.PROFITHOSTING.NET
IP Address: 66.49.213.213
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com

Server Name: MICROSOFT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COM
IP Address: 161.16.56.24
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com

Server Name:
MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET
IP Address: 63.99.165.11
Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET
Whois Server: whois.aitdomains.com
Referral URL: http://www.aitdomains.com

Truncated output .....

The output is much longer. But wait, don't be happy yet if you are a Windows hater! Check out the information below for these domains too -

- Baidu.com
- Blogger.com
- Google.com
- Msn.com
- Yahoo.com

At first I didn't really look at the output or compare the entries; I was wondering which whois server I query by default, and a look at the DNS traffic answers that, since tracing it down on the wire is always easy -

2007-12-26 01:54:07.173250 IP (tos 0x0, ttl 64, id 57639, offset 0, flags [DF], proto UDP (17), length 62) 192.168.0.102.32930 > 192.168.0.115.53: [udp sum ok] 50526+ A? whois.crsnic.net. (34)
2007-12-26 01:54:07.836447 IP (tos 0x0, ttl 249, id 19808, offset 0, flags [DF], proto UDP (17), length 265) 192.168.0.115.53 > 192.168.0.102.32930: 50526 q: A? whois.crsnic.net. 1/5/5 whois.crsnic.net. A 199.7.59.74 ns: whois.crsnic.net.[|domain]

Let's do it again, this time against that server -

shell>whois -h whois.crsnic.net google

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

Aborting search 50 records found .....
GOOGLE.ES
GOOGLE.EGEBILTEK.NET
GOOGLE.EARTH.ORDERBOX-DNS.COM
GOOGLE.DONSVENDING.COM
GOOGLE.DMINDESIGNS.COM
GOOGLE.DIPSTUDIO.NET
GOOGLE.DE
GOOGLE.CYNK-DESIGN.COM
GOOGLE.CYGRATIS.BE
GOOGLE.CRMPOD.COM
GOOGLE.CONSULTVERVE.COM
GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
GOOGLE.COM.WORDT.DOOR.VEEL.WHTERS.GEBRUIKT.SERVERTJE.NET
GOOGLE.COM.VN
GOOGLE.COM.UA
GOOGLE.COM.TW
GOOGLE.COM.TR
GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
GOOGLE.COM.SPROSIUYANDEKSA.RU
GOOGLE.COM.SERVES.PR0N.FOR.ALLIYAH.NET
GOOGLE.COM.SA
GOOGLE.COM.PLZ.GIVE.A.PR8.TO.AUDIOTRACKER.NET
GOOGLE.COM.MX
GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
GOOGLE.COM.IS.HOSTED.ON.PROFITHOSTING.NET
GOOGLE.COM.IS.APPROVED.BY.NUMEA.COM
GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
GOOGLE.COM.DO
GOOGLE.COM.CO
GOOGLE.COM.BR
GOOGLE.COM.BEYONDWHOIS.COM
GOOGLE.COM.AU
GOOGLE.COM.ACQUIRED.BY.CALITEC.NET
GOOGLE.CO.UK
GOOGLE.CO.TH
GOOGLE.CO.JP
GOOGLE.CO.ID
GOOGLE.CL
GOOGLE.CHENNAIEXPRESS.COM
GOOGLE.CH
GOOGLE.CA
GOOGLE.BIGMING.COM
GOOGLE.BEYONDWHOIS.COM
GOOGLE.ATHL.CX
GOOGLE.ALBERTZAKHIA.COM
GOOGLE.ADRIANP.NET
GOOGLE.51-HELP.COM
GOOGLE.NET
GOOGLE.COM

The whois server is hacked? I don't think so.

Let's dig further on one of the records -

shell>ping MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
PING MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM (69.41.185.194) 56(84) bytes of data.
64 bytes from 69.41.185.194: icmp_seq=1 ttl=47 time=337 ms

shell>dig MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM

; <<>> DiG 9.4.1-P1 <<>> MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37942
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM. IN A

;; ANSWER SECTION:
MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM. 86364 IN A 69.41.185.194

;; AUTHORITY SECTION:
SWINGINGCOMMUNITY.COM. 86364 IN NS ns2.0-id.COM.
SWINGINGCOMMUNITY.COM. 86364 IN NS ns1.0-id.COM.

;; Query time: 156 msec
;; SERVER: 202.188.0.133#53(202.188.0.133)
;; WHEN: Wed Dec 26 01:30:37 2007
;; MSG SIZE rcvd: 132

Now I do another dig, this time with baidu in front -

shell>dig BAIDU.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM

; <<>> DiG 9.4.1-P1 <<>> BAIDU.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49011
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;BAIDU.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM. IN A

;; ANSWER SECTION:
BAIDU.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM. 86400 IN A 69.41.185.194

;; Query time: 364 msec
;; SERVER: 202.188.0.133#53(202.188.0.133)
;; WHEN: Wed Dec 26 01:40:20 2007
;; MSG SIZE rcvd: 87

Check out the A records and you will see what I mean: both of them have the same IP address. In fact, you may already have noticed where that address comes from -

shell>ping www.swingingcommunity.com
PING www.swingingcommunity.com (69.41.185.194) 56(84) bytes of data.
64 bytes from 69.41.185.194: icmp_seq=1 ttl=47 time=253 ms

Feel free to visit www.swingingcommunity.com. You can visit the others too -

- seczy.com
- joker.com
- www.web-hack.com
- gulli.com
- etc

This is really a subdomain thing: the joke names are host records hanging off somebody else's domain, so they resolve wherever that domain's nameservers say. While malicious users can make use of this for nefarious purposes, I think this could be a Christmas gift. In fact I found this post when googling -

http://www.webmasterworld.com/domain_names/3025569.htm

That was back in 2003.
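To make the "subdomain thing" concrete, here is an added example of my own (not code from the post): it parses the "Server Name" records in whois output and, for each one, tells you whether the host really belongs to the domain you asked about or merely starts with it and lives under somebody else's registrable domain. The sample whois text is constructed from entries quoted in the post plus one hypothetical legitimate host with a documentation-range address, and the suffix handling is a deliberate simplification of the Public Suffix List.

```python
import re

# Constructed sample in the "Server Name:" block format that whois.crsnic.net
# prints. The first two names and IPs are from the post; NS1.MICROSOFT.COM with
# an RFC 5737 documentation address is a hypothetical legitimate host record.
SAMPLE_WHOIS = """\
Server Name: MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.194

Server Name:
MICROSOFT.COM.IS.HOSTED.ON.PROFITHOSTING.NET
IP Address: 66.49.213.213

Server Name: NS1.MICROSOFT.COM
IP Address: 192.0.2.10
"""

# Tiny subset of multi-label public suffixes; a real tool should load the full
# Public Suffix List instead of this hard-coded set (simplifying assumption).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp", "com.tw"}

def registrable_domain(host: str) -> str:
    # Owner domain of a host name: MICROSOFT.COM.FOO.EXAMPLE.NET -> example.net
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def parse_server_names(text: str) -> list:
    # Every "Server Name:" value; the name may sit on the same line or be
    # wrapped onto the next one, as in the post's output.
    return re.findall(r"^Server Name:\s*(\S+)", text, flags=re.M)

def audit_host_records(text: str, queried: str) -> list:
    # Returns (host, verdict, owner) tuples. 'own-domain'/'own-host' mean the
    # record really belongs to the queried domain; 'prefix-collision' means it
    # only starts with that name and lives under someone else's zone.
    q = queried.lower().rstrip(".")
    rows = []
    for host in parse_server_names(text):
        h = host.lower().rstrip(".")
        if h == q:
            verdict, owner = "own-domain", q
        elif h.endswith("." + q):
            verdict, owner = "own-host", q
        else:
            verdict, owner = "prefix-collision", registrable_domain(h)
        rows.append((h, verdict, owner))
    return rows
```

Calling `audit_host_records(SAMPLE_WHOIS, "microsoft.com")` flags the two joke names as collisions owned by swingingcommunity.com and profithosting.net, and only NS1.MICROSOFT.COM as a host of the queried domain.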

I think the corresponding registrars should take action now to wipe the invalid information, and if something was compromised, it should be the DNS (it could also be via HTTP, because these days a lot of hosting companies provide a web management interface to edit DNS information; I'm too lazy to verify all this, it's Christmas!). But looking at those domains, some of which look malicious and cryptic, I'm wondering if they are really doing this for fun or to support other operations such as ad spam.

I think the hackers should check out the quote on the HeX 1.0.2 wallpaper -


Anyway, I'm not too sure if this is Santa's job ..... ho ho ho

Peace o<(;[>
