Old 03-25-2015, 03:59 AM  
owahfxp
Junior Member
 
Join Date: Sep 2014
Posts: 3

I used several different DNS servers in this test, amongst them Google DNS.

If you look at the situation right now, every DNS server points to the same IP as the website's.

Code:
; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29985
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 296    IN      A       96.30.5.209

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 25 09:57:27 CET 2015
;; MSG SIZE  rcvd: 68

That said, I started disassembling the malware which was pushed via this hack, and it looks very amateurish to me; I hardly believe that this was a targeted DNS poisoning.
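The check the poster describes (ask several resolvers for the same name and see whether they all return the same address) can be automated by parsing dig's text output. The script below is an added example and is not the poster's code: it parses the ANSWER SECTION in the format dig prints, then flags any resolver whose answer set differs from the majority, which is how a poisoned or hijacked resolver would show up. The 8.8.8.8 output is the one quoted in the post; the other two resolver addresses (198.51.100.53, 192.0.2.53) and the disagreeing answer 203.0.113.7 are constructed placeholders from the documentation address ranges.

```python
"""Cross-check A records from several resolvers by parsing dig text output.

Added example, not from the forum post. Sample outputs below are
constructed except the 8.8.8.8 one, which is quoted from the post.
"""
import re
from collections import Counter
from typing import Dict, List

# One record line in dig's ANSWER SECTION, e.g.
# "liveupdate.flashfxp.com. 296    IN      A       96.30.5.209"
ANSWER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S+)$"
)

# Verbatim dig output from the post (resolver 8.8.8.8).
SAMPLE_GOOGLE = """; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29985
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 296    IN      A       96.30.5.209

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 25 09:57:27 CET 2015
;; MSG SIZE  rcvd: 68
"""


def constructed_dig_output(server: str, answer_ip: str) -> str:
    """Build a dig-style answer for `server` (constructed sample, same layout as the post)."""
    return f"""; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com @{server}
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 300    IN      A       {answer_ip}

;; Query time: 20 msec
;; SERVER: {server}#53({server})
"""


# Constructed: resolver 198.51.100.53 agrees with 8.8.8.8, resolver 192.0.2.53 returns
# a different address, standing in for a poisoned or hijacked resolver.
SAMPLES: Dict[str, str] = {
    "8.8.8.8": SAMPLE_GOOGLE,
    "198.51.100.53": constructed_dig_output("198.51.100.53", "96.30.5.209"),
    "192.0.2.53": constructed_dig_output("192.0.2.53", "203.0.113.7"),
}


def parse_status(dig_output: str) -> str:
    """Return the status field from the dig header (NOERROR, NXDOMAIN, SERVFAIL, ...)."""
    m = re.search(r"status:\s*([A-Z]+)", dig_output)
    return m.group(1) if m else "UNKNOWN"


def parse_answer_section(dig_output: str, rrtype: str = "A") -> List[str]:
    """Return the rdata of every record of type `rrtype` in the ANSWER SECTION."""
    records: List[str] = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            # dig ends the section with a blank line; a ';' line is the next section
            if not line or line.startswith(";"):
                in_answer = False
                continue
            m = ANSWER_RE.match(line)
            if m and m.group("type") == rrtype:
                records.append(m.group("data"))
    return records


def compare_resolvers(outputs: Dict[str, str], rrtype: str = "A") -> Dict[str, object]:
    """Group each resolver's answer set and flag resolvers that differ from the majority."""
    answer_sets = {
        r: tuple(sorted(set(parse_answer_section(o, rrtype)))) for r, o in outputs.items()
    }
    majority, _ = Counter(answer_sets.values()).most_common(1)[0]
    outliers = sorted(r for r, a in answer_sets.items() if a != majority)
    return {
        "answers": {r: list(a) for r, a in answer_sets.items()},
        "majority": list(majority),
        "outliers": outliers,
        "consistent": not outliers,
    }


if __name__ == "__main__":
    report = compare_resolvers(SAMPLES)
    for resolver, answers in report["answers"].items():
        flag = "  <-- disagrees with majority" if resolver in report["outliers"] else ""
        print(f"{resolver:>15}: {', '.join(answers) or '(no A records)'}{flag}")
    print("consistent:", report["consistent"])
```

A resolver that returns no A records at all (for example an NXDOMAIN or SERVFAIL) ends up with an empty answer set and is reported as an outlier as well, so the check also catches a resolver that is dropping the name rather than redirecting it. Feeding real data in means capturing `dig <name> @<resolver>` output per resolver and passing those strings instead of the constructed samples.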