Linkedin DNS Hijack - Update

Published: 2013-06-20
Last Updated: 2013-06-22 02:00:37 UTC
by Johannes Ullrich (Version: 2)
8 comment(s)

Update

It looks like this issue stemmed from a DDoS mitigation [1] gone awry or human error depending upon what source you refer to... [2] 

Orginal

LinkedIn had its DNS "hijacked". There are no details right now, but often this is the result of an attacker compromissing the account used to manage DNS servers.But so far, no details are available so this could be just a simple misconfiguration.

The issue has been resolved, but If LinkedIn is "down" for you, or if it points to a different site, then you should flush your DNS cache.

It does not appear that Linkedin uses DNSSEC (which may not have helped if the registrar account was compromissed). Your best bet to make sure you connect to the correct site is SSL. But of course, "owning" the domain may allow the attacker to create a new certificate rather quickly.

As indicated in a comment below (and some twitter messages), other sites are affected as well. Please add a comment if you find any. The fact that multiple site's NS records are affected implies that this may not be a simple compromissed registrar account.

Current, appearantly accurate, DNS replies for LinkedIn:

 

dig +short A linkedin.com
216.52.242.86

dig +short NS linkedin.com
ns4.p43.dynect.net.
ns4.linkedin.com.
ns3.p43.dynect.net.
ns1.p43.dynect.net.
ns2.p43.dynect.net.
ns1.linkedin.com.
ns3.linkedin.com.
ns5.linkedin.com.
ns6.linkedin.com.
ns2.linkedin.com.
All the NS records point to the same IP address right now: 156.154.69.23.
 
According to http://blog.escanav.com/2013/06/20/dns-hijack/, the bad IP address is 204.11.56.17.
 
For partial passive DNS cache results, see http://www.bfk.de/bfk_dnslogger.html?query=204.11.56.17#result
 
[1] https://www.networksolutions.com/blog/2013/06/important-update-for-network-solutions-customers-experiencing-website-issues/
[2] http://www.confluence-networks.com/
 
 
------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute
Twitter

Keywords: dns linkedin
8 comment(s)

HP iLO3/iLO4 Remote Unauthorized Access with Single-Sign-On

Published: 2013-06-20
Last Updated: 2013-06-20 01:39:36 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

HP released a security bulletin on a potential remote unauthorized access with HP Integrated Lights-Out iLO3/iLO4 using Single-Sign-On.

CVE-2013-2338 has been assigned and the following versions are impacted:

HP Integrated Lights-Out 3 (iLO3) firmware versions prior to v1.57.
HP Integrated Lights-Out 4 (iLO4) firmware versions prior to v1.22.

If you are impacted, HP recommends upgrading as soon as possible. The current version is available here.

[1] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c03787836
[2] http://www.hp.com/go/bizsupport
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2338

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

0 comment(s)

Comments


Diary Archives