Some French people are reporting without understanding what it is all about something almost as old as ICANN is: when you do a whois lookup on microsoft.com (for example) you get tons of unexpected replies… Reporting without knowledge (and without digging at least a bit about this) is like asking for a geek to slap his blog in your face.
This article will be a bit blunt, but that’s for your own good (next time try to at least search a bit on google/etc before saying whois servers were hacked).
Typical whois reply will look like:
Server Name: MICROSOFT.COM.ZZZZZZ.MORE.DETAILS.AT.WWW.BEYONDWHOIS.COM Server Name: MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM Server Name: MICROSOFT.COM.ZZZZZ.DOWNLOAD.MOVIE.ONLINE.ZML2.COM Server Name: MICROSOFT.COM.ZZZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM Server Name: MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.SUB7.NET Server Name: MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM Server Name: MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET
Of course it might looks like the whois server was hacked, that’s what people with bad knowledge of internet would think (hint: almost everything is explained in RFCs).
When you perform a whois lookup, the whois server will usually search domains and return you informations about the domain you requested. However on internet you also have Glue Records which are searchable via whois.
When you perform a whois on, let’s say “microsoft.com”, the whois server will search all records that starts with microsoft.com. Now let’s say the owner of spanner.net created a glue record on microsoft.com.will.be.slapped.in.the.face.by.my.blue.veined.spanner.net, it will match.
Now lots of people did that, so whois records are full of glue records starting with microsoft.com. The only way to limit that is to code a limit in ICANN whois server. So it was decided that only 25 expanded or 50 name-only records would be shown. What happens to the real domain name? It’s also listed as one of the records, usually at the end.
So, nothing was hacked, no whois server was harmed, you just got a bunch of people who are exploiting a specific behaviour of the whois system to make their glue records get listed before the real domains. If you want to appear in microsoft.com you can create a glue record which would look like: microsoft.com.zzzzzzzzzz.uh.did.you.wake.me.up.from.my.sleepdeprivation.com.
Have fun posting stuff on your blog, but stop saying whois servers were hacked when they were not. Anyone who owns a domain name can create glue records, no hacking skills are required to achieve this. You are giving too much credit to guys who just pressed a few options in their registrar’s admin panel (and remember that you can be easily tracked back too). That’s far from what I would call “hacking”, and even not at the “script kiddie” level.
Oh and guyz, it’s been like this for a long time (first time I saw that there was only one record, it was in something like 1998. In the following years more and more records were added to finally reach today’s state). Remember to always verify your sources, even when you got breaking news like “microsoft.com was hacked”.
Finally, I find it amusing to see someone with a MacOS X machine called “bofh” and a green terminal (yay! old school) “discovering” a hack and feeling the urge to report it (and show his green terminal to the world, too). Mac OS X is not a hacker OS, and Apple’s whois client sucks – recent whois client add options to either only receive domain responses, or get expanded responses. Please use a real OS (FreeBSD, Linux Gentoo) or make your own.
Some of my favourite records from a LONG time ago:
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM MICROSOFT.COM.SE.FAIT.HAX0RIZER.PAR.TOUT.LE.ZOY.ORG MICROSOFT.COM.N-AIME.BILL.QUE.QUAND.IL.N-EST.PAS.NU MICROSOFT.COM.MUST.STOP.TAKEDRUGS.ORG MICROSOFT.COM.IS.NOTHING.BUT.A.MONSTER.ORG MICROSOFT.COM.IS.AT.THE.MERCY.OF.DETRIMENT.ORG MICROSOFT.COM.FAIT.VRAIMENT.DES.LOGICIELS.A.TROIS.FRANCS.DOUZE.ORG MICROSOFT.COM.WILL.CRASH.IN.6MN.ORG MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET
#1 by Ookami on 2009/08/14 - 08:52
Quote
Sympas, j’aurais appris quelque chose. =]
Espece de vil trolleur. Il y’a pas longtemps tu pouvais meme pas matter du flash sous FreeBSD.
Trackback: Lezard Spock
#2 by LezardSpock on 2009/08/14 - 16:52
Quote
Je t’en veux pas, t’as raison donc j’ai pas d’arguments pour lutter. J’aurais du prendre le temps de vérifier l’information avant de la publier. Merci pour la petite claque
Et en fait je m’en fou j’ai un mail en 7 caractères <3
#3 by Precea on 2009/08/14 - 17:52
Quote
Vraiment sympa !
On en apprend beaucoup avec toi :p
Par contre MacOS est un vrai OS aussi, et le terminal vert c’est le seul qui pique pas les yeux ^^
MICROSOFT.COM.FAIT.VRAIMENT.DES.LOGICIELS.A.TROIS.FRANCS.DOUZE.ORG
#4 by akrus on 2009/08/14 - 22:07
Quote
Lol! Never knew about that xD
#5 by s3phy on 2009/08/15 - 07:42
Quote
This is as old as the internet, like you say in the article.
I’m getting pissed at the so called news sources putting up stories for stuff like that lately… Here in Québec, a few weeks ago, a youtube video featuring a 8 years old boy driving on a open road made news (paper and TV!) headlines… until people discovered the next day the video was several years old.
On the more geek side, *ALL* news talked about the recent attack against twitter as a hack or even as a breach… “Twitter a été piraté”, etc. Sad to see people who are supposed to inform you can’t see the difference between a pirated and an attacked site…
Pingback: Google,Microsoft, Apple, Yahoo [...] victimes d’un DNS spamming
#6 by Mr Xhark on 2009/08/17 - 00:44
Quote
La correction de langage est faite : http://blogmotion.fr/internet/securite/googlemicrosoft-apple-yahoo-victimes-dun-dns-spamming-3807
#7 by Amit Lele on 2010/05/03 - 15:17
Quote
why microsoft, google or yahoo whose whois records are dns spammed, DONT do anything about it???