Sean’s Obsessions

Sean Walberg’s blog

Trust a Telco to Be Secure

Updated: Apparently, what happened is that someone registered bell-nexxia.net (as opposed to bellnexxia.net) and then had ARIN change the reverse pointers to the new machines.
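The hijack described above works because reverse (PTR) records are trusted on their own. A defender's check, added here as an example and not part of the original post, is forward-confirmed reverse DNS combined with a registrable-domain allowlist: resolve the PTR name back to addresses, require the original IP to be among them, and require the PTR name's domain to be one you actually expect (so bell-nexxia.net does not pass for bellnexxia.net). The lookup tables below are constructed stand-ins for live DNS answers; the live functions use the standard `socket` module.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed lookup tables standing in for live DNS answers (sample data, not real records).
FAKE_PTR: Dict[str, str] = {
    "206.108.101.137": "bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia.net",
    "198.235.69.11": "www.bell.ca",
}
FAKE_A: Dict[str, List[str]] = {
    "bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia.net": ["216.113.193.252"],
    "www.bell.ca": ["198.235.69.11"],
}

def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])

def live_ptr(ip: str) -> Optional[str]:
    # Real reverse lookup; returns None when no PTR exists.
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def live_a(name: str) -> List[str]:
    # Real forward lookup (IPv4 only); returns [] when the name does not resolve.
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []

def registrable_domain(name: str) -> str:
    # Naive: last two labels. Production code should use the public suffix list.
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def check_reverse(ip: str, expected_domains: List[str],
                  ptr_lookup: Callable[[str], Optional[str]] = live_ptr,
                  a_lookup: Callable[[str], List[str]] = live_a) -> Dict[str, object]:
    # Forward-confirmed reverse DNS plus an allowlist on the PTR name's domain.
    ptr = ptr_lookup(ip)
    result: Dict[str, object] = {"ip": ip, "ptr": ptr, "forward_confirmed": False, "domain_ok": False}
    if ptr is None:
        return result
    result["forward_confirmed"] = ip in a_lookup(ptr)
    result["domain_ok"] = registrable_domain(ptr) in {d.lower() for d in expected_domains}
    return result
```

Both flags must be true before a PTR name is worth trusting; the lookalike domain in the post fails the allowlist check even though the name itself resolves.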

$ /usr/sbin/traceroute bell.ca
traceroute: Warning: bell.ca has multiple addresses; using 198.235.69.11
traceroute to bell.ca (198.235.69.11), 30 hops max, 38 byte packets
 1  24.76.8.1 (24.76.8.1)  18.182 ms  24.737 ms  29.504 ms
 2  rc2nr-ge3-0-1.wp.shawcable.net (64.59.179.3)  13.917 ms  11.477 ms  9.825 ms
 3  rc1so-pos13-0.cg.shawcable.net (66.163.76.85)  24.159 ms  28.756 ms  28.183 ms
 4  64.230.231.137 (64.230.231.137)  43.666 ms  96.202 ms  31.247 ms
 5  bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.101.137)  26.419 ms  41.213 ms  57.043 ms
 6  bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.97.97)  77.389 ms  152.741 ms  72.578 ms
 7  64.230.242.194 (64.230.242.194)  262.986 ms  147.784 ms  82.894 ms
 8  bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.97.2)  163.480 ms  81.812 ms  83.038 ms
 9  bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.98.246)  91.211 ms  120.517 ms  82.995 ms
10  bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.104.30)  91.331 ms  90.077 ms  105.208 ms

Checking out their name servers:

$ host -t ns 104.108.206.in-addr.arpa
104.108.206.in-addr.arpa name server taz.bell-nexxia.net.
104.108.206.in-addr.arpa name server pluto.bell-nexxia.net.

Taz accepts telnet connections from anywhere:

$ telnet taz.bell-nexxia.net
Trying 216.113.193.252...
Connected to taz.bell-nexxia.net.
Escape character is '^]'.
^M
FreeBSD/i386 (rotting.deadmime.com) (ttyp2)
login: login:
telnet> close

It appears they are doing web hosting on the same box, too. HTTP requests to the box get prompted for authentication for an admin screen. My money is on someone with a stupid password having opened up the box to attack.

Trust a telco to do things the Wrong Way. Just another of the many reasons I don’t trust my provider with my mail or DNS.
