[lug] Suspicious: "host"/"DNS" Showing Odd Results (Fedora)

Lee Woodworth blug-mail at duboulder.com
Mon Sep 3 16:38:55 MDT 2018


It looks like the IP might be near Southern California. I also see
multiple PTRs for that address from a DNS server in an IP block
apparently owned by Comcast.

From a non-comcast/non-centurylink connection:

$ host -a 69.252.80.75 (using a local dns resolver)
75.80.252.69.in-addr.arpa. 6937 IN      PTR     urlrw01.cable.comcast.com.
75.80.252.69.in-addr.arpa. 6937 IN      PTR     civrightsvoices.com.

$ dig +trace -x 69.252.80.75
75.80.252.69.in-addr.arpa. 7200 IN      PTR     urlrw01.cable.comcast.com.
75.80.252.69.in-addr.arpa. 7200 IN      PTR     civrightsvoices.com.
;; Received 123 bytes from 68.87.68.244#53(dns104.comcast.net) in 56 ms

$ whois 68.87.68.244
NetRange:       68.80.0.0 - 68.87.255.255
CIDR:           68.80.0.0/13
NetName:        JUMPSTART-2
NetHandle:      NET-68-80-0-0-1
Parent:         NET68 (NET-68-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS7922
Organization:   Comcast Cable Communications, LLC (CCCS)
RegDate:        2002-01-28
Updated:        2016-08-31
Ref:            https://rdap.arin.net/registry/ip/68.80.0.0

$ traceroute -I 75.80.252.69
  1  8.36.226.1 (8.36.226.1)  23.740 ms  23.715 ms  23.715 ms
  2  8-1-36.ear3.Denver1.Level3.net (4.14.114.253)  2.619 ms  2.850 ms  3.093 ms
  3  * * *
  4  4.68.72.118 (4.68.72.118)  16.672 ms  16.686 ms  16.682 ms
  5  bu-ether12.tustca4200w-bcr00.tbone.rr.com (66.109.6.0)  45.076 ms  45.115 ms  45.111 ms
  6  66.109.6.203 (66.109.6.203)  50.072 ms  47.566 ms  47.344 ms
  7  agg1.pldscabx02r.socal.rr.com (72.129.37.3)  51.651 ms  53.990 ms  53.978 ms
  8  agg1.indica8102h.socal.rr.com (72.129.38.59)  62.390 ms  67.853 ms  67.791 ms
  9  agg2.indica8101m.socal.rr.com (76.167.16.134)  49.038 ms  49.120 ms  49.198 ms
10  * * *

On 09/03/2018 03:10 PM, stimits at comcast.net wrote:
> Hi,
>   
> I realize the "host" command can show more than one source, but it seems I have a case which is suspicious. While looking for problems of why something was crashing on firefox I added many packages to enable running in gdb and taking a backtrace. It seems SSL had locked up and crashed (fully updated).
>   
> So I've noticed that sometimes when I ping comcast.net I see what I believe is not legitimate:
> 64 bytes from civrightsvoices.com (69.252.80.75): icmp_seq=1 ttl=56 time=13.8 ms
> At other times I see this, which is probably correct:
> 64 bytes from urlrw01.cable.comcast.com (69.252.80.75): icmp_seq=1 ttl=56 time=19.4 ms
> What got more interesting is the "host" command (I do believe 69.252.80.75 is actually comcast):
> > host 69.252.80.75
> 75.80.252.69.in-addr.arpa domain name pointer civrightsvoices.com.
> 75.80.252.69.in-addr.arpa domain name pointer urlrw01.cable.comcast.com.
> When it is purely the one I believe is valid there is no lockup or crash. Sometimes when both show up it seems to be ok, but all firefox lockups only occur under those conditions.
>   
> In the past I checked out what happens when resolv.conf has one of the open DNS servers instead of comcast's, and found performance was terrible. The open DNS server entry was long since deleted and reboot has generated a purely comcast resolv.conf (the entire system and DHCP has been restarted multiple times since then, and so has the cable modem). There is no reason (that I know of) why any other DNS server would be used other than comcast's. Is there something equivalent to a verbose trace of the "host" command to see more details? Would I need to snoop the traffic?
>   
> FYI, the ping and host commands do this with root and other accounts without ever using a web browser (the issue is not confined to web browsers nor user accounts). Just in case, for firefox, I did delete all cache and cookies. I actually did a recursive find of regular files for the entire file system and put them through grep doing a case insensitive search for "civrightsvoices" and nothing showed up from the entire file system. I'm thinking this is something provided from the network source and is not part of my computer (perhaps comcast's DNS was hacked?). I've concluded that it is unlikely anything on my system has been compromised (and I do keep close watch and firewalling).
>   
> Is there something odd when ping and host show two sources for 69.252.80.75? I could see two comcast names or pointers, but so far as I know "civrightsvoices.com" is unrelated to comcast and there should not be two domain pointers from different domains replying to comcast's DNS requests. How would I trace the cause of seeing "civrightsvoices.com" in some DNS queries and ping? Would I need to snoop traffic?
>   
> Thanks!
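The check a defender applies to the two-PTR situation above is forward-confirmed reverse DNS: a PTR name is only trusted if it resolves back to the queried address. The script below is an added example, not code from either poster; it parses `host -a`/`dig` PTR answer lines such as those quoted in the thread, and the forward lookups are a constructed, labelled table so it runs offline (the `system_forward_lookup` helper is what you would pass for a real check). The address-to-name step uses `ipaddress`, so the same code handles ip6.arpa names.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for addresses with several PTRs.
Added example for the thread above; forward lookups are injected so it runs offline."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List

# Answer-line shapes produced by `dig`/`host -a` and by plain `host`:
#   75.80.252.69.in-addr.arpa. 6937 IN PTR urlrw01.cable.comcast.com.
#   75.80.252.69.in-addr.arpa domain name pointer civrightsvoices.com.
PTR_LINES = (re.compile(r"^(\S+)\s+\d+\s+IN\s+PTR\s+(\S+)$"),
             re.compile(r"^(\S+) domain name pointer (\S+)$"))


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa / ip6.arpa owner name a resolver queries for `ip`."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_ptr_answers(text: str) -> Dict[str, List[str]]:
    """Map each reverse owner name in resolver output to its PTR targets (trailing dots dropped)."""
    found: Dict[str, List[str]] = {}
    for line in text.splitlines():
        for pat in PTR_LINES:
            m = pat.match(line.strip())
            if m:
                owner, target = (s.rstrip(".").lower() for s in m.groups())
                found.setdefault(owner, []).append(target)
    return found


def system_forward_lookup(name: str) -> List[str]:
    """Forward-resolve `name` with the system resolver (for real, online use)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def forward_confirmed(ip: str, answers: Dict[str, List[str]],
                      lookup: Callable[[str], List[str]]) -> Dict[str, bool]:
    """For each PTR target of `ip`: True iff the name resolves back to `ip`."""
    return {name: ip in lookup(name) for name in answers.get(reverse_name(ip), [])}


# Constructed sample: the two answers quoted in the thread for 69.252.80.75.
SAMPLE_OUTPUT = """75.80.252.69.in-addr.arpa. 6937 IN      PTR     urlrw01.cable.comcast.com.
75.80.252.69.in-addr.arpa. 6937 IN      PTR     civrightsvoices.com.
"""
# Constructed forward table (assumption for the offline demo, not real DNS data).
FAKE_FORWARD = {"urlrw01.cable.comcast.com": ["69.252.80.75"], "civrightsvoices.com": ["192.0.2.10"]}

if __name__ == "__main__":
    verdict = forward_confirmed("69.252.80.75", parse_ptr_answers(SAMPLE_OUTPUT), lambda n: FAKE_FORWARD.get(n, []))
    for name, ok in verdict.items():
        print(f"{name}: {'forward-confirmed' if ok else 'NOT confirmed, investigate'}")
```

A name that fails confirmation is not proof of tampering (anyone can point a PTR-less A record, or a PTR they control, at any address), but it is the record that needs explaining before the rest of the chain is.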
