1.08.2008

I've been getting quite a few follow-ups to my reports of the Earthlink DNS poisoning. I got a couple of emails from technicians working the issues, both of whom found the blog not from my reports to the abuse departments, but from this blog. Kudos to Google for making the world's data searchable!

I also got a comment from another user who is still having issues. His comment is here.

1.02.2008

Looks like Earthlink has it fixed now. I wonder if they will let people know they were hacked and should scan their computers. That would be the responsible thing to do.

OK, since I haven't gotten any responses from the Earthlink security folks, I decided to call the phone number listed via the WHOIS lookup on Earthlink's DNS IP. I get the operator who tells me that "The Abuse Department is a voicemail line only, and it is broken right now." Wow.

She passes me to tech support. An Indian lady answers the phone and starts telling me what websites I can go to. I explained to her that I am trying to do her a favor and tell them about a hack that could be affecting thousands of their customers, and was not interested in looking up other websites and doing more work for them.

She had no idea what I was talking about. All she said was thanks for reporting it, and started trying to talk to me about why people do things like this. My god. Earthlink appears to be doing things all wrong.

Who knows what else is being spoofed from their DNS... banks... email login pages... and geez, google-analytics!!! I mean, think about how many websites use that service!

Looks like the Earthlink DNS servers I am on got hacked. I noticed any site I went to, including mine, that uses Google Analytics was giving me a message to install some bogus ActiveX control that claimed to be from Microsoft.

Looking into it further, it looks like the DNS for "www.google-analytics.com" is resolving to some bogus Chinese domain, which is serving up a severely hacked version of the urchin JavaScript file that the real service normally serves. This effectively allows the code to run on every Earthlink customer's machine if they visit any site that uses the Google Analytics service.

My primary Earthlink nameserver is "207.217.126.81". Doing a dig on the DNS entry reports back a bogus IP:

ANSWER SECTION:
www.google-analytics.com. 282 IN CNAME www-google-analytics.l.google.com.
www-google-analytics.l.google.com. 222600 IN A 74.86.119.87


That IP address is bogus. A dig -x on it reports:

; <<>> DiG 9.2.4 <<>> -x 74.86.119.87
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1476
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;87.119.86.74.in-addr.arpa. IN PTR

;; ANSWER SECTION:
87.119.86.74.in-addr.arpa. 80872 IN PTR nuo.cn.

Nice... "nuo.cn". I sent an email to the Earthlink abuse team and also to Google security. Hopefully it gets fixed.
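The forward-then-reverse lookup check described in this post can be scripted over saved dig output. The following is an added example, not code from the blog's author: it parses the two answer sections quoted above, follows the CNAME chain to the final A record, and flags any address whose PTR name falls outside an expected suffix list. The function names and the `google.com.` suffix list are assumptions made for illustration. A mismatched PTR is only a signal worth investigating, since PTR records are set by whoever controls the IP block.

```python
# Added example. Sample answers are copied from the dig output quoted in the post;
# the expected-suffix list passed by the caller is an assumption.
FORWARD = """\
www.google-analytics.com. 282 IN CNAME www-google-analytics.l.google.com.
www-google-analytics.l.google.com. 222600 IN A 74.86.119.87
"""
REVERSE = """\
;; ANSWER SECTION:
87.119.86.74.in-addr.arpa. 80872 IN PTR nuo.cn.
"""

def parse_records(dig_text):
    """Return (name, type, data) tuples from dig answer lines, skipping ';' lines."""
    records = []
    for line in dig_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue
        # Expected layout: name TTL class type rdata
        if len(parts) >= 5 and parts[1].isdigit() and parts[2] == "IN":
            records.append((parts[0].lower(), parts[3], parts[4].lower()))
    return records

def final_addresses(records, qname):
    """Follow the CNAME chain from qname and return the A addresses at its end."""
    name, seen = qname.lower(), set()
    while name not in seen:  # the seen set stops CNAME loops
        seen.add(name)
        targets = [d for n, t, d in records if n == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return [d for n, t, d in records if n == name and t == "A"]

def reverse_name(ipv4):
    """Build the in-addr.arpa name that dig -x queries for an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

def suspicious_answers(forward, reverse, qname, expected_suffixes):
    """Return (ip, ptr) pairs whose PTR is missing or outside expected_suffixes."""
    fwd, rev = parse_records(forward), parse_records(reverse)
    findings = []
    for ip in final_addresses(fwd, qname):
        ptrs = [d for n, t, d in rev if n == reverse_name(ip) and t == "PTR"]
        ok = any(p == s or p.endswith("." + s) for p in ptrs for s in expected_suffixes)
        if not ok:
            findings.append((ip, ptrs[0] if ptrs else None))
    return findings

if __name__ == "__main__":
    print(suspicious_answers(FORWARD, REVERSE, "www.google-analytics.com.", ["google.com."]))
```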

1.01.2008

After whining about bad and horrible business, like Comcast, or Frys, I thought I might write about some of the great businesses that get it right.

A phone call to ING Direct was so refreshing. The person on the phone was very nice and a great help. I love giving them my business. Why can't all customer service be like this???

All of my phone calls to Ameritrade have been good experiences. Even Christian was impressed with their service.

There is a local Italian ice-cream shop called Piccomolo that is run really well, and has wonderful ice-cream. We love going there. It is always clean and well run. The people are always friendly to their customers. The owner goes out of his way to make kids feel welcome. Today, we dropped by, and the owners were cleaning it up, but were closed for New Year's. As we turned around to leave, the owner ran outside and yelled "Let me just fix you one small cup of birthday cake!" Neo was very grateful. He wouldn't let me pay for it either. He rubbed Neo on the head and said "This is a New Year's present. Happy New Year!" I like patronizing businesses like that. I encourage all of you to go there as well if you are in the area.