Looks like the Earthlink DNS servers I am on got hacked. I noticed any site I went to, including mine, that uses Google Analytics was giving me a message to install some bogus Active-X control that claimed to be from Microsoft.

Looking into it further, it looks like the DNS for "www.google-analytics.com" is resolving to some bogus Chinese domain, which is serving up a severely hacked version of the urchin javascript file that the real service normally serves. This effectively allows the code to run on every Earthlink customers machine if they visit any site that uses the Google Analytics service.

My primary Earthlink nameserver is "". Doing a dig on the DNS entry reports back a bogus IP:

ANSWER SECTION:rn www.google-analytics.com. 282 IN CNAME www-google-analytics.l.google.com.rn www-google-analytics.l.google.com. 222600 IN A

That IP address is bogus. A dig -x on it reports:

; <<>> DiG 9.2.4 <<>> -x
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1476
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; ANSWER SECTION: 80872 IN PTR nuo.cn.

Nice... "nuo.cn". I sent an email to the Earthlink abuse team and also to Google security. Hopefully it gets fixed.

No comments: