Time Flies – BIND, CentOS4 and Spammers

It's been over a month since I have been able to take a moment and say hello to my blog. After my own time off, my colleagues have dared to take their own time off and I am stuck with extra work while they are gone. What goes around, comes around, I guess.

In the meantime, the only work I have been able to do around here is moderate spammy comments to the trash bin. Viagra, online loans, escort services: they all seem to come over here with their bots and spam my admin panel with bogus comments with links back to their crap…

One thing I guess they are trying to exploit is the WordPress pingbacks. Much to my annoyance, since I really don't mind speaking out loud to nobody on this blog, it's crappy to have bots polluting my space with their spam. I might try a WordPress CAPTCHA plugin of some sort; I was too lazy to look for one since I didn't figure I needed one… little did I know!

In any case, as time goes on, people still (*shiver*) running RHEL4/CentOS4 systems are getting more and more vulnerabilities. CVE-2012-1823 was the first reasonably big bug that will go unpatched on RHEL4/CentOS4, and now BIND has announced CVE-2012-1667, a rather nasty one that apparently can in some cases expose system memory (!!!). RHEL4 and clones shipped with BIND 9.2, and it is of course vulnerable. Thankfully the systems I manage have been moved past EL4; however I do have a server or two that is still yet to be replaced. I came across a blog that showed promise of a rebuild of BIND 9.7.3 (which ships with CentOS 6.2, I believe), yet I was never able to get the .src.rpm for that. I ended up building my own. It's based on Fedora Linux's FC14 9.7.4 RPM, with the 9.7.6-P1 source from ISC.ORG. You can download my .src.rpm here. I have tested it happily for a few weeks now; your mileage may vary. Rebuild at your own risk! 🙂 I have it running on a mail server for DNS caching as well as on a reasonably busy authoritative server and so far, no issues at all. At least now RHEL4/CentOS4 can have allow-recursion { acl; } in named.conf!!! (yay)

Anyway, if you do download the source and compile it, let me know your results.
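Two things worth checking on any box that still runs the old BIND are whether the named version predates the CVE-2012-1667 fix, and whether recursion is left open to the world (an authoritative server that also recurses for anyone is an open resolver). The script below is an added example, not code from the post, from ISC or from the rebuilt RPM; the fixed-version table is taken from ISC's CVE-2012-1667 advisory, and the sample named.conf fragments are constructed for the example.

```python
"""Audit an EL4-era BIND host for the two problems the post raises: a named
that predates the CVE-2012-1667 fix, and a named.conf that leaves recursion
open.  Added example, not code from the post or from ISC; the fixed-version
table is from ISC's CVE-2012-1667 advisory, the sample configs are made up."""
import re

# First release on each branch ISC still maintained in mid-2012 that carries
# the CVE-2012-1667 fix: branch -> (release, patch level).
FIXED = {
    (9, 6, "ESV"): (7, 1),   # 9.6-ESV-R7-P1
    (9, 7): (6, 1),          # 9.7.6-P1, the source the rebuilt RPM is based on
    (9, 8): (3, 1),          # 9.8.3-P1
    (9, 9): (1, 1),          # 9.9.1-P1
}

# Accepts "9.2.4", "9.7.6-P1", "9.6-ESV-R7-P1" and the vendor-suffixed form
# 'named -v' prints on Red Hat builds, e.g. "BIND 9.7.6-P1-RedHat-9.7.6-1.P1".
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+)|-ESV-R(\d+))?(?:-P(\d+))?(?:-[A-Za-z].*)?$")


def parse_version(text):
    """Return (branch, release, patch); ESV branches carry an 'ESV' tag."""
    text = text.strip()
    if text.startswith("BIND "):
        text = text[5:]
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, release, esv_release, patch = m.groups()
    branch = (int(major), int(minor)) + (("ESV",) if esv_release else ())
    return branch, int(esv_release or release or 0), int(patch or 0)


def vulnerable_to_cve_2012_1667(version):
    branch, release, patch = parse_version(version)
    if branch in FIXED:
        return (release, patch) < FIXED[branch]
    # Branches ISC had already dropped in 2012 (9.2 through 9.5 and plain
    # 9.6.x) never got a fix, which is why RHEL4's 9.2 stays vulnerable;
    # 9.10 and later post-date the bug.
    return branch[:2] < (9, 10)


def recursion_exposure(named_conf):
    """Classify the global recursion policy: 'disabled', 'restricted',
    'open' (any client) or 'default' (no allow-recursion statement, which on
    the 9.2 series means any client; 9.4.1-P1 and later narrowed the default
    to localhost and localnets).  A simple scan, not a full named.conf parser:
    views and per-zone statements are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)   # block comments
    conf = re.sub(r"(//|#).*", "", conf)                       # line comments
    if re.search(r"\brecursion\s+no\s*;", conf):
        return "disabled"
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}\s*;", conf)
    if not m:
        return "default"
    entries = {e.strip().strip('"') for e in m.group(1).split(";") if e.strip()}
    if entries & {"any", "0.0.0.0/0", "::/0"}:
        return "open"
    return "restricted"


def audit(version, named_conf):
    """Return the list of findings for one host; an empty list means clean."""
    findings = []
    if vulnerable_to_cve_2012_1667(version):
        findings.append("named %s predates the CVE-2012-1667 fix" % version.strip())
    exposure = recursion_exposure(named_conf)
    if exposure == "open":
        findings.append("allow-recursion permits any client (open resolver)")
    elif exposure == "default":
        findings.append("no allow-recursion statement; on BIND 9.2 that is an open resolver")
    return findings


# Constructed sample configs: a stock EL4 box, and the allow-recursion { acl; }
# form the post is glad to finally have.
DEFAULT_CONF = 'options { directory "/var/named"; };'
OPEN_CONF = 'options { directory "/var/named"; allow-recursion { any; }; };'
RESTRICTED_CONF = """
acl "trusted" { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "trusted"; };   // only the ACL may use the cache
};
"""
```

Feed it the string from `named -v` and the contents of /etc/named.conf; `audit("BIND 9.2.4", DEFAULT_CONF)` returns both findings for a stock RHEL4 box, while the rebuilt 9.7.6-P1 with an ACL comes back clean. The recursion scan is intentionally shallow (no views, no per-zone overrides), so treat a "restricted" result as a hint rather than proof and confirm with a recursive query from outside the ACL.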


Facebook starts to publish AAAA ahead of June 6th 2012 – Like!

I don't know if this is a late night test; however, apparently Facebook is publishing (I am guessing deliberately) an AAAA via DNS, even to "non-whitelisted" resolvers…

They had announced in April that they would enable AAAA for "beta.facebook.com" on May 18th, yet the plan at that time was to enable AAAA on the www. on June 6th like everyone else. However, dig currently returns results that push that deadline forward:

dig -t AAAA @8.8.8.8 www.facebook.com

; <<>> DiG 9.3.2 <<>> -t AAAA @8.8.8.8 www.facebook.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13463
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      AAAA

;; ANSWER SECTION:
www.facebook.com.       115     IN      AAAA    2a03:2880:10:1f03:face:b00c:0:25

;; Query time: 18 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 21 22:53:38 2012
;; MSG SIZE  rcvd: 62

Their initial IP on June 8th 2011 was [2620:0:1cfe:face:b00c::3] (aka www.v6.facebook.com, and www.facebook.com for the 24 hours of World IPv6 Day 2011), which is within a /40 out of ARIN space. beta.facebook.com and www.facebook.com do not have the same IP, so I am guessing they are not necessarily the same source.

It also seems they got their own /32, from RIPE?!  Facebook Ireland LTD?  What the….

 whois 2a03:2880:10:8f02:face:b00c:0:25@whois.ripe.net
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '2a03:2880::/32'

inet6num:        2a03:2880::/32
netname:         IE-FACEBOOK-201100822
descr:           Facebook Ireland Ltd
country:         IE
org:             ORG-FIL7-RIPE
admin-c:         RD4299-RIPE
tech-c:          RD4299-RIPE
status:          ALLOCATED-BY-RIR
mnt-by:          RIPE-NCC-HM-MNT
mnt-lower:       fb-neteng
mnt-routes:      fb-neteng
source:          RIPE # Filtered

organisation:    ORG-FIL7-RIPE
org-name:        Facebook Ireland Ltd
org-type:        LIR
address:         Facebook Ireland Ltd Hanover Reach, 5-7 Hanover Quay 2 Dublin Ireland
phone:           +0016505434800
fax-no:          +0016505435325
mnt-ref:         RIPE-NCC-HM-MNT
mnt-ref:         fb-neteng
mnt-by:          RIPE-NCC-HM-MNT
admin-c:         PH4972-RIPE
source:          RIPE # Filtered

role:            RIPE DBM
address:         1601 Willow Rd.
address:         Menlo Park, CA, 94025
admin-c:         PH4972-RIPE
tech-c:          PH4972-RIPE
nic-hdl:         RD4299-RIPE
mnt-by:          fb-neteng
source:          RIPE # Filtered
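The post does the allocation check by eye: read the AAAA out of the dig answer, then work out whether it sits in the ARIN /40 from 2011 or the new RIPE /32. As an added example that is not part of the post, here is the same check as a script. The dig output is the one quoted above, the RIPE /32 is taken straight from the whois output, and the ARIN block is assumed to be the /40 around the 2011 address rather than looked up.

```python
"""Pull the AAAA answers out of dig output and say which allocation each one
sits in, the check the post does by hand.  Added example, not part of the
post: the dig output is the one quoted above, the RIPE /32 comes from the
whois output, and the ARIN block is assumed to be the /40 around the 2011
address rather than looked up."""
import ipaddress
import re

ALLOCATIONS = {
    "RIPE 2a03:2880::/32 (Facebook Ireland Ltd)":
        ipaddress.ip_network("2a03:2880::/32"),
    # Assumed: the /40 containing the June 2011 address, not a whois result.
    "ARIN /40 around 2620:0:1cfe:face:b00c::3":
        ipaddress.ip_network("2620:0:1cfe:face:b00c::3/40", strict=False),
}

# One answer-section line: owner, TTL, class, type, rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+AAAA\s+(\S+)\s*$")

# The dig run quoted in the post, used here as the sample input.
DIG_OUTPUT = """\
; <<>> DiG 9.3.2 <<>> -t AAAA @8.8.8.8 www.facebook.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13463
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      AAAA

;; ANSWER SECTION:
www.facebook.com.       115     IN      AAAA    2a03:2880:10:1f03:face:b00c:0:25

;; Query time: 18 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 21 22:53:38 2012
;; MSG SIZE  rcvd: 62
"""


def aaaa_records(dig_output):
    """Return (owner, ttl, address) for every AAAA line in the answer section.
    Only lines between ';; ANSWER SECTION:' and the next ';;' header count,
    so the question section and dig's own chatter are ignored."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
        if not in_answer:
            continue
        m = ANSWER_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records


def allocation_of(address):
    """Name of the allocation containing the address, or None."""
    addr = ipaddress.IPv6Address(address)
    for name, net in ALLOCATIONS.items():
        if addr in net:
            return name
    return None


def report(dig_output):
    """One (owner, address, allocation) tuple per AAAA answer."""
    return [(owner, addr, allocation_of(addr) or "unknown allocation")
            for owner, _ttl, addr in aaaa_records(dig_output)]
```

Pipe a live `dig -t AAAA` run into `report()` and the address in the answer is tagged with the RIPE /32, while the 2011 address lands in the ARIN /40; anything outside both comes back as "unknown allocation", which is the cue to go back to whois.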

Maybe they are looking for ways to make news now that their IPO fell flat after the first full day of public trading? Nevertheless, good to see them venture forward!

More to read about June 6th 2012 (World IPv6 Launch).