Kastus wrote:
> On Mon, Feb 07, 2005 at 04:00:42PM -0600, Joe Morris (NTM) wrote:
> > Just for reference, Mozilla 1.7.5 x86_64 [Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20041220] did not pop up a window (an error message about not finding www.paypal.com was what happened), so I guess it is NOT vulnerable.
> > --
>
> It could be that your DNS is not resolving the fake www.paypаl.com (the letter before the "l" is not "a") and not that Mozilla is not vulnerable.
>
> Here, www.paypаl.com resolves to 198.41.1.35, while the real www.paypal.com resolves to 216.113.188.34 216.113.188.64 216.113.188.33 216.113.188.65 216.113.188.66 216.113.188.35
>
> Cut and paste this string into a shell (do not retype it) and see what it returns:
>
> dig www.paypаl.com
>
> For comparison, I am getting this:
>
> ; <<>> DiG 9.2.4 <<>> www.paypаl.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58955
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.payp\208\176l.com. IN A
>
> ;; ANSWER SECTION:
> www.payp\208\176l.com. 586 IN A 198.41.1.35
>
> ;; Query time: 2 msec
> ;; SERVER: 172.21.1.126#53(172.21.1.126)
> ;; WHEN: Mon Feb 7 16:51:15 2005
> ;; MSG SIZE rcvd: 49
>
> -Kastus
Well, I think that it definitely wasn't my DNS, as the following will show (the first was typed in, the second (after rereading your post) is the copy/pasted one).

joe@jmorris64:~> dig www.paypal.com

; <<>> DiG 9.3.0 <<>> www.paypal.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7305
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.paypal.com. IN A

;; ANSWER SECTION:
www.paypal.com. 366 IN A 216.113.188.32
www.paypal.com. 366 IN A 216.113.188.33
www.paypal.com. 366 IN A 216.113.188.34
www.paypal.com. 366 IN A 216.113.188.35
www.paypal.com. 366 IN A 216.113.188.64
www.paypal.com. 366 IN A 216.113.188.65
www.paypal.com. 366 IN A 216.113.188.66

;; AUTHORITY SECTION:
paypal.com. 1225 IN NS ns1.nix.paypal.com.
paypal.com. 1225 IN NS ns1.sc5.paypal.com.
paypal.com. 1225 IN NS ns2.nix.paypal.com.
paypal.com. 1225 IN NS ns2.sc5.paypal.com.

;; ADDITIONAL SECTION:
ns1.nix.paypal.com. 127048 IN A 64.4.240.70
ns1.sc5.paypal.com. 127048 IN A 64.4.244.70
ns2.nix.paypal.com. 127048 IN A 64.4.240.71
ns2.sc5.paypal.com. 127048 IN A 64.4.244.71

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 7 20:43:59 2005
;; MSG SIZE rcvd: 288

joe@jmorris64:~> dig www.paypаl.com

; <<>> DiG 9.3.0 <<>> www.paypаl.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26552
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;www.payp\208\176l.com. IN A

;; ANSWER SECTION:
www.payp\208\176l.com. 900 IN A 198.41.1.35

;; AUTHORITY SECTION:
com. 46346 IN NS b.gtld-servers.net.
com. 46346 IN NS c.gtld-servers.net.
com. 46346 IN NS d.gtld-servers.net.
com. 46346 IN NS e.gtld-servers.net.
com. 46346 IN NS f.gtld-servers.net.
com. 46346 IN NS g.gtld-servers.net.
com. 46346 IN NS h.gtld-servers.net.
com. 46346 IN NS i.gtld-servers.net.
com. 46346 IN NS j.gtld-servers.net.
com. 46346 IN NS k.gtld-servers.net.
com. 46346 IN NS l.gtld-servers.net.
com. 46346 IN NS m.gtld-servers.net.
com. 46346 IN NS a.gtld-servers.net.

;; ADDITIONAL SECTION:
b.gtld-servers.net. 108927 IN A 192.33.14.30
b.gtld-servers.net. 108186 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 31139 IN A 192.26.92.30
d.gtld-servers.net. 30509 IN A 192.31.80.30
e.gtld-servers.net. 31139 IN A 192.12.94.30
f.gtld-servers.net. 31139 IN A 192.35.51.30
g.gtld-servers.net. 31139 IN A 192.42.93.30
h.gtld-servers.net. 110999 IN A 192.54.112.30
i.gtld-servers.net. 31139 IN A 192.43.172.30
j.gtld-servers.net. 31139 IN A 192.48.79.30
k.gtld-servers.net. 30509 IN A 192.52.178.30
l.gtld-servers.net. 31139 IN A 192.41.162.30
m.gtld-servers.net. 29335 IN A 192.55.83.30

;; Query time: 49 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 7 20:44:41 2005
;; MSG SIZE rcvd: 493

I couldn't see the difference in the message, but a copy/paste revealed the difference. But I had gone to the site mentioned and clicked on the link they said to check. It said that if I was vulnerable, it should have come up with paypal in the location bar but a page from their site, but it didn't. I just triple checked, and it says "www.paypal.com could not be found. Please check the name and try again." Sorry for the long post.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
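As an added illustration, not from either poster, here is a Python check for the kind of look-alike hostname the thread is about: it shows the ASCII (punycode) form the resolver actually queries, which is why the two dig queries above get different answers, lists the non-ASCII code points and mixed scripts in each label, and folds a small confusable table to see whether a name impersonates a trusted one. The sample hostnames and the confusable table are constructed for this example (the table is deliberately partial).

```python
import unicodedata

# Constructed samples: the first mimics the spoofed name from the thread
# (Cyrillic U+0430 in place of the second Latin "a"); the second is the genuine ASCII name.
SPOOFED = "www.payp\u0430l.com"
GENUINE = "www.paypal.com"

# Constructed, deliberately partial table of Cyrillic letters whose glyphs
# resemble Latin ones; Unicode's confusables.txt is the complete source.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def to_idna(hostname: str) -> str:
    """Return the ASCII form (xn-- labels) that a resolver sends on the wire."""
    return hostname.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Coarse script set for a label, taken from the first word of each Unicode name."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def suspicious_labels(hostname: str) -> list:
    """Labels containing non-ASCII characters or mixing scripts, with their code points."""
    findings = []
    for label in hostname.split("."):
        non_ascii = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
                     for ch in label if not ch.isascii()]
        mixed = len(scripts_in(label)) > 1
        if non_ascii or mixed:
            findings.append({"label": label, "non_ascii": non_ascii, "mixed_script": mixed})
    return findings


def skeleton(hostname: str) -> str:
    """Fold confusable characters onto their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def impersonates(hostname: str, trusted: str) -> bool:
    """True when hostname differs from trusted but folds onto it under the confusable table."""
    return hostname != trusted and skeleton(hostname) == trusted
```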