Lycos may accidentally have launched a denial-of-service attack against its own anti-spam campaign Web site, "Make Love Not Spam".
According to security company F-Secure on Thursday, one of the Web sites Lycos targeted in its zombie army attack -- www.mortgage.info -- redirected traffic back to www.makelovenotspam.com. This means that Lycos could have targeted its own Web site.
"The fact that the spammers re-routed the page shows they are fed up," said Mikko Hypponen, director of antivirus research at F-Secure. "But I think Lycos is not going to keep this up for long. It's certainly a pest, but it's not the grown-up way. We think this is not the right way to fight back and we advise users not to get involved."
The security company said that the mortgage.info Web site administrator put a meta refresh tag in its Web site, which redirected traffic back to Lycos.
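An added example, not part of the original article: one way an analyst can check a fetched page for the kind of meta refresh redirect F-Secure describes and see where it sends visitors. The sample markup is constructed (the article does not show the tag that was actually used), and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# content="<delay>[; url=<target>]"; the target may be quoted, "url=" is case-insensitive
_CONTENT = re.compile(
    r"""^\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(['"]?)(.*?)\2)?\s*$""",
    re.I | re.S)

class _RefreshFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (delay_seconds, raw_target_or_None)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser already lowercases names
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            m = _CONTENT.match(a.get("content", ""))
            if m:
                self.found.append((float(m.group(1)), m.group(3) or None))

def _site(url):
    # Compare hosts with a leading "www." ignored
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def meta_refresh_targets(html, page_url):
    """Return one dict per meta refresh tag: delay, resolved destination, off_site flag."""
    finder = _RefreshFinder()
    finder.feed(html)
    results = []
    for delay, target in finder.found:
        dest = urljoin(page_url, target) if target else page_url  # no URL = reload
        results.append({"delay": delay, "destination": dest,
                        "off_site": _site(dest) != _site(page_url)})
    return results

# Constructed sample pages (the real markup used on the site is not shown in the article)
REDIRECTING_PAGE = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.makelovenotspam.com/">
</head><body>Moved</body></html>"""
LOCAL_PAGE = """<html><head><meta http-equiv="refresh" content="5;url='/moved.html'">
<meta http-equiv="refresh" content="30"></head></html>"""

if __name__ == "__main__":
    for r in meta_refresh_targets(REDIRECTING_PAGE, "http://www.mortgage.info/"):
        print(r)
    for r in meta_refresh_targets(LOCAL_PAGE, "http://www.mortgage.info/index.html"):
        print(r)
```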
Lycos did not respond to requests for comment on the issue.
F-Secure added it had received three independent reports from users who saw the Lycos Web site defaced yesterday. The company said the hackers may have used DNS poisoning -- a method of Web site misdirection -- to fool users into thinking they had defaced the site, when in fact they were looking at an entirely different Web page. Yesterday Lycos denied its servers had been attacked, which could suggest that both companies are correct.
Lycos' 'Make love not spam' campaign was reported to have killed access to some of the Web sites it was targeting.
Internet monitoring firm Netcraft said that Lycos took offline two Web sites hosted in China.
Lycos said yesterday its intention was not to carry out DDoS attacks, but to slow the bandwidth of its targets. It added it had no intention of taking Web sites offline.






Talkback
The "defacement" is not likely to have been a defacement - the nanog@nanog.org mailing list of the North American Network Operators' Group has a post stating that at least one backbone seems to have redirected any IP addresses it controls that try to hit the makelovenotspam page (presumably to download the screensaver) to a warning page saying it had logged their IP.
Here's a post on the nanog mailing list, which gives a full sequence -
Hannigan, Martin <hannigan@verisign.com> wrote:
>> -----Original Message-----
>> From: Lionel [mailto:nop@alt.net]
>> Sent: Thursday, December 02, 2004 8:40 AM
>> To: Hannigan, Martin
>> Cc: nanog list
>> Subject: Re: How many backbones here are filtering the
>> makelovenotspam screensaver site?
>>
>>
>> On Thu, 2 Dec 2004 08:27:38 -0500 , "Hannigan, Martin"
>> <hannigan@verisign.com> wrote:
>>
>>>>> Hosted on a cablemodem? Tch, tch, how the mighty have fallen
>>>
>>>
>>> The blocks are widespread.
>>>
>>> The reports of hackers are incorrect. The blackholes are what is stopping
>>> them.
>>
>> What amazing efficiency. I can't help but wonder if these same providers
>> are as quick at blackholing spamsite hosts, or blocking the zombies
>> on their user networks from spewing spam on port 25?
>
> If you tied all the spammers into a few controllers, you see it happen
> immediately.
>
> I've been following the news reports on this. Here's a quick summary
> of "what I know" without making any judgement or opinion:
>
>
> - The lycos screensaver campaign activated Tuesday
> - Major networks began activating blocks
> - When the controllers can't be reached, the clients die off
> - If screensaver is active when controllers die, it runs
> off the current target list.
> - If screensaver deactivates, then activates, it can't
> contact the servers and tells the user it's "off the internet"
> (I can't verify the veracity of the update process i.e. if it
> will die while active)
> - Blocks started going up early Wednesday morning
> - The press began reporting hackers due to an apparent defacement
> being seen by many users. What they actually saw was the banner of
> an ISP that had blackholed the traffic and redirected port
> 80 to a notice.
> - Lycos moved their application to a hosting facility with bigger
> pipes
> - Target sites began using redirects sending the traffic back
> to Lycos
> - Press reports are coming out today regarding the blackholes
> - SpamCop is the source of the target list via a page that is public
> off of the SpamCop site (SpamCop does not appear to have
> complicity)
> - The effectiveness of the blackholes is rising
> - There are a reported 100K clients downloaded. Less than you would
> expect due to the voluminous press coverage. Probably a result of
> the blackhole activity as well.
>
> I'm really not sure if Lycos knows about the blackholes at
> this point as the press has been reporting "hackers" all the while.
> If you think it's hacked, check the route.
>
> Here's some operational data captured via ethereal
>
> The target list generated by the botnet controller:
>
> GET /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml HTTP/1.1
> Referer: http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml
> x-flash-version: 7,0,19,0
> User-Agent: Shockwave Flash
> Host: backend.makelovenotspam.com
> Cache-Control: no-cache
>
> HTTP/1.1 200 OK
> Server: Resin/2.1.14
> Content-Type: text/xml; charset=UTF-8
> Content-Length: 2889
> Connection: close
> Date: Thu, 02 Dec 2004 15:22:00 GMT
>
> <?xml version="1.0" encoding="UTF-8"?>
> <mlns><targets location="US"><target id="TVRBd01EQXdOVGt5"
> domain="myshopinternetcompany.com"
> url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680"
> hits="2572309" percentage