SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, May 22, 2010

Watch Your WHOIS Entries

Posted on 6:01 PM by Unknown
Thanks to sites like the Sucuri Security blog, domain name administrators should be learning that it is important to watch for updates to WHOIS records. Companies like Sucuri offer such a service free for one domain but charge for additional domains while providing extended services. If you'd just like to monitor your own WHOIS records using a simple script, you can be inspired by last year's article Network-based integrity monitoring keeps website hacks in check by David Davidson.

I decided to create the following simple script to watch two of my domains.

richard@macmini:~/check$ cat check.sh 
#/bin/sh
/usr/bin/whois bejtlich.net > /home/richard/check/bejtlich.net.whois.new.txt
/usr/bin/whois taosecurity.com > /home/richard/check/taosecurity.com.whois.new.txt

/usr/bin/diff -u /home/richard/check/bejtlich.net.whois.old.txt \ 
/home/richard/check/bejtlich.net.whois.new.txt | mail -s "bejtlich.net whois check" taosecurity@gmail.com
/usr/bin/diff -u /home/richard/check/taosecurity.com.whois.old.txt \
 /home/richard/check/taosecurity.com.whois.new.txt | mail -s "taosecurity.com whois check" taosecurity@gmail.com

mv /home/richard/check/bejtlich.net.whois.new.txt /home/richard/check \
/bejtlich.net.whois.old.txt
mv /home/richard/check/taosecurity.com.whois.new.txt /home/richard/check \
/taosecurity.com.whois.old.txt

Is this the world's greatest shell script? No, I wrote it in 60 seconds to make my point. Feel free to create something uber-cool and post it here. :)

Next I created empty files:

$ echo "" > bejtlich.net.whois.old.txt
$ echo "" > taosecurity.com.whois.old.txt

Finally I ran the check:

$ ./check.sh

Checking my email, I got two. Here's the one for bejtlich.net:

--- /home/richard/check/bejtlich.net.whois.old.txt      2010-05-22 20:52:58.000000000 -0400
+++ /home/richard/check/bejtlich.net.whois.new.txt      2010-05-22 20:53:05.000000000 -0400
@@ -1 +1,106 @@

+Whois Server Version 2.0
+
+Domain names in the .com and .net domains can now be registered
+with many different competing registrars. Go to http://www.internic.net
+for detailed information.
+
+   Domain Name: BEJTLICH.NET
+   Registrar: GODADDY.COM, INC.
+   Whois Server: whois.godaddy.com
+   Referral URL: http://registrar.godaddy.com
+   Name Server: NS18.ZONEEDIT.COM
+   Name Server: NS8.ZONEEDIT.COM
+   Status: clientDeleteProhibited
+   Status: clientRenewProhibited
+   Status: clientTransferProhibited
+   Status: clientUpdateProhibited
+   Updated Date: 22-may-2010
+   Creation Date: 01-jul-2000
+   Expiration Date: 01-jul-2011
...truncated...

As you can see it's "all new" because the old file was empty.

When I run the check again, I should get no significant changes via email.

--- /home/richard/check/bejtlich.net.whois.old.txt      2010-05-22 20:53:05.000000000 -0400
+++ /home/richard/check/bejtlich.net.whois.new.txt      2010-05-22 20:55:28.000000000 -0400
@@ -19,7 +19,7 @@
   Creation Date: 01-jul-2000
   Expiration Date: 01-jul-2011

->>> Last update of whois database: Sun, 23 May 2010 00:52:33 UTC <<<
+>>> Last update of whois database: Sun, 23 May 2010 00:54:20 UTC <<<
- Hide quoted text -

 NOTICE: The expiration date displayed in this record is the date the
 registrar's sponsorship of the domain name registration in the registry is

You could argue not to use diff -u to simplify the output. Sure, you could. I just prefer seeing some context when changes do occur.

Now I'm going to add another DNS server to my WHOIS record and see if my script catches the change.

Reading email...

--- /home/richard/check/bejtlich.net.whois.old.txt      2010-05-22 20:55:28.000000000 -0400
+++ /home/richard/check/bejtlich.net.whois.new.txt      2010-05-22 20:58:09.000000000 -0400
@@ -10,6 +10,7 @@
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS18.ZONEEDIT.COM
+   Name Server: NS5.ZONEEDIT.COM
   Name Server: NS8.ZONEEDIT.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
@@ -19,7 +20,7 @@
   Creation Date: 01-jul-2000
   Expiration Date: 01-jul-2011

->>> Last update of whois database: Sun, 23 May 2010 00:54:20 UTC <<<
+>>> Last update of whois database: Sun, 23 May 2010 00:57:09 UTC <<<

 NOTICE: The expiration date displayed in this record is the date the
 registrar's sponsorship of the domain name registration in the registry is
@@ -103,4 +104,5 @@
   Domain servers in listed order:
      NS18.ZONEEDIT.COM
      NS8.ZONEEDIT.COM
+      NS5.ZONEEDIT.COM

There it is -- ns5.zoneedit.com. If I hadn't made that change, then I would know someone has compromised my account.

The next evolution of this script is to run it from cron, and better yet modify it so I only get an email if there is a change. For now, I have a simple way to watch for changes. Again, Sucuri should take credit for bringing this to people's attention during the last 2 years or so.
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • SANS WhatWorks Summit in Forensics and Incident Response
    I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks gre...
  • Sguil 0.7.0 on Ubuntu 9.10
    Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubl...
  • Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs
    Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected So...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • Human Language as the New Programming Language
    If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think ...
  • DNI Blair Leads with APT as a "Wake-Up Call"
    AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Bla...
  • SANS Forensics and Incident Response 2009
    The agenda for the second SANS WhatWorks Summit in Forensics and Incident Response has been posted. I am really happy to see I am speakin...
  • NYCBSDCon 2010 Registration Open
    Registration for NYCBSDCon 2010 is now open. As usual George and friends have assembled a great schedule ! If you're in the New York...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ▼  May (15)
      • National Security Strategy is Empty on "Cyberspace"
      • Digital Security Is Not Just an Engineering Problem
      • "Privacy" vs "Security" or Privacy AND Security
      • More Evidence Military Will Eventually Defend Civi...
      • SANS WhatWorks Summit in Forensics and Incident Re...
      • Forget Pre-Incident Cost, How Much Did Your Last I...
      • More on Black Hat Costs
      • Watch Your WHOIS Entries
      • Review of Masters of Deception Posted
      • Review of Cyberpunk Posted
      • Review of The Hacker Crackdown Posted
      • Everything I Need to Know About Leadership I Learn...
      • Papers Not PowerPoint, Plus Tips for Improvement
      • Bejtlich to Speak at SANS Forensics and Incident R...
      • The Face of Information Warfare
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile