RE: browser redirection to forward.domainname.at
From: Anthony Buser (ABuser@UnConundrum.com) Date: 02/27/02
- Previous message: Ted Simmons: "Re: browser redirection to forward.domainname.at"
- Maybe in reply to: Matthew.van.Eerde@hbinc.com: "browser redirection to forward.domainname.at"
- Next in thread: Christopher Beers: "RE: browser redirection to forward.domainname.at"
Date: Wed, 27 Feb 2002 17:35:52 -0500 From: "Anthony Buser" <ABuser@UnConundrum.com> To: <Matthew.van.Eerde@hbinc.com>, <focus-ms@securityfocus.com>
We are having the exact same problem as this today! Glad (sort of) that
I'm not alone. My research has turned up virtually no other discussion
relating to this.
The problem definitely appears to be DNS poisoning. We're running Win2k
DNS. Clearing the cache on the DNS servers and doing an ipconfig
/flushdns on the workstations fixed the problem. However, it did start
to creep back and began happening again this afternoon.
When we check the DNS Event Viewer logs, we keep seeing the following
message:
"Event ID: 5504, The DNS server encountered an invalid domain name in a
packet from x.x.x.x. The packet is rejected."
From the following IP addresses over and over again:
63.239.93.60
63.239.93.61
66.60.156.146
All of which appear to belong to the University of New Haven. I tried
contacting them via email, but all addresses at newhaven.com appear to
fail. I have contacted upstream people and am awaiting a response. That last
IP address, 66.60.156.146, worries me that someone is messing around,
because it lists courses having to do with firewalls, viruses, and
cyberterrorism (gah!).
I'm running snort, but it hasn't seemed to pick up anything unusual.
I tried running tcpdump on our Linux firewall to try and see what's
going on. Unfortunately I'm not very experienced with reading tcpdump
output, so I don't quite know what's going on:
tcpdump -vvne src host 66.60.156.146 or 63.239.93.60 or 63.239.93.61
13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl
53, id 17536)
13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl
52, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)
Unfortunately I'm not knowledgeable enough to understand what tcpdump is
saying to me.
-----Original Message-----
From: Matthew.van.Eerde@hbinc.com [mailto:Matthew.van.Eerde@hbinc.com]
Sent: Tuesday, February 26, 2002 11:29 AM
To: focus-ms@securityfocus.com
Cc: focus-virus@securityfocus.com
Subject: browser redirection to forward.domainname.at
A strange problem is surfacing on our network. Users will type in a
website they have been to before, and they will be forwarded to
http://forward.domainname.at/http://212.69.172.16/forward.php
and then to
http://212.69.172.16/forward.php
Have we been hit by a virus? Or is there some name resolution hack on
the internet?
Typing in the IP address of a site
(http://216.168.252.86 for http://www.verisign.com, for example)
goes to the correct site. nslookup prompts from the command line yield
the correct IP address.
Workstations are Windows 2000 Professional SP2 with IE 6.
Matthew van Eerde
Software Engineer
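As an added example (not code from the thread or from any of its posters), the following Python parses the tcpdump lines quoted in the reply above exactly as they were posted, re-joins the mail-client line wrapping, decodes tcpdump's DNS notation (`14308*-` is transaction ID 14308 with the AA flag set and RA clear; `5/0/0` is the answer/authority/additional record counts), and then applies one detection heuristic that is mine, not the poster's: group inbound responses by client port, transaction ID and query name, and report any group answered from more than one source address. One query should draw one answer from one server, so several sources racing to answer the same transaction ID is the pattern a poisoning attempt leaves. The EXTERNALIP/INTERNALIP placeholders are the poster's redactions; the inside-interface (eth2) copies are skipped so a NAT'd packet is not counted twice. Field names and the `racing_answers` function are my own.

```python
"""Parse the wrapped tcpdump DNS lines quoted in the post and flag
responses that share one transaction ID but come from different sources.
Added example, not code from the thread; heuristic and names are mine."""
import re
from collections import defaultdict

# Capture text copied from the post, mail-client line wrapping included.
# EXTERNALIP / INTERNALIP are the poster's redactions, not real hosts.
CAPTURE = """\
13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl
53, id 17536)
13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl
52, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)
"""

# A tcpdump record starts at a timestamp; wrapped continuation lines do not.
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
# Layout of this tcpdump version's DNS-response line:
# "<src>.domain > <dst>.<port>: <txid><flags> q: <qname> <an>/<ns>/<ar>
#  <rr>, <rr>, ... (<dnslen>) [tos ..] (ttl <ttl>, id <ipid>)"
RESP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<dir>[<>]) .*? ip \d+: "
    r"(?P<src>\d+(?:\.\d+){3})\.domain > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[*+|-]*) q: (?P<qname>\S+) "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?: (?P<rrs>.*?))? \((?P<len>\d+)\)"
    r".*?\(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)"
)
# tcpdump's one-character DNS header flag notation.
FLAGS = {"*": "AA", "+": "RD", "-": "no RA", "|": "TC"}


def records(text):
    """Re-join the lines the mail client wrapped into one record per packet."""
    recs, cur = [], []
    for line in text.splitlines():
        if TS_RE.match(line) and cur:
            recs.append(" ".join(cur))
            cur = []
        cur.append(line.strip())
    if cur:
        recs.append(" ".join(cur))
    return recs


def parse_responses(text):
    """Return one dict per DNS response, with the answer RRs split out."""
    out = []
    for rec in records(text):
        m = RESP_RE.match(rec)
        if not m:
            continue  # queries and non-DNS lines are not handled here
        d = m.groupdict()
        rrs = d.pop("rrs") or ""
        d["answers"] = [rr.strip() for rr in rrs.split(",")] if rrs else []
        d["flags"] = [FLAGS.get(c, c) for c in d["flags"]]
        for k in ("dport", "txid", "an", "ns", "ar", "len", "ttl", "ipid"):
            d[k] = int(d[k])
        out.append(d)
    return out


def racing_answers(responses, external_iface="eth0"):
    """Group inbound responses by (client port, txid, qname) and return the
    groups answered from more than one source address (src -> record)."""
    groups = defaultdict(dict)
    for r in responses:
        if r["iface"] != external_iface or r["dir"] != "<":
            continue  # the eth2 copy is the same packet after NAT; skip it
        groups[(r["dport"], r["txid"], r["qname"])][r["src"]] = r
    return {key: srcs for key, srcs in groups.items() if len(srcs) > 1}


if __name__ == "__main__":
    resp = parse_responses(CAPTURE)
    for r in resp:
        print(r["ts"], r["iface"], r["src"], "->", f"{r['dst']}:{r['dport']}",
              "txid", r["txid"], "flags", ",".join(r["flags"]),
              f"{r['an']}/{r['ns']}/{r['ar']}", "ttl", r["ttl"], "ipid", r["ipid"])
    for (port, txid, qname), srcs in racing_answers(resp).items():
        print(f"txid {txid} for {qname} (client port {port}) answered by "
              f"{len(srcs)} sources: {', '.join(sorted(srcs))}")
        for r in srcs.values():
            print("   ", r["src"], "->", "; ".join(r["answers"]))
```

Run as-is, it reports transaction ID 14308 for all.net. answered by three different sources within four seconds, and the per-packet listing shows each eth0/eth2 pair carrying the same IP ID with the TTL one lower on eth2, which is one forwarded packet rather than a fourth response. The regex is tied to the exact tcpdump output layout quoted in the post; current tcpdump releases print these fields in a different order, so adapt `RESP_RE` before pointing it at a live capture.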