RE: browser redirection to forward.domainname.at

From: Christopher Beers (ctbeers@syr.edu)
Date: 02/28/02


Date: Wed, 27 Feb 2002 23:12:06 -0500
From: "Christopher Beers" <ctbeers@syr.edu>
To: <Matthew.van.Eerde@hbinc.com>, <focus-ms@securityfocus.com>, <ABuser@UnConundrum.com>

The first address seems to be registered to the DNS server EAST.UNHCA.COM. Try sending email to abuse/postmaster@unhca.com. This may help.

I found this information doing a whois search of the first IP address.

Regards,

Christopher T. Beers
UNIX Systems Engineer
Syracuse University - Computing and Media Services
(315) 443-4103 Office (315) 443-1621 Fax

>>> "Anthony Buser" <ABuser@UnConundrum.com> 02/27/02 05:35PM >>>
We are having the exact same problem as this today! Glad (sort of) that
I'm not alone. My research has turned up virtually no other discussion
relating to this.

The problem definitely appears to be dns poisoning. We're running win2k
DNS. Clearing the cache on the DNS servers and doing an ipconfig
/flushdns on the workstations fixed the problem. However it did start
to creep back and started happening again this afternoon.

When we check the DNS event viewer logs, we keep seeing the following
messages:

"event id: 5504, The DNS server encountered an invalid domain name in a
packet from x.x.x.x. The packet is rejected."

From the following ip addresses over and over again:

63.239.93.60
63.239.93.61
66.60.156.146

All of which appear to belong to the University of New Haven. I tried
contacting them via email but all addresses to newhaven.com appear to
fail. I have contacted upstream people, awaiting response. That last
ip address 66.60.156.146 worries me that someone is messing around
because it lists courses having to do with firewalls, viruses, and
cyberterrorism (gah!).

I'm running snort, but it hasn't seemed to pick up anything unusual.

I tried running tcpdump on our linux firewall to try and see what's
going on. Unfortunately I'm not very experienced with reading tcpdump
output, so I don't quite know what's going on:

tcpdump -vvne src host 66.60.156.146 or 63.239.93.60 or 63.239.93.61

13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl
53, id 17536)
13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl
52, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)

Unfortunately I'm not knowledgeable enough to understand what tcpdump is
saying to me.

-----Original Message-----
From: Matthew.van.Eerde@hbinc.com [mailto:Matthew.van.Eerde@hbinc.com]
Sent: Tuesday, February 26, 2002 11:29 AM
To: focus-ms@securityfocus.com
Cc: focus-virus@securityfocus.com
Subject: browser redirection to forward.domainname.at

A strange problem is surfacing on our network. Users will type in a
website they have been to before, and they will be forwarded to

http://forward.domainname.at/http://212.69.172.16/forward.php
and then to
http://212.69.172.16/forward.php

Have we been hit by a virus? Or is there some name resolution hack on
the internet?

Typing in the ip address of a site
http://216.168.252.86 for http://www.verisign.com for example
goes to the correct site. nslookup prompts from the command line yield
the correct IP address.

Workstations are Windows 2000 Professional SP2 with IE 6.

Matthew van Eerde
Software Engineer
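The tcpdump capture above is the useful evidence in this thread: three different hosts send responses for the same query name with the same transaction id (14308) to the same client port, which is the signature of several parties racing to answer one resolver query. The following is an added example, not code from anyone in the thread: it parses lines in the old tcpdump DNS summary format shown above (with constructed sample records using documentation addresses in place of EXTERNALIP) and flags, from a defender's side, responders that are not the resolver's configured forwarders and transaction ids answered from more than one source.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the capture quoted in the thread
# (same txid 14308, same qname, three sources), plus one benign response.
SAMPLE = """\
13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 66.60.156.146.domain > 192.0.2.10.1063: 14308*- q: all.net. 5/0/0 all.net. A 204.181.12.215 (153)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.61.domain > 192.0.2.10.1063: 14308*- q: all.net. 5/0/0 all.net. A 204.181.12.215 (153)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.60.domain > 192.0.2.10.1063: 14308*- q: all.net. 5/0/0 all.net. A 204.181.12.215 (153)
13:37:55.000001 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 87: 198.51.100.53.domain > 192.0.2.10.1064: 2201 q: example.com. 1/0/0 example.com. A 203.0.113.7 (45)
"""

# Resolver's configured forwarder (assumed value for the example).
TRUSTED_RESPONDERS = {"198.51.100.53"}

# tcpdump summary: time iface dir srcmac dstmac ip len: src.domain > dst.port: txid[flags] q: qname a/n/ad ...
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+[<>]\s+\S+\s+\S+\s+ip\s+\d+:\s+"
    r"(?P<src>[\d.]+)\.domain\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<txid>\d+)(?P<flags>[*|\-+$]*)\s+q:\s+(?P<qname>\S+)\s+(?P<counts>\d+/\d+/\d+)"
)


def parse(text):
    """Return one dict per parseable DNS response line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["txid"] = int(rec["txid"])
            records.append(rec)
    return records


def unexpected_responders(records, trusted=TRUSTED_RESPONDERS):
    """Sources answering our resolver that are not servers it is configured to ask."""
    return sorted({r["src"] for r in records if r["src"] not in trusted})


def competing_answers(records):
    """(txid, qname, client port) answered by more than one source: a response race."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["txid"], r["qname"], r["dport"])].add(r["src"])
    return {key: sorted(srcs) for key, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("unexpected responders:", unexpected_responders(recs))
    print("competing answers:", competing_answers(recs))
```

On a real capture, run tcpdump with a large snaplength so the whole response is printed on one line, and compare the flagged sources against the resolver's forwarder list before escalating.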


