RE: browser redirection to forward.domainname.at
From: Steuernagel.Jason (Jason.Steuernagel@IGT.com) Date: 02/28/02
- Previous message: Skinner, Kit: "RE: Microsoft Security Bulletin MS02-011"
- Maybe in reply to: Matthew.van.Eerde@hbinc.com: "browser redirection to forward.domainname.at"
From: "Steuernagel.Jason" <Jason.Steuernagel@IGT.com> To: 'Anthony Buser' <ABuser@UnConundrum.com>, Matthew.van.Eerde@hbinc.com, focus-ms@securityfocus.com Date: Thu, 28 Feb 2002 09:22:03 -0800
I ran into a similar issue about a year ago with some of our DNS. Our cache
was being poisoned and we were getting the same event messages. We also
found that our root cache had been changed, resulting in lookups beginning
in the wrong place (which then handed back incorrect information regarding
domains).
We looked all over for a description of what was happening (didn't find one)
and ended up adding some additional security to our DNS, which needed to be
set within the registry (this was NT 4.0 DNS; 2000 may have these options
available). We turned off caching (MaxCacheTtl), set all of our zones to
only accept transfers from servers we specified (SecureResponses), and disabled
our root cache from dynamically updating (AutoCacheUpdate). These registry
keys are discussed in this KB article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q198408
-----Original Message-----
From: Anthony Buser [mailto:ABuser@UnConundrum.com]
Sent: Wednesday, February 27, 2002 2:36 PM
To: Matthew.van.Eerde@hbinc.com; focus-ms@securityfocus.com
Cc: focus-virus@securityfocus.com
Subject: RE: browser redirection to forward.domainname.at
We are having the exact same problem as this today! Glad (sort of) that I'm
not alone. My research has turned up virtually no other discussion relating
to this.
The problem definitely appears to be DNS poisoning. We're running Win2k DNS.
Clearing the cache on the DNS servers and doing an ipconfig /flushdns on the
workstations fixed the problem. However it did start to creep back and
started happening again this afternoon.
When we check the DNS event viewer logs, we keep seeing the following
messages:
"event id: 5504, The DNS server encountered an invalid domain name in a
packet from x.x.x.x. The packet is rejected."
From the following ip addresses over and over again:
63.239.93.60
63.239.93.61
66.60.156.146
All of which appear to belong to the University of New Haven. I tried
contacting them via email but all addresses to newhaven.com appear to fail.
I have contacted upstream people, awaiting response. That last ip address
66.60.156.146 worries me that someone is messing around because it lists
courses having to do with firewalls, viruses, and cyberterrorism (gah!).
I'm running snort, but it hasn't seemed to pick up anything unusual.
I tried running tcpdump on our linux firewall to try and see what's going
on. Unfortunately I'm not very experienced with reading tcpdump output, so
I don't quite know what's going on:
tcpdump -vvne src host 66.60.156.146 or 63.239.93.60 or 63.239.93.61
13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 53, id 17536)
13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 52, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)
Unfortunately I'm not knowledgeable enough to understand what tcpdump is
saying to me.
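The tcpdump lines in the message above can be read mechanically, and they already carry the indicator a defender would look for. What follows is an added example written for this archive page; it is not part of the thread and not something any of the posters ran. It parses the tcpdump -vv DNS summary lines quoted above (EXTERNALIP and INTERNALIP are the poster's own placeholders, kept as-is) and applies two checks: whether a single transaction id and destination port was answered from more than one source address, which is what the capture shows for id 14308 on port 1063, and whether any answer record's owner name falls outside the queried name (a rough bailiwick test, since the capture does not reveal which zone the responders are authoritative for). The RECORD pattern, the function names and the field interpretation (`*` = authoritative answer, `-` = recursion-available bit clear, `5/0/0` = answer/authority/additional counts) are my assumptions about tcpdump's summary format of that era.

```python
import re
from collections import defaultdict

# The six responses quoted in the message, one record per line.
SAMPLE = """\
13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 53, id 17536)
13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 52, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)
"""

# Assumed layout of one tcpdump -vv DNS summary line:
#   <time> <iface> <dir> <src mac> <dst mac> ip <len>: <src>.<sport> > <dst>.<dport>:
#   <txid><flags> q: <qname> <an>/<ns>/<ar> <rr>, <rr>, ... (<bytes>) ...
RECORD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) [<>] \S+ \S+ ip \d+: "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > (?P<dst>[\w.]+?)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[*\-|$+]*) q: (?P<qname>\S+) "
    r"(?P<ancount>\d+)/(?P<nscount>\d+)/(?P<arcount>\d+) (?P<rrs>.*?) \(\d+\)"
)


def parse_rrs(field):
    """Split the answer section into (owner, type, rdata) tuples.
    An entry that is only an owner name (tcpdump ran out of room) is skipped."""
    rrs = []
    for part in field.split(", "):
        tokens = part.split()
        if len(tokens) < 2:
            continue
        rrs.append((tokens[0], tokens[1], " ".join(tokens[2:])))
    return rrs


def parse(text):
    """Parse every line that matches RECORD; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rrs"] = parse_rrs(rec["rrs"])
            records.append(rec)
    return records


def in_bailiwick(owner, qname):
    """True when owner equals qname or lies beneath it (case- and dot-insensitive)."""
    o, q = owner.lower().rstrip("."), qname.lower().rstrip(".")
    return o == q or o.endswith("." + q)


def analyze(text):
    """Apply the two checks and return the findings as plain dicts."""
    records = parse(text)
    by_txid = defaultdict(set)
    for r in records:
        by_txid[(r["dst"], r["dport"], r["txid"])].add(r["src"])
    # One resolver port and transaction id answered by several hosts: a legitimate
    # lookup gets one reply from the server it asked, so this is the signature of
    # competing (forged or replayed) responses.
    multi_source = [
        {"dst": dst, "dport": dport, "txid": txid, "sources": sorted(srcs)}
        for (dst, dport, txid), srcs in sorted(by_txid.items())
        if len(srcs) > 1
    ]
    # Answer records for names outside the queried name should not be cached.
    out_of_bailiwick = [
        {"src": r["src"], "qname": r["qname"], "owner": owner, "type": rtype, "rdata": rdata}
        for r in records
        for owner, rtype, rdata in r["rrs"]
        if not in_bailiwick(owner, r["qname"])
    ]
    return {"responses": len(records), "multi_source": multi_source,
            "out_of_bailiwick": out_of_bailiwick}


if __name__ == "__main__":
    findings = analyze(SAMPLE)
    print(f"{findings['responses']} responses parsed")
    for f in findings["multi_source"]:
        print(f"txid {f['txid']} to {f['dst']}:{f['dport']} answered by {', '.join(f['sources'])}")
    for f in findings["out_of_bailiwick"]:
        print(f"out-of-bailiwick {f['type']} record for {f['owner']} in reply to {f['qname']} from {f['src']}")
```

Run against the quoted capture, the script reports id 14308 to port 1063 answered by all three addresses the poster listed (once on the outside interface and once again on the inside, since the firewall forwarded each packet), and no out-of-bailiwick records, because every answer is for all.net itself. The capture filter was `src host ...`, so it holds only inbound replies; capturing both directions would show whether the resolver ever sent a query with that id, which is the next thing to confirm.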
-----Original Message-----
From: Matthew.van.Eerde@hbinc.com [mailto:Matthew.van.Eerde@hbinc.com]
Sent: Tuesday, February 26, 2002 11:29 AM
To: focus-ms@securityfocus.com
Cc: focus-virus@securityfocus.com
Subject: browser redirection to forward.domainname.at
A strange problem is surfacing on our network. Users will type in a website
they have been to before, and they will be forwarded to
http://forward.domainname.at/http://212.69.172.16/forward.php
and then to
http://212.69.172.16/forward.php
Have we been hit by a virus? Or is there some name resolution hack on the
internet?
Typing in the IP address of a site
(http://216.168.252.86 for http://www.verisign.com, for example) goes to the
correct site. nslookup prompts from the command line yield the correct IP
address.
Workstations are Windows 2000 Professional SP2 with IE 6.
Matthew van Eerde
Software Engineer