Re: [OT] Normal / virus / hijack?
From: Fred Marshall (fmarshallx_at_remove_the_x.acm.org)
Date: 07/05/04
Date: Mon, 5 Jul 2004 12:51:16 -0700
Jason,
OK, I ran a test. I had 6 DNS servers listed on this machine.
I removed them one by one and added some back one by one.
With no DNS servers the problem went away.
Adding *any* DNS server caused the problem to come back: including your
207.217.77.82.
If I look at the Properties of the page that appears, it has the title:
????????_BuyDomains.com_????`???
The second, added page that appears is:
http://www.seeq.com/popupwrapper.jsp?domain=dfnv9y8tijng.org
The IP address traces back to UUNET - so I've sent them a message.
So, I hope this helps because it's not clear to me how to figure out the
next steps.
Fred
"Jason Wade" <jw.strawberry.yogurt+nospam@earthlink.net> wrote in message
news:ofVFc.319$sD4.77@newsread3.news.atl.earthlink.net...
> On Sun, 04 Jul 2004 00:35:51 -0500, Fred Marshall wrote:
>
> > OK - so
> > "Jason Wade" <jw.strawberry.yogurt+toline@earthlink.net> wrote in message
> > news:pan.2004.06.30.04.02.24.639624.743@earthlink.net...
> >> On Tue, 29 Jun 2004 18:28:17 -0500, Fred Marshall wrote:
> >>
> >> > More information again:
> >> >
> >> > Incorrect URLs ending in ".com" seem to result in a normal Error page.
> >> >
> >> > Incorrect URLs ending in ".net" or ".org" are redirected as described.
> >> >
> >> > Try this one:
> >> >
> >> > www.centuryte.net which is a typo on centurytel...
> >> >
> >> > What do YOU get??
> >> >
> >>
> >> It seems to have been fixed (at least here):
> >>
> >> $ host www.centuryte.net
> >> Host www.centuryte.net. not found: 3(NXDOMAIN)
> >>
> >> $ host errfkdfksdlfjkdsl
> >> Host errfkdfksdlfjkdsl. not found: 3(NXDOMAIN)
> >>
> >> $ host www.centurytel.net
> >> www.centurytel.net. has address 209.142.136.209
> >>
> >
> > Right. So, I'm still suspecting that this is a hijack of the default page
> > for DNS error under some circumstances.
> >
> > Where / how to report this?
> >
> > Thanks,
> >
> > Fred
>
> Report what? First you need to know what is happening: is it dns
> wildcarding outside your machine, or is it spyware inside your machine?
>
> If dotster has put a wildcard in their dns service to resolve all names,
> that is unethical, and I imagine that you could contact icann (?).
>
> If someone has hijacked your personal machine's dns system by installing
> spyware, you would contact the upstream of the website
> that you're being redirected to. (Do not complain directly to spammers
> and system crackers unless you want to be joejobbed.)
>
> But don't do anything until you know that there still is a problem. I don't
> see the problem right now, so I think it was just one of the
> registrars seeing if they can do a "verislime" and get away with it. They
> tried it, they got spanked, and they cut it out.
>
> BTW, right now the only nameserver I'm using is 207.217.77.82. I decided
> to use as few nameservers as possible to avoid the "dns wildcard"
> problem.
>
> Perhaps you're using another nameserver that peers with a registrar
> that's pulling a "verislime".
>
> Check your dns settings, and (only if you still see this problem) please let
> me know what nameservers you're using.
>
> --
> If malware = scumbag, commercial malware = scumbag + business plan.
> -- cquirke (MVP Win9x) in microsoft.public.security.virus
>