Solved

Internet rerouting to wrong addresses?

Posted on 2006-07-21
Last Modified: 2012-05-05
Okay, urgently need this one figured out, folks.

If one of our users goes to a certain site (right now, there's a series of sites affected: www.youtube.com, www.darcars.com, etc.) they get rerouted to another site altogether.  This happens in both Firefox and Internet Explorer, to all of our users.  I've checked the hosts file, it's fine, their browsers are not using any proxies, and their DNS is still correctly pointing to our DNS servers.  It doesn't happen with all sites, just certain ones.  Yahoo.com for example still works.  www3.youtube.com works, but www.youtube.com does not.

Is there some new exploit out there that we haven't heard about?  Desperately need this one fixed, folks.

-Javin
Question by:Javin007
LVL 8

Expert Comment

by:jessmca
ID: 17155983
What site are they getting redirected to?
LVL 2

Assisted Solution

by:masoncooper
masoncooper earned 400 total points
ID: 17155997
I know you checked your Hosts file, but you might want to double-check it. I've seen programs insert a long string of line-breaks in the file so that when you just glance at the file, it appears fine, but scrolling down to the bottom reveals the malicious entries.

If that doesn't work, you may want to go to a command prompt and type IPCONFIG /FLUSHDNS to clear out your DNS cache.  

If it still points to the wrong location, try pinging each of the affected sites and then do the same from a known-good machine, note the IP of both, that should help narrow down where the problem is stemming from.
LVL 4

Author Comment

by:Javin007
ID: 17156000
Can't figure that one out, because the address bar still says "www.youtube.com".

I BELIEVE their IP is 69.90.42.5, but just trying to type that in as the address gives me an error.

-Javin
LVL 4

Author Comment

by:Javin007
ID: 17156118
Double-checked the hosts, and flushed the DNS, still no dice.  Unfortunately, we don't have a known "good" machine in the facility.  All of them are affected.  I had a buddy externally do a traceroute on youtube, and the IP isn't the same.  If I do an nslookup for the affected sites, they ALL return the same IP address.

-Javin
LVL 10

Assisted Solution

by:fm250
fm250 earned 400 total points
ID: 17156154
Is this happening to all machines? Are these machines up to date?
What OS do they have? This kind of problem usually happens to some machines because of spyware.

So if it is not all machines then try to scan the ones with some spyware programs. Here are some links:
Ad-Aware:
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5
spybot:
http://spybot.safer-networking.de/en/download/index.html
hijackthis:
http://www.majorgeeks.com/download3155.html

See this also:
http://www.spywareinfo.com/downloads.php?cat=sp#det

Security Task Manager displays detailed information about all running processes:
http://www.neuber.com/taskmanager/index.html

If it is not all machines, however, this may be something in the DNS server, so check the server for any suspected services and also check the configuration.

Hope this helps!
LVL 2

Expert Comment

by:masoncooper
ID: 17156163
If all other machines are affected, check the server that DNS is running on.  Nslookup Youtube.  If it comes back as the affected IP, check its Hosts file and if it's clear, check the DNS manager (if you're using MS DNS) for any odd entries.  Lastly, I'd take one of the machines (not the server), and hard-code its DNS server to be the upstream DNS that the DNS server is SUPPOSED to be using.  Nslookup Youtube again.  If it comes back bad again, you need to check with whoever maintains your upstream DNS because it would then look like THEY are the one feeding you the bad data.
LVL 8

Accepted Solution

by:jessmca
jessmca earned 1200 total points
ID: 17156314
I had this happen once before.
Restarting the DNS server sorted it.  Has never recurred.
LVL 4

Author Comment

by:Javin007
ID: 17156327
Yeah, just checked the external DNS server that we're getting our DNS updated from, and it's clean, so it's definitely internal.  Trying a reboot now.

-Javin
LVL 4

Author Comment

by:Javin007
ID: 17156444
Well, the reboot seemed to work.  O.o  Odd.  Since everyone helped troubleshoot, I wanna throw some points to everyone, but I'll give you the majority, jessmca.

-Javin
LVL 8

Expert Comment

by:jessmca
ID: 17156494
Cheers
I never found out what caused this, but it has not happened again since.  That was about 6 months ago.
Sure it keeps you on your toes :)
LVL 10

Expert Comment

by:fm250
ID: 17157179
Thanks Javin, it seems that rebooting solves many Microsoft OS/application problems.
LVL 4

Author Comment

by:Javin007
ID: 17157240
I've been doing some further research trying to find the source, and apparently this is something called "DNS Poisoning."  

Having reviewed the logs, apparently someone "DNS Poisoned" our AT&T DNS servers.  Because we had a good amount of the DNS entries already cached on our OWN DNS server (common ones like google, yahoo, hotmail, etc.), those addresses weren't affected.  It was the "new" addresses that our DNS server grabbed from AT&T's that were 'poisoned', thus rerouting us to the wrong site.

AT&T apparently caught the problem and fixed it rather quickly, but we'd already had some bad DNS entries cached on our end.  The reboot apparently flushed ALL of our local DNS entries, requiring them to be gathered from the AT&T servers again, which were now fixed.

So that's what happened on our end.  :)  Just thought I'd let you guys know in case you run into this in the future.

-Javin
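An added example (not from anyone in this thread) that turns the procedure masoncooper described and Javin's final explanation into a small check: resolve each affected name against the local caching server and against the upstream server, flag names where the two disagree, and flag the symptom Javin saw, many unrelated names collapsing onto one address. The answers are constructed sample data using documentation address ranges; in practice you would fill the two tables from nslookup output on both servers.

```python
from collections import defaultdict

# Constructed sample answers (documentation ranges, not real addresses):
# LOCAL is what the site's own caching DNS server returned, UPSTREAM is what
# the ISP server answers when a client is pointed at it directly.
LOCAL = {
    "www.youtube.com": "203.0.113.9",
    "www.darcars.com": "203.0.113.9",
    "www.example.net": "203.0.113.9",
    "www3.youtube.com": "198.51.100.20",
    "yahoo.com": "198.51.100.30",
}
UPSTREAM = {
    "www.youtube.com": "198.51.100.10",
    "www.darcars.com": "198.51.100.11",
    "www.example.net": "198.51.100.12",
    "www3.youtube.com": "198.51.100.20",
    "yahoo.com": "198.51.100.30",
}

def find_disagreements(local, upstream):
    """Names whose answer from the local caching server differs from upstream."""
    return {n: (ip, upstream.get(n)) for n, ip in local.items() if upstream.get(n) != ip}

def find_collapsed_names(answers, min_names=3):
    """Addresses that several unrelated names all resolve to (many names -> one IP).
    Shared hosting or a CDN can do this legitimately, so treat it as a lead, not proof."""
    by_ip = defaultdict(list)
    for name, ip in answers.items():
        by_ip[ip].append(name)
    return {ip: sorted(ns) for ip, ns in by_ip.items() if len(ns) >= min_names}

def triage(local, upstream, min_names=3):
    """Where the bad data lives: 'clean', 'local-cache' (flush/restart the local
    server) or 'upstream' (the upstream server itself is handing out bad answers)."""
    bad = find_disagreements(local, upstream)
    collapsed = find_collapsed_names(local, min_names)
    if not bad and not collapsed:
        return "clean"
    if bad and not find_collapsed_names(upstream, min_names):
        # Upstream looks normal, so the stale or poisoned entries are cached locally.
        return "local-cache"
    return "upstream"

if __name__ == "__main__":
    print(find_disagreements(LOCAL, UPSTREAM))
    print(find_collapsed_names(LOCAL))
    print(triage(LOCAL, UPSTREAM))
```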
