Solved

Internet rerouting to wrong addresses?

Posted on 2006-07-21
928 Views
Last Modified: 2012-05-05
Okay, urgently need this one figured out, folks.

If one of our users goes to a certain site (right now, there's a series of sites affected.  www.youtube.com, www.darcars.com, etc.) they get rerouted to another site altogether.  This happens in both Firefox and Internet Explorer, to all of our users.  I've checked the hosts file, it's fine, their browsers are not using any proxies, and their DNS is still correctly pointing to our DNS servers.  It doesn't happen with all sites, just certain ones.  Yahoo.com for example still works.  www3.youtube.com works, but www.youtube.com does not.

Is there some new exploit out there that we haven't heard about?  Desperately need this one fixed, folks.

-Javin
Question by:Javin007
12 Comments
 
LVL 8

Expert Comment

by:jessmca
ID: 17155983
What site are they getting redirected to?
0
 
LVL 2

Assisted Solution

by:masoncooper
masoncooper earned 100 total points
ID: 17155997
I know you checked your Hosts file, but you might want to double-check it, I've seen programs insert a long string of line-breaks in the file so that when you just glance at the file, it appears fine, but scrolling down to the bottom reveals the malicious entries.

If that doesn't work, you may want to go to a command prompt and type IPCONFIG /FLUSHDNS to clear out your DNS cache.  

If it still points to the wrong location, try pinging each of the affected sites and then do the same from a known-good machine, note the IP of both, that should help narrow down where the problem is stemming from.
0
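The "long string of line-breaks" trick masoncooper describes is easy to miss by eye but easy to catch with a script. The following is an added example, not code from this thread: it parses a hosts file, reports any mapping that sits below an unusually long run of blank lines, and flags mappings that point a name at a public address (a normal hosts file only points names at loopback or private addresses). The SAMPLE_HOSTS content, the 300-line padding and the 69.90.42.5 entries are constructed for illustration; the public address threshold and the blank-line threshold are assumptions you can tune.

```python
"""Audit a hosts file for entries hidden below a run of blank lines.

Added example, not code from the original thread.  SAMPLE_HOSTS is a
constructed file; on Windows the real file is
%SystemRoot%\\System32\\drivers\\etc\\hosts, on Unix /etc/hosts.
"""
import ipaddress
from pathlib import Path

# Constructed sample: a normal-looking header, then 300 blank lines hiding
# redirect entries for the sites named in the thread.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    + "\n" * 300
    + "69.90.42.5      www.youtube.com\n"
    "69.90.42.5      www.darcars.com   # hypothetical injected entries\n"
)

# Addresses a legitimate hosts entry normally points at (loopback / blackhole).
_BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}
_BLANK_RUN_THRESHOLD = 20  # assumption: more consecutive blank lines than a sane file needs


def parse_hosts(text):
    """Yield (line_no, ip, [names], blank_lines_before) for each mapping line."""
    blank_run = 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            blank_run += 1
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                    # not a mapping line
            blank_run = 0
            continue
        yield line_no, str(ip), fields[1:], blank_run
        blank_run = 0


def audit_hosts(text):
    """Return a list of findings (dicts) for suspicious mapping lines."""
    findings = []
    for line_no, ip, names, blank_run in parse_hosts(text):
        reasons = []
        if blank_run >= _BLANK_RUN_THRESHOLD:
            reasons.append(f"hidden below {blank_run} blank lines")
        if ip not in _BENIGN_TARGETS and not ipaddress.ip_address(ip).is_private:
            reasons.append(f"maps to public address {ip}")
        if reasons:
            findings.append({"line": line_no, "ip": ip, "names": names, "reasons": reasons})
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit a hosts file on disk (path is the Windows default; adjust as needed)."""
    return audit_hosts(Path(path).read_text(errors="ignore"))


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {' '.join(f['names'])} ({'; '.join(f['reasons'])})")
```

Run it against the real file with audit_hosts_file() on each workstation; an empty result means the hosts file really is clean and the problem is further up, in the resolver chain.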
 
LVL 4

Author Comment

by:Javin007
ID: 17156000
Can't figure that one out, because the address bar still says "www.youtube.com"

I BELIEVE their IP is 69.90.42.5, but just trying to type that in as the address gives me an error.

-Javin
0
 
LVL 4

Author Comment

by:Javin007
ID: 17156118
Double-checked the hosts, and flushed the DNS, still no dice.  Unfortunately, we don't have a known "good" machine in the facility.  All of them are affected.  I had a buddy externally do a traceroute on youtube, and the ip isn't the same.  If I do an nslookup for the affected sites, they ALL return the same IP address.

-Javin
0
 
LVL 10

Assisted Solution

by:fm250
fm250 earned 100 total points
ID: 17156154
Is this happening to all machines? Are these machines up to date?
What OS do they have? This kind of problem usually happens to some machines because of spyware.

So if it is not all machines, then try to scan the ones with some spyware programs. Here are some links:
Ad-Aware:
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5
spybot:
http://spybot.safer-networking.de/en/download/index.html
hijackthis:
http://www.majorgeeks.com/download3155.html

see this also:
http://www.spywareinfo.com/downloads.php?cat=sp#det

Security Task Manager displays detailed information about all running processes:
http://www.neuber.com/taskmanager/index.html

If it is not all machines however, this may be something in the DNS server, so check the server for any suspected services and also check the configuration.

hope this helps!
0
 
LVL 2

Expert Comment

by:masoncooper
ID: 17156163
If all other machines are affected, check the server that DNS is running on.  Nslookup Youtube.  If it comes back as the affected IP, check its Hosts file and if it's clear, check the DNS manager (if you're using MS DNS) for any odd entries.  Lastly, I'd take one of the machines (not the server), and hard-code its DNS server to be the upstream DNS that the DNS server is SUPPOSED to be using.  Nslookup Youtube again.  If it comes back bad again, you need to check with whoever maintains your upstream DNS because it would then look like THEY are the one feeding you the bad data.
0
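masoncooper's last step, asking the upstream resolver directly and comparing its answer with the internal server's, is the check that localises the bad data. nslookup can do it by hand one name at a time; the following added example (not from this thread) does the same for a list of names in one go. Because the standard library's gethostbyname always uses the OS-configured resolver, the script builds a minimal DNS A query itself so it can be sent to any chosen server. The LOCAL and UPSTREAM addresses and the NAMES list are placeholders to replace with your internal DNS server, the forwarder it uses, and the affected names.

```python
"""Query the same names against two resolvers and report where they differ.

Added example, not from the original thread.  Builds a raw DNS A query with
the standard library so a specific server can be asked directly.  The server
addresses in __main__ are placeholders (RFC 5737 documentation ranges).
"""
import random
import socket
import struct


def build_query(name, txn_id):
    """Return the wire-format DNS query for an A record of `name`."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg, offset):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, name ends
            return offset + 2
        offset += 1 + length


def parse_a_records(msg, txn_id):
    """Return the sorted IPv4 answers in a DNS response, or raise on a bad reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txn_id:
        raise ValueError("transaction id mismatch (reply not for our query)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        offset = _skip_name(msg, offset) + 4
    answers = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen                      # CNAMEs etc. are skipped, not followed
    return sorted(answers)


def resolve(name, server, timeout=3.0):
    """Ask `server` (IP string) for the A records of `name` over UDP/53."""
    txn_id = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txn_id), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txn_id)


def compare(names, local_server, upstream_server, lookup=resolve):
    """Return {name: (local_answers, upstream_answers)} for names that disagree."""
    mismatches = {}
    for name in names:
        local = lookup(name, local_server)
        upstream = lookup(name, upstream_server)
        if local != upstream:
            mismatches[name] = (local, upstream)
    return mismatches


if __name__ == "__main__":
    NAMES = ["www.youtube.com", "www.darcars.com", "www.yahoo.com"]
    LOCAL, UPSTREAM = "192.0.2.10", "192.0.2.1"   # placeholders: internal DNS, its forwarder
    for name, (loc, up) in compare(NAMES, LOCAL, UPSTREAM).items():
        print(f"{name}: local={loc} upstream={up}")
```

If every mismatch shows the internal server returning one address and the upstream returning the real one, the bad data lives in your own server's cache; if both agree on the wrong address, the upstream is feeding it to you and it is the upstream operator's problem to fix.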

 
LVL 8

Accepted Solution

by:jessmca
jessmca earned 300 total points
ID: 17156314
I had this happen once before.
Restarting the dns server sorted it.  Has never recurred.
0
 
LVL 4

Author Comment

by:Javin007
ID: 17156327
Yeah, just checked the external DNS server that we're getting our DNS updated from, and it's clean, so it's definitely internal.  Trying a reboot now.

-Javin
0
 
LVL 4

Author Comment

by:Javin007
ID: 17156444
Well, the reboot seemed to work.  O.o  Odd.  Since everyone helped troubleshoot, I wanna throw some points to everyone, but I'll give you the majority, jessmca.

-Javin
0
 
LVL 8

Expert Comment

by:jessmca
ID: 17156494
Cheers
I never found out what caused this, but it has not happened again since.  That was about 6 months ago.
Sure it keeps you on your toes :)

0
 
LVL 10

Expert Comment

by:fm250
ID: 17157179
Thanks Javin, it seems that rebooting solves many Microsoft OS/application problems.
0
 
LVL 4

Author Comment

by:Javin007
ID: 17157240
I've been doing some further research trying to find the source, and apparently this is something called "DNS Poisoning."  

Having reviewed the logs, apparently someone "DNS Poisoned" our AT&T DNS servers.  Because we had a good amount of the DNS entries already cached on our OWN DNS server, (common ones like google, yahoo, hotmail, etc) those addresses weren't affected.  It was the "new" addresses that our DNS server grabbed from AT&T's that were 'poisoned', rerouting us to the wrong site.

AT&T apparently caught the problem and fixed it rather quickly, but we'd already had some bad DNS entries cached on our end.  The reboot apparently flushed ALL of our local DNS entries, requiring them to be gathered from the AT&T servers again, which were now fixed.

So that's what happened on our end.  :)  Just thought I'd let you guys know in case you run into this in the future.

-Javin
0
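Javin's explanation hinges on how a caching resolver behaves: an answer is kept until its TTL expires, so anything cached before the upstream was poisoned keeps serving the good address, anything first looked up during the poisoning window keeps serving the bad one, and fixing the upstream does nothing for the entries already cached downstream until the cache is cleared. The following added example (not from this thread) replays that timeline against a toy caching resolver; the addresses, the 86400-second TTL and the poisoned answer are all constructed.

```python
"""Replay the thread's timeline against a toy caching resolver.

Added example, not from the original thread.  GOOD, BAD_ADDR and the TTL are
constructed values; Upstream stands in for the ISP resolver and
CachingResolver for the site's own DNS server.
"""

GOOD = {"www.yahoo.com": "198.51.100.10", "www.youtube.com": "198.51.100.20"}
BAD_ADDR = "203.0.113.66"   # constructed attacker-controlled address


class Upstream:
    """Stand-in for the ISP resolver; `poisoned` can be switched on and off."""

    def __init__(self, ttl=86400):
        self.ttl = ttl
        self.poisoned = False

    def query(self, name):
        """Return (address, ttl); while poisoned, every name gets BAD_ADDR."""
        return (BAD_ADDR if self.poisoned else GOOD[name]), self.ttl


class CachingResolver:
    """Minimal caching forwarder: serves from cache until the entry's TTL expires."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}          # name -> (address, expires_at)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            return entry[0]      # cache hit: upstream is never asked
        addr, ttl = self.upstream.query(name)
        self.cache[name] = (addr, now + ttl)
        return addr

    def flush(self):
        """What the reboot did: drop every cached answer."""
        self.cache.clear()


def timeline():
    """Return the answer the local resolver gives at each step of the story."""
    up = Upstream(ttl=86400)
    local = CachingResolver(up)
    out = {}
    out["yahoo_before"] = local.resolve("www.yahoo.com", now=0)            # cached while upstream is clean
    up.poisoned = True                                                      # upstream gets poisoned
    out["yahoo_during"] = local.resolve("www.yahoo.com", now=100)          # still good: served from cache
    out["youtube_during"] = local.resolve("www.youtube.com", now=100)      # bad: first lookup hits poisoned upstream
    up.poisoned = False                                                     # ISP fixes its server
    out["youtube_after_fix"] = local.resolve("www.youtube.com", now=200)   # still bad: poisoned entry is cached
    local.flush()                                                           # reboot / clear cache
    out["youtube_after_flush"] = local.resolve("www.youtube.com", now=300) # good again
    return out


if __name__ == "__main__":
    for step, addr in timeline().items():
        print(f"{step:20s} {addr}")
```

The reboot worked because it emptied the cache; the same effect without a reboot is `dnscmd /clearcache` on a Windows DNS server (or "Clear Cache" on the server node in the DNS console), which is the quicker fix to reach for if this recurs.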
