Internet rerouting to wrong addresses?

Okay, urgently need this one figured out, folks.

If one of our users goes to a certain site (right now, there's a series of sites affected.  www.youtube.com, www.darcars.com, etc.) they get rerouted to another site altogether.  This happens in both Firefox and Internet Explorer, to all of our users.  I've checked the hosts file, it's fine, their browsers are not using any proxies, and their DNS is still correctly pointing to our DNS servers.  It doesn't happen with all sites, just certain ones.  Yahoo.com for example still works.  www3.youtube.com works, but www.youtube.com does not.

Is there some new exploit out there that we haven't heard about?  Desperately need this one fixed, folks.

-Javin
Javin007 Asked:
jessmca Commented:
I had this happen once before.
Restarting the dns server sorted it.  Has never recurred.
 
jessmca Commented:
What site are they getting redirected to?
 
masoncooper Commented:
I know you checked your Hosts file, but you might want to double-check it.  I've seen programs insert a long string of line breaks in the file so that when you just glance at the file it appears fine, but scrolling down to the bottom reveals the malicious entries.

If that doesn't work, you may want to go to a command prompt and type IPCONFIG /FLUSHDNS to clear out your DNS cache.  

If it still points to the wrong location, try pinging each of the affected sites and then do the same from a known-good machine.  Note the IP of both; that should help narrow down where the problem is stemming from.
 
Javin007 (Author) Commented:
Can't figure that one out, because the address bar still says "www.youtube.com".

I BELIEVE their IP is 69.90.42.5, but just trying to type that in as the address gives me an error.

-Javin
 
Javin007 (Author) Commented:
Double-checked the hosts, and flushed the DNS, still no dice.  Unfortunately, we don't have a known "good" machine in the facility.  All of them are affected.  I had a buddy externally do a traceroute on youtube, and the IP isn't the same.  If I do an nslookup for the affected sites, they ALL return the same IP address.

-Javin
 
fm250 Commented:
Is this happening to all machines?  Are these machines up to date?
What OS do they have?  This kind of problem usually happens to some machines because of spyware.

So if it is not all machines then try to scan the ones with some spyware programs.  Here are some links:
Ad-Aware:
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5
Spybot:
http://spybot.safer-networking.de/en/download/index.html
HijackThis:
http://www.majorgeeks.com/download3155.html

See this also:
http://www.spywareinfo.com/downloads.php?cat=sp#det

Security Task Manager displays detailed information about all running processes:
http://www.neuber.com/taskmanager/index.html

If it is not all machines however, this may be something in the DNS server, so check the server for any suspected services and also check the configuration.

Hope this helps!
 
masoncooper Commented:
If all other machines are affected, check the server that DNS is running on.  Nslookup Youtube.  If it comes back as the affected IP, check its Hosts file and if it's clear, check the DNS manager (if you're using MS DNS) for any odd entries.  Lastly, I'd take one of the machines (not the server), and hard-code its DNS server to be the upstream DNS that the DNS server is SUPPOSED to be using.  Nslookup Youtube again.  If it comes back bad again, you need to check with whoever maintains your upstream DNS because it would then look like THEY are the ones feeding you the bad data.
 
Javin007 (Author) Commented:
Yeah, just checked the external DNS server that we're getting our DNS updated from, and it's clean, so it's definitely internal.  Trying a reboot now.

-Javin
 
Javin007 (Author) Commented:
Well, the reboot seemed to work.  O.o  Odd.  Since everyone helped troubleshoot, I wanna throw some points to everyone, but I'll give you the majority, jessmca.

-Javin
 
jessmca Commented:
Cheers
I never found out what caused this, but it has not happened again since.  That was about 6 months ago.
Sure it keeps you on your toes :)

 
fm250 Commented:
Thanks Javin, it seems that rebooting solves many Microsoft OS/application problems.
 
Javin007 (Author) Commented:
I've been doing some further research trying to find the source, and apparently this is something called "DNS Poisoning."  

Having reviewed the logs, apparently someone "DNS Poisoned" our AT&T DNS servers.  Because we had a good amount of the DNS entries already cached on our OWN DNS server (common ones like google, yahoo, hotmail, etc.), those addresses weren't affected.  It was the "new" addresses that our DNS server grabbed from AT&T's that were 'poisoned', thus rerouting us to the wrong site.

AT&T apparently caught the problem and fixed it rather quickly, but we'd already had some bad DNS entries cached on our end.  The reboot apparently flushed ALL of our local DNS entries, requiring them to be gathered from the AT&T servers again, which were now fixed.

So that's what happened on our end.  :)  Just thought I'd let you guys know in case you run into this in the future.

-Javin
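As an added example (not part of the original thread), masoncooper's "compare the cache against the upstream" step and the symptom Javin saw (every affected name resolving to one address) expressed as a small Python triage script; the names, addresses and function names are constructed for illustration, so it runs offline without touching a real resolver:

```python
"""Added example, not from the original thread: two checks for the
cache-poisoning symptoms described above, run on constructed sample
answers (RFC 5737 documentation addresses) instead of live lookups."""
from collections import defaultdict

# Constructed: what the local caching DNS server answered for each name.
LOCAL_ANSWERS = {
    "www.youtube.com": "203.0.113.7",       # poisoned (fetched after the
    "www.darcars.com": "203.0.113.7",       # upstream was compromised)
    "news.example": "203.0.113.7",
    "www3.youtube.com": "198.51.100.20",    # cached earlier, still correct
    "yahoo.com": "198.51.100.30",           # cached earlier, still correct
}

# Constructed: answers from a known-good reference resolver, queried from
# outside the affected network (masoncooper's "ask the upstream directly").
REFERENCE_ANSWERS = {
    "www.youtube.com": "198.51.100.10",
    "www.darcars.com": "198.51.100.11",
    "news.example": "198.51.100.12",
    "www3.youtube.com": "198.51.100.20",
    "yahoo.com": "198.51.100.30",
}


def shared_address_clusters(answers, min_names=3):
    """Addresses that >= min_names unrelated names resolve to (the
    'every nslookup returns the same IP' symptom).  Shared hosting is
    legitimate, so this is a triage signal, not proof of poisoning."""
    by_ip = defaultdict(list)
    for name, ip in answers.items():
        by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_names}


def mismatched_names(local, reference):
    """(name, local_ip, reference_ip) for names where the cache disagrees
    with the reference resolver; these are the entries to flush."""
    return sorted((n, local[n], reference[n]) for n in local
                  if n in reference and local[n] != reference[n])


if __name__ == "__main__":
    for ip, names in shared_address_clusters(LOCAL_ANSWERS).items():
        print(f"suspicious: {len(names)} names -> {ip}: {', '.join(names)}")
    for name, got, want in mismatched_names(LOCAL_ANSWERS, REFERENCE_ANSWERS):
        print(f"mismatch: {name} cache={got} reference={want}")
```

In practice the two dictionaries would be filled from nslookup runs against the local server and against the upstream resolver, as the thread suggests; a non-empty mismatch list is the cue to flush or restart the caching server, which is what finally cleared the stale entries here.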