Solved

searchportal.information.com   <-- Cannot browse, this stops me.

Posted on 2007-04-04
Last Modified: 2013-11-16
Hello all;

    This just started this evening, and the only way I am able to connect to EE is by use of
our WinNT4 servers. They seem to be uninfected. All of our Win2k and WinXP systems
are infected with whatever this thing is.

  OK.
   I am able to browse to Google.com and do a search.
When I click on a link, the page opens and tries to load, then goes blank
with an error at the bottom of IE. I click on the error and it states:

Line   28
Char   1
Error   Object Required
Code  0
URL  http://searchportal.information.com/?0_id=60999&domainname=referer_detect

If I type in    http://www.msn.com
it also gives me the same problems.

One of the computers is a fresh install, and I am unable to connect to anything outside of Google.com.
That means that I am unable to use MSN or Yahoo Messenger.
I am basically a prisoner on 3 computers in the network at the moment.

Any ideas/suggestions on this issue will be great.
Thank you
carrzkiss
Question by:Wayne Barron

Expert Comment by: warrenbuckles (ID: 18855772)
Hello carrzkiss:

Your network has gotten infected by malware that has hijacked your traffic to searchportal.information.com.

I'm not sure how your network is configured, but it looks like your internet traffic from the client systems is going out through your servers - I don't know if the infection is there or on the client machines. From the looks of your error it might be in a CSS style sheet, but I'm not sure.

I would do a spyware sweep of your systems and network pronto.

wb

Expert Comment by: rpggamergirl (ID: 18855940)
Hi,
You can either run malware scanners like:
1. SUPERAntiSpyware:
http://www.superantispyware.com/


OR:
2. Show us a HijackThis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then upload the log to any hosting site, or paste it to the site below:
http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Author Comment by: Wayne Barron (ID: 18857137)
Strange!!!!!!

  OK.. I went into the properties for my NIC card
and changed it from "Obtain IP Automatically"
to an assigned IP and DNS addresses.
That FIXED the problem on my laptop.
So I then went in and changed the IP addresses on the other computers as well,
and now all the systems are running without any problems.

Very, very strange?

I do not know what to do about this question.
So, I am going to say that it will be:  PAQ/Refund

If any comments on this, please make it known when it is done.

Thank you both for your comments.
And "rpggamergirl",
I love how you explain things; you remind me of myself when I explain things on here.
It was kind of weird though having someone treat me like a beginner, but nonetheless,
it was like a breath of fresh air.

Later all;
Carrzkiss

Expert Comment by: warrenbuckles (ID: 18858025)
Looks like it was just a hijack of your DNS setup.

It would be interesting to know how it happened - something penetrated your network's defenses.

wb

Author Comment by: Wayne Barron (ID: 18858667)
Warren = Yes, it would be nice to know how it happened.
I will do some checking in my DNS and see what is going on with it,
and see if there is a problem with it, as I bypassed my DNS altogether and
pointed to our ISP's DNS instead.

I will report back my findings, IF I can find out anything.

Take Care And Thanks.
Carrzkiss

Expert Comment by: rpggamergirl (ID: 18861696)
>>It was kind-of weird though having someone treat me like a beginner, but none-the-less.<<

carrzkiss,
Sorry if my post has offended you somehow. It is my "canned speech" that also suits anyone who hasn't used HijackThis before. I've been asked many times when I don't post instructions, like: "what do you mean fix? how do I fix entries?"

Yes, a lot of people don't need instructions, but some people also need it, so that's what the canned speech is for. I don't mean to offend anyone, it is JUST a canned speech that I copy and paste, :)
Again, I'm sorry for that.

Please post at Community Support and ask the mods to PAQ this question and refund your points.
http://www.experts-exchange.com/Other/Community_Support/

I answered my question myself, what do I do?
http://www.experts-exchange.com/help.jsp#hi70

Closing questions:
http://www.experts-exchange.com/help.jsp#hs5

Author Comment by: Wayne Barron (ID: 18861926)
rpggamergirl.

  No, absolutely no offense whatsoever; I am sorry that I made it sound like it did.

I have already done a PAQ/Refund Request.
I took care of that right after my post on what I did to fix the issue.

Take Care All
Carrzkiss

Author Comment by: Wayne Barron (ID: 18870724)
Hello Vee_Mod.

  Yep, that was one of the first things that I checked as well.
It would have been nice if that had been the cause, but unfortunately not, in this case.

Expert Comment by: RichardCorbett (ID: 18879329)
This is now happening to me as well.  It all started on 4/7.  We've been troubleshooting it since this morning.  It comes and goes, but we can't put a finger on where the redirect stems from.

I've checked our internal DNS servers and each and every response is correct.  Looking at our local DNS cache and server DNS cache revealed nothing out of the norm.
I've checked our firewalls/proxy devices and they are functioning as expected.
If I type in the IP addresses as they resolve from running nslookup, the correct sites display.
Has anyone figured this out?  It seems like DNS or ARP poisoning to some degree, but I can't figure out where.

Expert Comment by: RichardCorbett (ID: 18879349)
I forgot to mention, our hosts files were clean.  We've rebooted PCs, DNS servers, firewalls, you name it.  No dice.

Since we use bandwidth aggregators/load balancers, I've tried using each of the three internet connections that we have, trying to rule out a downstream ISP issue.

It's definitely not a spyware issue - our machines are clean...

Any ideas?

Author Comment by: Wayne Barron (ID: 18879897)
There is nothing on our end that would be causing this issue.
The only thing that I can think of is that our ISP's DNS got hijacked.
Several years ago a friend of mine ran a small ISP, and his DNS got hijacked,
and when that happened, all of his customers could not browse the Internet.
So, I am thinking that maybe this might have happened to our ISP, which is "Charter".

This is just a guess, so up for more guesses.

Carrzkiss

Expert Comment by: RichardCorbett (ID: 18882656)
That was an assumption of mine as well, but being that we have three ISPs I concluded that it just couldn't be possible.  New Edge, Verizon, & Lightpath can't all be screwed up.

Furthermore, we host our own internal DNS which answers queries properly...  If I go into DOS and run "NSLOOKUP www.google.com" it answers back a valid Google IP.  If I put that IP into a browser, it works.  If I put www.google.com into a browser I get searchportal.information.com - this is crazy...

Author Comment by: Wayne Barron (ID: 18883807)
I know.
I am not sure what the deal is then. We run our own DNS as well, and everything is working
properly on this end, so I am at a loss as well.
I really have no other solution in this issue. The only thing that I know to do to bypass
the issue is to assign a static internal IP address to the machines that are affected by this,
and you should no longer see the issue.

Still looking for more suggestions on this issue.

Expert Comment by: RichardCorbett (ID: 18884327)
Maybe it is a DHCP issue in the way that it assigns the NetBIOS search options.

Under DHCP Manager, under Server Options, what do you have listed under node type 046?

The options are:
0x1  B-Node
0x2  P-Node
0x4  M-Node
0x8  H-Node

We previously always ran M-node but found that our resolution of machine names was slow due to the broadcasts...  We had changed it to H-node a few weeks ago.  I'll try changing it back and see if it helps things any...

You can google this stuff, but as far as I know - H-node tells the client to try WINS first, and if that fails, broadcast for the IP address.  M-node means broadcast first, then ask a WINS server for the IP address.  Now whether or not this happens before or after DNS, or what's really happening, I don't know.  But I'm willing to try anything at this point in time.

Expert Comment by: RichardCorbett (ID: 18884394)
No instant success.  I changed the DHCP option back to M-Node and had no luck on my PC...  I'll keep it on M and let it settle a bit to see if the user community experiences any improvement.  For now, I'll try going static next...

Here are proper definitions for the node types by the way:

B-node (not recommended)
Multicast queriers and listeners
Listen on both linklocal and local scopes
MUST NOT send DNS queries via unicast
Cannot resolve names outside the scope of multicast DNS

P-node
Use DNS via unicast only
MUST NOT send multicast queries, listen for them or respond to them
Default behavior for clients configured via DHCP but not receiving mDNS configuration option (existing behavior)

M-node
Use multicast queries prior to unicast
Listen on both linklocal and local scopes

H-node
Use unicast queries prior to multicast
Listen on both linklocal and local scopes

Accepted Solution by: imagin (earned 250 total points, ID: 18885146)
This same "searchportal.information.com" just appeared on our network sometime around April 7th or 8th.  We have also been perplexed while trying to find how it happened.
We had decided it must have something to do with DNS so we flushed the DNS cache and rebooted the server and it started working properly.  However, the other servers still did not work properly until we rebooted each server individually.  Each started working properly after the reboot.  This leads us to believe that it was somehow hijacked into the DNS cache.

What puzzles us is that an NSLOOKUP would always return proper IPs, but the browsers would not.

If this helps or anyone finds how this happened, we are anxious to figure this out.
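An added example, not code from this thread: imagin's observation that the bad answer went away after a cache flush and a reboot suggests looking at what the Windows DNS client has cached before flushing it. The script below parses the output of `ipconfig /displaydns` and flags two things worth checking in this situation: several unrelated names all resolving to one address (the shape of a redirect) and cached names that are a dotted name with a DNS search suffix glued on, which is the trace a suffix-list fallback leaves. The sample output is constructed in that command's Windows 2000/XP layout; the thread gives neither the portal's address nor anyone's suffix list, so `192.0.2.99` (an RFC 5737 documentation address) and `example.com` are stand-ins assumed for the demo.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the layout 'ipconfig /displaydns' prints on
# Windows 2000/XP. Addresses are RFC 5737 documentation addresses; the real
# portal address is not given in the thread, so 192.0.2.99 stands in for it
# and example.com for the client's first DNS search suffix (both assumed).
SAMPLE = """\
Windows IP Configuration

    www.google.com
    ----------------------------------------
    Record Name . . . . . : www.google.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 86
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    www.msn.com.example.com
    ----------------------------------------
    Record Name . . . . . : www.msn.com.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3000
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.99

    searchportal.information.com
    ----------------------------------------
    Record Name . . . . . : searchportal.information.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3000
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.99

    intranet.example.com
    ----------------------------------------
    Record Name . . . . . : intranet.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 1200
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.20
"""

# 'Label . . . : value' lines; the label is words/parentheses, dots are padding.
FIELD = re.compile(r"^\s*([A-Za-z() ]+?)[ .]*:\s*(.*?)\s*$")


def parse_displaydns(text):
    """One dict per cached record, keyed by the field labels ipconfig prints
    ('Record Name', 'Record Type', 'A (Host) Record', ...). Heading lines,
    dash rules and blank lines carry no colon and are skipped."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        label, value = m.groups()
        if label == "Record Name":
            current = {"Record Name": value.lower()}
            records.append(current)
        elif current is not None:
            current[label] = value
    return records


def a_records(records):
    """(name, address) pairs; records without an A answer (PTR etc.) are skipped."""
    return [(r["Record Name"], r["A (Host) Record"])
            for r in records if "A (Host) Record" in r]


def names_answering(records, address):
    """Every cached name whose A record is the given address."""
    return sorted(n for n, a in a_records(records) if a == address)


def shared_answers(records):
    """Addresses that more than one cached name resolves to."""
    by_addr = defaultdict(set)
    for name, addr in a_records(records):
        by_addr[addr].add(name)
    return {a: sorted(ns) for a, ns in by_addr.items() if len(ns) > 1}


def suffix_appended(records, suffix):
    """Cached names that are a dotted name with the search suffix appended
    (www.msn.com.example.com); plain hosts under the suffix are not flagged."""
    suffix = "." + suffix.lower().strip(".")
    return sorted(n for n, _ in a_records(records)
                  if n.endswith(suffix) and "." in n[: -len(suffix)])


if __name__ == "__main__":
    # Usage: python dnscache.py dns.txt   (after: ipconfig /displaydns > dns.txt)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    recs = parse_displaydns(text)
    print("cached records :", len(recs))
    print("shared answers :", shared_answers(recs))
    print("suffix appended:", suffix_appended(recs, "example.com"))
```

Run it against real output with `ipconfig /displaydns > dns.txt` before `ipconfig /flushdns`, since the flush destroys the evidence; on the DNS server side the equivalent is the cached-lookups view in the DNS console, which this parser does not cover.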
 
Expert Comment by: rpggamergirl (ID: 18885894)
Take a look at this searchportal redirection here, how his problem was solved:

http://72.14.235.104/search?q=cache:0iM0Na10K74J:www.tek-tips.com/viewthread.cfm%3Fqid%3D1267416%26page%3D2+searchportal.information.com/&hl=en&ct=clnk&cd=5&gl=au

>>I'VE GOT IT!!!

I can't believe this.
Because in work (remember this is a company laptop), we use several different internal domains, I have added them into the "append these DNS suffixes" box in the TCP/IP properties.
The first domain in the list has been registered as a real TLD and goes to a page which contains this searchportal stuff.
So if I was typing wefcwwewdfw.couk it was actually trying to resolve eroergerg.couk.domain.com, and ending up there.
This seems to have solved the problem<<
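The suffix-list mechanism in the quote above, worked through as an added simulation (not code from this thread or the tek-tips post): a toy zone stands in for the DNS, `example.com` for the first entry of the client's "append these DNS suffixes" list, and a wildcard `*.example.com` record for the registered domain that answered every subdomain with the portal page. All names and addresses are constructed (RFC 5737 documentation addresses), and the resolver order is a simplification of the Windows one. It also goes one step beyond the quote: the same fallback fires when a real name fails to resolve for any reason, which matches the symptom in this thread of a working site being replaced by the portal, and a single-label internal name can be captured by the wildcard before the corporate suffix is ever tried, depending purely on suffix order.

```python
from typing import Optional

# Constructed zone for the simulation (RFC 5737 documentation addresses).
# "*.example.com" stands in for a registered domain whose wildcard record
# answers every subdomain with the portal page's address; example.com is
# assumed to be the first entry in the client's DNS suffix search list.
ZONE = {
    "www.google.com": "192.0.2.10",
    "intranet.corp.local": "192.0.2.20",
    "*.example.com": "192.0.2.99",
}


def lookup(fqdn: str, zone: dict = ZONE) -> Optional[str]:
    """Answer one query from the toy zone: exact match first, otherwise the
    closest enclosing wildcard (so '*.example.com' answers both
    'foo.example.com' and 'www.msn.com.example.com')."""
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def candidates(name: str, suffixes: list) -> list:
    """Order in which a Windows-style stub resolver tries names (simplified):
    a trailing dot means 'exactly this, append nothing'; a dotted name is
    tried as typed and, only if that fails, with each suffix appended in
    list order; a single-label name gets the suffixes appended straight away."""
    if name.endswith("."):
        return [name.rstrip(".")]
    appended = [f"{name}.{s.strip('.')}" for s in suffixes]
    return [name] + appended if "." in name else appended


def resolve(name: str, suffixes: list, zone: dict = ZONE):
    """Return (address or None, list of FQDNs that were actually queried)."""
    tried = []
    for fqdn in candidates(name, suffixes):
        tried.append(fqdn)
        addr = lookup(fqdn, zone)
        if addr is not None:
            return addr, tried
    return None, tried


if __name__ == "__main__":
    search = ["example.com", "corp.local"]   # bad order: wildcard domain first
    for q in ["www.google.com", "wefcwwewdfw.couk", "intranet", "www.google.com."]:
        print(f"{q:18} -> {resolve(q, search)}")
    # A real name failing to resolve (NXDOMAIN, outage) triggers the same fallback:
    outage = {k: v for k, v in ZONE.items() if k != "www.google.com"}
    print("google, outage     ->", resolve("www.google.com", search, outage))
    # Listing the corporate suffix first keeps internal short names internal:
    print("intranet, reordered->", resolve("intranet", ["corp.local", "example.com"]))
```

The trailing-dot case is the quick manual check: if `ping www.google.com.` (with the dot) reaches the right host while `ping www.google.com` does not, the suffix list is being appended, and the `Record Name` in `ipconfig /displaydns` will show the suffixed name.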
 
Expert Comment by: RichardCorbett (ID: 18887939)
imagin:  I've tried clearing the cache on the server and bouncing the services to no avail.  I've even gone and flushed the cache on both DNS servers and the clients that I've been testing with (ipconfig /flushdns).

Vee/rpggamergirl:  I also read that and likewise tested it.  We use straight-up DHCP with no extras within our TCP/IP DNS properties...

I'm going to reboot the servers as per imagin's recommendation and report back.

Expert Comment by: RichardCorbett (ID: 18887980)
So far, so good with regard to the DNS server reboots.  No more redirections...  I'll recheck in the morning.

Thanks imagin!