Organization IP address is getting redirected to a website which does not belong to the organization.

Alberto ---- alcol at hotmail.com
Sat Sep 17 16:42:44 UTC 2016


A security scan is only a probe and does not change a web server's content or configuration in any way.


Performing an http://x1.x2.x3.x4 statement, where x... are the 4 IP octets, does not involve DNS in any way.


IP is loaded inside the IEEE MAC "train" but works with dotted IPv4/v6 addresses and not with DNS names.


When you ask for a NAME (not an IP), it is resolved by whatever DNS is configured inside your TCP/IP configuration, but if you ask for a direct IP, DNS is totally skipped and it is a DIRECT CALL.




________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Bhangui, Sandeep - BLS CTR <Bhangui.Sandeep at bls.gov>
Sent: Saturday, September 17, 2016 6:33 PM
To: John Miller
Cc: bind-users at lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Thanks John

The Security Dept from BLS reported this to our team, which manages the DNS and infrastructure. I think some scans run by them on the network may have caught this, not sure though.

And yes we do not have any record for that IP in our DNS for bls.gov zone.

Sandeep



-----Original Message-----
From: John Miller [mailto:johnmill at brandeis.edu]
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR <Bhangui.Sandeep at bls.gov>
Cc: bind-users at lists.isc.org <bind-users at isc.org>
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address and got:

john at millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address.  Could be a rogue device or some sort of routing issue.  Here's a traceroute from the Brandeis network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms  204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms  0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24!  I'd have a chat with your network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue?  Do any DNS records point to 146.142.7.113?  There's no reverse record for it that I can see.

John

On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR <Bhangui.Sandeep at bls.gov> wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this forum can provide some advice/suggestion as I am trying to figure out what is going on.
>
> Our organization BLS owns (registered with the registrar) the network address 146.142.xxx.xxx.
>
> But if someone from the Internet (outside of the BLS network) tries to go to "http://146.142.7.113", it gets redirected to a site in the UK called "us.watcheezy.com".
>
> I have checked the DNS from the BLS side and we do not have any entry of any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on what is going on here..... It does not look like a DNS issue to me, but I could be wrong.
>
> Thanks
> Sandeep
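As an added example, not code from anyone in this thread: a small Python script that reproduces John's check (a GET straight to the literal IP with redirects not followed) and flags a Location header that points outside the organization's own domains, plus a counter for traceroute hops that fall inside the target's /24, the symptom John pointed at. The own_domains list, the probe_ip helper and the trimmed samples are assumptions and constructed inputs, not part of the original post.

```python
# Added example (not code from the thread): classify a by-IP HTTP probe's
# redirect and count traceroute hops inside the target's /24.
import http.client
import ipaddress
import re
from urllib.parse import urlsplit
REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify_redirect(status, headers, own_domains):
    """Return (is_redirect, location_host, leaves_org) for one response."""
    loc = next((v for k, v in headers if k.lower() == "location"), None)
    if status not in REDIRECT_CODES or loc is None:
        return (False, None, False)
    host = (urlsplit(loc).hostname or "").lower()
    inside = any(host == d or host.endswith("." + d) for d in own_domains)
    return (True, host, not inside)

def parse_raw_response(raw):
    """Parse a captured HTTP/1.x response head, e.g. pasted from telnet."""
    lines = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0].strip().splitlines()
    status = int(lines[0].split()[1])
    hdrs = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return status, hdrs

def probe_ip(ip, own_domains, port=80, timeout=5):
    """Live check (assumed helper): connect by literal IP, so no DNS is involved."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    conn.request("GET", "/", headers={"Host": ip})   # redirects are NOT followed
    resp = conn.getresponse()
    result = classify_redirect(resp.status, resp.getheaders(), own_domains)
    conn.close()
    return result

def hops_inside_target_net(traceroute_text, target_ip, prefix=24):
    """Count hop lines whose first responder sits in the target's /prefix."""
    net = ipaddress.ip_network(f"{target_ip}/{prefix}", strict=False)
    hop = re.compile(r"\s*\d+\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")
    return sum(1 for l in traceroute_text.splitlines()
               if (m := hop.match(l)) and ipaddress.ip_address(m.group(1)) in net)

# Constructed samples, trimmed from the captures quoted in the thread.
SAMPLE_RESPONSE = ("HTTP/1.1 302 Found\nServer: Apache/2.2.22 (Ubuntu)\n"
                   "location: http://www.watcheezy.com/\nContent-Length: 0\n\n")
SAMPLE_TRACE = """traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms
"""
```

Run `classify_redirect(*parse_raw_response(SAMPLE_RESPONSE), ["bls.gov"])` to reproduce John's finding offline; `probe_ip` does the same against a live host.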

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users