Organization IP address is getting redirected to a website which does not belong to the organization.

Alberto ---- alcol at hotmail.com
Sat Sep 17 16:51:50 UTC 2016


Hmmmmmmmmmmm, if they manage firewalls, they should be aware of TCP/IP fundamentals and how HTTP works and much more.

The browser performs a GET on 146.142.7.113 with the RFC HTTP protocol, then 146.142.7.113 says item moved / redirect to http://us.watcheezy.com/

You have to check the web server configuration or the HTML / PHP / ... pages at the root link of the web server 146.142.7.113.

When the browser gets a REDIRECT, it is the browser on the client machine that performs a new GET on the new address.

It is normal that the firewall team sees nothing unless a packet capture and analysis is performed.




________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Bhangui, Sandeep - BLS CTR <Bhangui.Sandeep at bls.gov>
Sent: Saturday, September 17, 2016 6:43 PM
To: Lyle; bind-users at lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Thanks

We suspected that but network folks are not able to find any device with that IP on the BLS network.

Also, it seems the firewall folks claim they looked for the traffic coming into the BLS network, and if the redirect is happening from a host which is 146.142.7.113 they should have seen some traffic, correct? Apparently we do not see any traffic.

Thanks
Sandeep


-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users at lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this forum can provide some advice/suggestion as I am trying to figure out what is going on.
>
> Our organization BLS owns (registered with the registrar) the network address 146.142.xxx.xxx.
>
> But if someone from the Internet (outside of the BLS network) tries to go to "http://146.142.7.113", it gets redirected to a site in UK called "us.watcheezy.com".
>
> I have checked the DNS from the BLS side and we do not have any entry of any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here.....does not look like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
There is a host listening on 146.142.7.113 tcp port 80. It's issuing a
302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.
That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.
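
The hop-by-hop behaviour described in this thread, as an added example that is not part of the original messages: a tracer that issues each GET itself instead of letting the client follow redirects, so it shows which host answers with each 3xx. The function names and the `SAMPLE` table are assumptions constructed for illustration from the chain reported above; they are not captured traffic.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# Constructed responses mirroring the chain reported in the thread (not captured traffic).
SAMPLE = {
    "http://146.142.7.113": (302, "http://www.watcheezy.com"),
    "http://www.watcheezy.com": (301, "http://us.watcheezy.com"),
    "http://us.watcheezy.com": (200, None),
}

def http_fetch(url, timeout=5):
    """Send one GET without following redirects; return (status, Location or None)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Return [(url, status, location)] per hop, stopping at a non-redirect or a loop."""
    hops, seen = [], set()
    while len(hops) < max_hops and url not in seen:
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative to the current URL
    return hops

def first_offsite_redirect(hops):
    """Return (issuing host, target host) for the first redirect that changes host."""
    for url, status, location in hops:
        if status in REDIRECTS and location:
            src = urlsplit(url).hostname
            dst = urlsplit(urljoin(url, location)).hostname
            if src != dst:
                return src, dst
    return None

if __name__ == "__main__":
    for hop in trace_redirects("http://146.142.7.113", fetch=SAMPLE.__getitem__):
        print(hop)
```

Run as a script it walks the constructed table offline; calling `trace_redirects(url)` without `fetch=` sends real requests, and the first tuple then shows whether the address under investigation is itself answering on port 80.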
