Organization IP address is getting redirected to a website which does not belong to the organization.

Alberto ---- alcol at hotmail.com
Sat Sep 17 18:19:19 UTC 2016


big security problem if you have an uncontrolled and not authorized web server on that ip and that is not firewalled


to find it out check arp tables on switches to follow switch port where it is physically linked






https://www.linkedin.com/in/alberto-colosi


________________________________
From: Bhangui, Sandeep - BLS CTR <Bhangui.Sandeep at bls.gov>
Sent: Saturday, September 17, 2016 7:52 PM
To: Alberto ----; bind-users at lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.


Understood and I am sure they are aware of those protocols.



We do not have a webserver which is hosted on 146.142.7.113 that I can categorically say as that falls under our team.



Network folks are having a tough time even finding an active device with that IP on the network.



Thanks

Sandeep





From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Alberto ----
Sent: Saturday, September 17, 2016 12:52 PM
To: bind-users at lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.



hmmmmmmmmmmm if they manage firewalls, they should be aware of TCP/IP fundamentals and HTTP working and much more



the browser performs a GET on 146.142.7.113 with RFC HTTP protocol then 146.142.7.113 says item moved / redirect to http://us.watcheezy.com/



you have to check web server configuration or HTML / PHP / ........ pages on root link from the web server 146.142.7.113



when the browser gets a REDIRECT, it is the browser on the client machine that performs a new GET statement on the new address



it is normal that the firewall team sees nothing else if a packet capture and analysis is not performed









________________________________

From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Bhangui, Sandeep - BLS CTR <Bhangui.Sandeep at bls.gov>
Sent: Saturday, September 17, 2016 6:43 PM
To: Lyle; bind-users at lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.



Thanks

We suspected that but network folks are not able to find any device with that IP on the BLS network.

Also it seems firewall folks claim they looked for the traffic coming in the BLS network, and if the redirect is happening from a host which is 146.142.7.113 they should have seen some traffic, correct? And apparently we do not see any traffic.

Thanks
Sandeep


-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users at lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this forum can provide some advice/suggestion as I am trying to figure out what is going on.
>
> Our organization BLS owns ( registered with the registrar )  the network address 146.142.xxx.xxx.
>
> But if someone from the Internet (outside of BLS network) tries to go to "http://146.142.7.113" it gets redirected to a site in UK called "us.watcheezy.com"
>
> I have checked the DNS from the BLS  side and we do not have any entry of  any kind for  the record  146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here.....does not look like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org<mailto:bind-users at lists.isc.org>
> https://lists.isc.org/mailman/listinfo/bind-users
There is a host listening on 146.142.7.113 tcp port 80. It's issuing a
302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.
That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.
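
The 302 then 301 chain reported in the thread can be confirmed hop by hop with a client that does not follow redirects on its own and records which address answered each request. This is an added example, not part of the original thread; the loopback server, its paths and the names `trace_redirects`, `DemoHandler` and `demo` are constructed stand-ins for the real hosts.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def trace_redirects(url, max_hops=10, timeout=5):
    """Follow Location headers by hand; return one record per hop."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.connect()
            peer = conn.sock.getpeername()[0]  # address that actually answers
            target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
            conn.request("GET", target)
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        hops.append({"url": url, "peer": peer, "status": status, "location": location})
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return hops

class DemoHandler(BaseHTTPRequestHandler):
    # Constructed chain mimicking the report: 302, then 301, then the final page.
    CHAIN = {"/": (302, "/www"), "/www": (301, "/us")}
    def do_GET(self):
        status, target = self.CHAIN.get(self.path, (200, None))
        self.send_response(status)
        if target:
            self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    with HTTPServer(("127.0.0.1", 0), DemoHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return trace_redirects("http://127.0.0.1:%d/" % server.server_port)
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The `peer` field is the point of interest for this kind of investigation: it shows which IP address issued each redirect, independent of what DNS or the firewall logs suggest.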
