<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Latha;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks. Understood, and that is what I had thought.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I am trying to help the BLS folks resolve the situation, as HTTP requests from the Internet to that IP, which is registered to BLS, are going to a site which does not belong to us.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Sandeep<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> bind-users [mailto:bind-users-bounces@lists.isc.org]
<b>On Behalf Of </b>Alberto ----<br>
<b>Sent:</b> Saturday, September 17, 2016 12:43 PM<br>
<b>Cc:</b> bind-users@lists.isc.org &lt;bind-users@isc.org&gt;<br>
<b>Subject:</b> Re: Organization IP address is getting redirected to a website which does not belong to the organization.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div id="divtagdefaultwrapper">
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">A security scan is only a probe and does not change a web server's content or configuration in any way.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">Performing a
<a href="http://x1.x2.x3.x4" id="LPlnk508837">http://x1.x2.x3.x4</a> request, where x... are the 4 IP octets, does not involve DNS in any way.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">IP is loaded inside the IEEE MAC "train" but works with dotted IPv4/v6 addresses and not with DNS names.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">When you ask for a NAME (not an IP), it is resolved by whatever DNS server is configured inside your TCP/IP configuration, but if you ask for a direct IP, DNS is skipped entirely and it is a DIRECT CALL.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<div>
<div class="MsoNormal" align="center" style="text-align:center;background:white">
<span style="font-family:"Calibri",sans-serif;color:black">
<hr size="2" width="98%" align="center">
</span></div>
<div id="x_divRplyFwdMsg">
<p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> bind-users <<a href="mailto:bind-users-bounces@lists.isc.org">bind-users-bounces@lists.isc.org</a>>
on behalf of Bhangui, Sandeep - BLS CTR <<a href="mailto:Bhangui.Sandeep@bls.gov">Bhangui.Sandeep@bls.gov</a>><br>
<b>Sent:</b> Saturday, September 17, 2016 6:33 PM<br>
<b>To:</b> John Miller<br>
<b>Cc:</b> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<b>Subject:</b> RE: Organization IP address is getting redirected to a website which does not belong to the organization.</span><span style="font-family:"Calibri",sans-serif;color:black">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black">Thanks John<br>
<br>
The Security Dept at BLS reported this to our team, which manages the DNS and infrastructure. I think some scans they ran on the network may have caught this, not sure though.<br>
<br>
And yes we do not have any record for that IP in our DNS for bls.gov zone.<br>
<br>
Sandeep<br>
<br>
<br>
<br>
-----Original Message-----<br>
From: John Miller [<a href="mailto:johnmill@brandeis.edu">mailto:johnmill@brandeis.edu</a>]
<br>
Sent: Saturday, September 17, 2016 12:14 PM<br>
To: Bhangui, Sandeep - BLS CTR <<a href="mailto:Bhangui.Sandeep@bls.gov">Bhangui.Sandeep@bls.gov</a>><br>
Cc: <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a> <<a href="mailto:bind-users@isc.org">bind-users@isc.org</a>><br>
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.<br>
<br>
Hi Sandeep,<br>
<br>
The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address and got:<br>
<br>
john@millspad:~$ telnet 146.142.7.113 80<br>
Trying 146.142.7.113...<br>
Connected to 146.142.7.113.<br>
Escape character is '^]'.<br>
GET / HTTP/1.1<br>
Host: 146.142.7.113<br>
<br>
HTTP/1.1 302 Found<br>
Date: Sat, 17 Sep 2016 16:30:46 GMT<br>
Server: Apache/2.2.22 (Ubuntu)<br>
X-Powered-By: PHP/5.4.9-4ubuntu2.3<br>
location: <a href="http://www.watcheezy.com/">http://www.watcheezy.com/</a><br>
Vary: Accept-Encoding<br>
Content-Length: 0<br>
Connection: close<br>
Content-Type: text/html<br>
<br>
Connection closed by foreign host.<br>
<br>
But something is definitely listening on that IP address. Could be a rogue device or some sort of routing issue. Here's a traceroute from the Brandeis network:<br>
<br>
traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets<br>
1 129.64.99.1 (129.64.99.1) 1.112 ms 1.127 ms 0.981 ms<br>
2 * * *<br>
3 * * *<br>
4 * * *<br>
5 te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1) 2.471 ms 2.427 ms 2.375 ms<br>
6 be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13) 8.046 ms 7.721 ms 7.546 ms<br>
7 be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106) 13.692 ms 13.661 ms 13.665 ms<br>
8 be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106) 14.765 ms 14.832 ms 14.701 ms<br>
9 verizon.iad02.atlas.cogentco.com (154.54.10.198) 13.629 ms 204.148.79.53 (204.148.79.53) 12.886 ms 12.862 ms<br>
10 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195) 49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207) 15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195) 49.297 ms<br>
11 GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21) 14.489 ms 14.502 ms 14.311 ms<br>
12 bls-gw.customer.alter.net (152.179.53.66) 15.437 ms 16.771 ms 16.918 ms<br>
13 146.142.7.129 (146.142.7.129) 17.427 ms 17.338 ms 17.421 ms<br>
14 146.142.7.96 (146.142.7.96) 20.523 ms 20.475 ms 20.421 ms<br>
15 146.142.7.97 (146.142.7.97) 21.510 ms 21.471 ms 21.409 ms<br>
16 146.142.7.83 (146.142.7.83) 18.520 ms 18.453 ms 18.359 ms<br>
17 146.142.7.142 (146.142.7.142) 21.138 ms 21.098 ms 19.436 ms<br>
18 146.142.7.93 (146.142.7.93) 43.152 ms 43.061 ms 43.062 ms<br>
19 146.142.7.66 (146.142.7.66) 133.226 ms 133.169 ms 133.147 ms<br>
20 146.142.7.112 (146.142.7.112) 130.701 ms 130.606 ms 130.737 ms<br>
21 * * *<br>
22 146.142.7.68 (146.142.7.68) 135.039 ms 134.986 ms 134.897 ms<br>
23 146.142.7.132 (146.142.7.132) 127.341 ms 127.256 ms 127.221 ms<br>
24 146.142.7.87 (146.142.7.87) 126.358 ms * *<br>
25 146.142.7.113 (146.142.7.113) 154.693 ms 156.353 ms 156.385 ms<br>
<br>
That's one convoluted route to stay in the same /24! I'd have a chat with your network admins and see what's up--this doesn't look normal.<br>
<br>
Question for you: how'd you uncover the issue? Do any DNS records point to 146.142.7.113? There's no reverse record for it that I can see.<br>
<br>
John<br>
<br>
On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR <<a href="mailto:Bhangui.Sandeep@bls.gov">Bhangui.Sandeep@bls.gov</a>> wrote:<br>
> Hi<br>
><br>
> Not exactly sure whether this is a DNS issue but hoping someone here on this forum can provide some advice/suggestion as I am trying to figure out what is going on.<br>
><br>
> Our organization, BLS, owns (registered with the registrar) the network address 146.142.xxx.xxx.<br>
><br>
> But if someone from the Internet (outside of the BLS network) tries to go to "<a href="http://146.142.7.113">http://146.142.7.113</a>", it gets redirected to a site in the UK called "us.watcheezy.com".<br>
><br>
> I have checked the DNS from the BLS side and we do not have any entry of any kind for the record 146.142.7.113 on our DNS.<br>
><br>
> I have also done DNS lookups for watcheezy.com and those seem to be good too with respect to IP and the NS and as to what those NS are reporting.<br>
><br>
> Can anyone throw some light on what is going on here? It does not look like a DNS issue to me, but I could be wrong.<br>
><br>
> Thanks<br>
> Sandeep<br>
<br>
_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a><o:p></o:p></span></p>
</div>
</div>
</div>
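<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Added example, not code from anyone in the thread: a small Python script that does in code what John did by hand with telnet and what Alberto describes in prose. It checks that a URL whose host is an IP literal needs no DNS lookup, parses a raw HTTP/1.1 reply (the 302 from the thread is embedded below as constructed sample input) and classifies the <code>Location</code> target as inside or outside the organization. The helper names, the <code>bls.gov</code> domain list and the assumed <code>146.142.0.0/16</code> network (the thread only says 146.142.xxx.xxx) are assumptions for illustration. <code>fetch_raw</code> talks to a live host and is only called from the demo at the bottom; everything else runs offline.</span></p>

```python
"""Reproduce the 'is this redirect a DNS problem?' check from the thread.

Added example for illustration; function names and the org domain/network
below are assumptions, not from the original messages.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample input: the reply John saw when he telnetted to port 80
# (copied from the thread, CRLF line endings as on the wire).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 17 Sep 2016 16:30:46 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.4.9-4ubuntu2.3\r\n"
    "location: http://www.watcheezy.com/\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def host_needs_dns(url: str) -> bool:
    """True if the URL's host is a name that must be resolved; False for an
    IPv4/IPv6 literal, which the client connects to directly (Alberto's point)."""
    host = urlsplit(url).hostname
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def parse_response(raw: str):
    """Split a raw HTTP/1.x reply into (status code, headers dict, body).
    Header names are lower-cased because they are case-insensitive; note the
    real reply above sends 'location', not 'Location'."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def classify_redirect(raw: str, org_domains, org_networks) -> str:
    """Return 'no-redirect', 'internal' or 'external' for a raw HTTP reply.
    org_domains: DNS suffixes the org owns; org_networks: CIDR strings it owns."""
    status, headers, _ = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return "no-redirect"
    target = urlsplit(headers["location"]).hostname or ""
    nets = [ipaddress.ip_network(n) for n in org_networks]
    try:
        ip = ipaddress.ip_address(target)          # Location pointed at an IP literal
        return "internal" if any(ip in n for n in nets) else "external"
    except ValueError:
        pass                                        # Location pointed at a name
    if any(target == d or target.endswith("." + d) for d in org_domains):
        return "internal"
    return "external"


def fetch_raw(ip: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send one HTTP/1.1 GET straight to an IP literal and return the raw reply,
    exactly like the telnet session in the thread. The Host header carries the
    literal too, so no resolver is consulted at any point."""
    ipaddress.ip_address(ip)  # refuse names: this helper is for direct-to-IP checks
    request = f"GET {path} HTTP/1.1\r\nHost: {ip}\r\nConnection: close\r\n\r\n"
    chunks = []
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    # Assumed org scope for the demo; 146.142.0.0/16 is a guess from "146.142.xxx.xxx".
    org_domains = ["bls.gov"]
    org_networks = ["146.142.0.0/16"]
    print("needs DNS:", host_needs_dns("http://146.142.7.113/"))        # False
    print("verdict on sample:", classify_redirect(SAMPLE_RESPONSE, org_domains, org_networks))
    # Live check (uncomment to run against a host you are allowed to probe):
    # print(classify_redirect(fetch_raw("146.142.7.113"), org_domains, org_networks))
```

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The verdict for the sample reply is <code>external</code>, which is the whole finding in the thread: the box answering on that address is serving a redirect to a third party, and no DNS record on either side has to exist for that to happen. Where a redirect lands on an IP literal rather than a name, the script checks it against the org's address space instead, since that case would also bypass DNS.</span></p>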
</div>
</body>
</html>