That's pretty scary that their DC was compromised like that! Makes you
wonder what else "they" got to.

________________________________

From: Cameron Cooper [mailto:[email protected]]
Sent: Friday, January 22, 2010 10:20 AM
To: NT System Admin Issues
Subject: RE: Website Issue

Sorry... no, this was just on their DC.

_____________________________

Cameron Cooper

System Administrator | CompTIA A+ Certified

Aurico Reports, Inc

Phone: 847-890-4021 | Fax: 847-255-1896

[email protected] | www.aurico.com

From: Andrew Levicki [mailto:[email protected]]
Sent: Friday, January 22, 2010 10:10 AM
To: NT System Admin Issues
Subject: Re: Website Issue

On ALL the client computers? Wow.

2010/1/22 Cameron Cooper <[email protected]>

Looks like it was DNS poisoning. He looked in the host file and there were a bunch of entries in there that were causing the issue. Once removed, they were no longer being redirected to the p0rn site.

From: Andrew Levicki [mailto:[email protected]]
Sent: Thursday, January 21, 2010 1:17 PM
To: NT System Admin Issues
Subject: Re: Website Issue

And lastly, check that the router is configured with the correct forwarders.

Over and out.

2010/1/21 Andrew Levicki <[email protected]>

Yes, good point, check the DNS clients' HOSTS file, which is located in:

%SYSTEMROOT%\System32\drivers\etc

Look for a rogue entry for the DNS name of the company website.

Good luck.

Andrew

2010/1/21 Andrew Levicki <[email protected]>

        Hi Cameron,

        Have you checked that the DNS clients are definitely configured with the correct DNS servers in their network configuration?

        Assuming that you have them pointing to internal DNS servers, you should then check that they are configured with the correct forwarders.

        Having done that, you should launch nslookup on those DNS servers and check that the DNS name for the company website resolves correctly.

        Finally you should run ipconfig /flushdns on the DNS clients.

        Please report back how you get on.

        Kind regards,

        Andrew

        2010/1/21 Cameron Cooper <[email protected]>

                They have run their AV and run Malwarebytes on all the servers and neither found anything.

                -----Original Message-----
                From: Terry Dickson [mailto:[email protected]]
                Sent: Thursday, January 21, 2010 12:52 PM
                To: NT System Admin Issues
                Subject: RE: Website Issue

                Have they done an nslookup on the DNS servers to see if they are getting the correct DNS entries? Have they been checked for malware that changed the hosts file?

                -----Original Message-----
                From: Cameron Cooper [mailto:[email protected]]
                Sent: Thursday, January 21, 2010 12:42 PM
                To: NT System Admin Issues
                Subject: Website Issue

                A colleague's company is having issues accessing their own website, which is hosted offsite. Internally when they try to access it, it goes to a porn site. When anyone externally accesses the site, it goes right to their website. He's cleared the DNS cache on all DNS servers and had the router's DNS flushed as well.

                Their setup involves an ISA server that acts as their proxy server.

                Ideas?

                ~ Finally, powerful endpoint security that ISN'T a
resource hog! ~
                ~
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

        -- 
        Kind regards,
        
        Andrew Levicki MCITP MCSE CCNA
        [email protected]
www.andrewlevicki.eu

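The HOSTS-file check Andrew recommends, as an added example that is not part of this thread: a Python script that parses a constructed Windows hosts file and flags any entry that overrides the expected DNS answer for the company's names (the "rogue entry" case here), plus any other non-loopback mapping a stock hosts file would not carry. The sample file contents, the example-company.com names and the EXPECTED addresses are all assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a Windows hosts file (%SYSTEMROOT%\System32\drivers\etc\hosts):
# the stock loopback lines plus two hypothetical injected entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       localhost
::1             localhost
203.0.113.66    www.example-company.com example-company.com   # constructed rogue entry
203.0.113.66    update.example-company.com
"""

# Hypothetical: what the company's names should resolve to, per nslookup against the proper DNS servers.
EXPECTED = {
    "www.example-company.com": "198.51.100.10",
    "example-company.com": "198.51.100.10",
}

LOOPBACK_NAMES = {"localhost"}  # names a stock hosts file may legitimately carry


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_no) for every active mapping in hosts-file text."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; not a mapping
        for name in fields[1:]:  # one address may carry several aliases
            entries.append((addr, name.lower(), no))
    return entries


def find_rogue_entries(text: str, expected: Dict[str, str]) -> List[dict]:
    """Flag entries that override the expected DNS answer, plus any other non-loopback mapping."""
    findings = []
    for addr, name, no in parse_hosts(text):
        if name in expected and addr != expected[name]:
            findings.append({"line": no, "name": name, "addr": addr, "reason": "overrides DNS"})
        elif name not in LOOPBACK_NAMES and not ipaddress.ip_address(addr).is_loopback:
            findings.append({"line": no, "name": name, "addr": addr, "reason": "non-default entry"})
    return findings
```

Run it against the real file on each DNS client and on the DC/ISA box; a clean stock hosts file returns no findings.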
