Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
Big security problem if you have an uncontrolled and unauthorized web server 
on that IP and it is not firewalled.


To find it out, check the ARP tables on the switches to follow the switch port where it 
is physically linked.






https://www.linkedin.com/in/alberto-colosi




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org<mailto:bind-users@lists.isc.org>
https://lists.isc.org/mailman/listinfo/bind-users

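Alberto's advice above is the standard way to pin down a host that DNS knows nothing about: take the MAC address the gateway holds in its ARP table for the IP, then walk the switches' MAC address tables, following trunk ports from switch to switch until you land on an edge port. The following is an added example, not code from the thread: a Python script that automates that join over Cisco-style `show ip arp` and `show mac address-table` output. Every table, MAC, switch name and port below is constructed for illustration and is not BLS data; only the IP is the one from the thread. When the IP has no ARP entry at all, the script says so rather than guessing, which is the situation Sandeep's network team reported and a hint that the host is not on the segment you are looking at.

```python
"""Find the physical switch port behind an IP address by joining the
gateway's ARP table (IP -> MAC) with the switches' MAC address tables
(MAC -> port) and following uplink/trunk ports hop by hop.

Added example; not code from the thread. Every table below is constructed
Cisco-style output with invented MACs, switch names and ports."""
import re

# Constructed: what 'show ip arp' on the VLAN 7 gateway might return.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  146.142.7.1             -   0000.0c9f.f001  ARPA   Vlan7
Internet  146.142.7.113          12   0050.56ab.cdef  ARPA   Vlan7
Internet  146.142.7.129           3   0050.56ab.0129  ARPA   Vlan7
"""

# Constructed: 'show mac address-table' from two switches.
MAC_TABLES = {
    "core-sw1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   7    0050.56ab.cdef    DYNAMIC     Po1
   7    0050.56ab.0129    DYNAMIC     Gi1/0/3
""",
    "access-sw7": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   7    0050.56ab.cdef    DYNAMIC     Gi1/0/24
   7    0000.0c9f.f001    DYNAMIC     Po1
""",
}

# Constructed topology: (switch, port) that is a trunk -> the switch behind it.
UPLINKS = {("core-sw1", "Po1"): "access-sw7", ("access-sw7", "Po1"): "core-sw1"}

ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
MAC_RE = re.compile(
    r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def parse_arp(text):
    """IP -> MAC (lower-case Cisco dotted form)."""
    return {m.group(1): m.group(2).lower()
            for line in text.splitlines() if (m := ARP_RE.match(line))}


def parse_mac_table(text):
    """MAC -> port; header and separator lines do not match and are skipped."""
    return {m.group(1).lower(): m.group(2)
            for line in text.splitlines() if (m := MAC_RE.match(line))}


def locate(ip, arp_text, mac_tables, uplinks, start_switch, max_hops=8):
    """Walk from start_switch towards the edge port holding ip's MAC.

    Returns a dict with the MAC, the (switch, port) path, the edge port
    (None if not found) and a reason string explaining how the walk ended."""
    mac = parse_arp(arp_text).get(ip)
    result = {"ip": ip, "mac": mac, "path": [], "edge": None, "reason": ""}
    if mac is None:
        # No ARP entry: the host is silent, on another VLAN, or not on this
        # segment at all (for example reached through some other path).
        result["reason"] = "no ARP entry on the gateway"
        return result
    tables = {sw: parse_mac_table(t) for sw, t in mac_tables.items()}
    sw = start_switch
    for _ in range(max_hops):
        port = tables.get(sw, {}).get(mac)
        if port is None:
            result["reason"] = f"MAC not learned on {sw}"
            return result
        result["path"].append((sw, port))
        nxt = uplinks.get((sw, port))
        if nxt is None:                       # not a trunk: this is the edge port
            result["edge"] = (sw, port)
            result["reason"] = "edge port"
            return result
        sw = nxt                              # trunk: continue on the next switch
    result["reason"] = "gave up after max_hops (trunk loop?)"
    return result


if __name__ == "__main__":
    for ip in ("146.142.7.113", "146.142.7.129", "146.142.7.200"):
        r = locate(ip, ARP_TABLE, MAC_TABLES, UPLINKS, "core-sw1")
        print(ip, r["mac"], r["path"], r["edge"], r["reason"])
```

In practice you would paste the real ARP and MAC-table output into the constants and fill UPLINKS from CDP/LLDP neighbour data; the walk stops at the first port that is not a known trunk, which is where the cable to the unknown box plugs in.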

Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Reindl Harald



Am 17.09.2016 um 19:52 schrieb Bhangui, Sandeep - BLS CTR:

Understood and I am sure they are aware of those protocols.

We do not have a web server hosted on 146.142.7.113; that I can say
categorically, as that falls under our team


Uhm, you do have one: an Ubuntu machine.

If it's not intended to be a web server, congratulations to the firewall 
team you are talking about, when it's reachable on port 80 and nobody 
knows what's running there.


[harry@srv-rhsoft:~]$ curl --head http://146.142.7.113/
HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 18:36:18 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html


Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Reindl Harald



Am 17.09.2016 um 17:51 schrieb Bhangui, Sandeep - BLS CTR:

Our organization BLS owns (registered with the registrar) the network 
address 146.142.xxx.xxx.

But if someone from the Internet (outside of the BLS network) tries to go to 
"http://146.142.7.113" it gets redirected to a site in the UK called 
"us.watcheezy.com"


so this has *nothing* to do with DNS at all

* someone is calling a server on port 80 with its *ip-address*
* on that machine listens a webserver on port 80
* that webserver sends a redirect header
* the client follows that redirect header

That's it. Go to that machine and look at what is redirecting and why it 
allows calling without a hostname at all (the default mod_security rules 
would forbid that).


but as said: that is not a DNS topic at all


RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Understood and I am sure they are aware of those protocols.

We do not have a web server hosted on 146.142.7.113; that I can say 
categorically, as that falls under our team.

Network folks are having a tough time even finding an active device with that 
IP on the network.

Thanks
Sandeep



Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
Hmmm, if they manage firewalls, they should be aware of TCP/IP 
fundamentals, how HTTP works, and much more.


The browser performs a GET on 146.142.7.113 using the HTTP protocol as per the RFC; then 
146.142.7.113 says "item moved" / redirects to http://us.watcheezy.com/


You have to check the web server configuration, or the HTML/PHP pages at the 
root of the web server 146.142.7.113.


When the browser gets a REDIRECT, it is the browser on the client machine that performs 
a new GET on the new address.


It is normal that the firewall team sees nothing unless a packet capture and 
analysis is performed.






RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Thanks & understood, and that is what I had thought.

I am trying to help the BLS folks resolve the situation, as HTTP requests from the 
Internet to that IP, which is registered to BLS, are going to a site which does 
not belong to us.

Sandeep




RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Thanks

We suspected that but network folks are not able to find any device with that 
IP on the BLS network.

Also, it seems the firewall folks claim they looked for the traffic coming into the 
BLS network; if the redirect is happening from a host which is 146.142.7.113, 
they should have seen some traffic, correct? Apparently we do not see any 
traffic.

Thanks
Sandeep


-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns (registered with the registrar) the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet (outside of the BLS network) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in the UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on what is going on here? It does not look 
> like a DNS issue to me, but I could be wrong.
>
> Thanks
> Sandeep
>
There is a host listening on 146.142.7.113 tcp port 80. It's issuing a
302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.  
That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.

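Reindl's four steps above (a client calls the IP, a web server on it answers with a redirect header, the client follows) and Lyle's observation that the chain is a 302 to www.watcheezy.com followed by a 301 to us.watcheezy.com describe exactly what a browser hides from the firewall team: every hop is a separate request that the client initiates. The following is an added example, not code from the thread: a Python follower that never auto-follows, records each hop's status and Location, and stops on loops. The local HTTP server it starts is a constructed stand-in for 146.142.7.113 and the two watcheezy.com hosts; nothing here contacts the real addresses.

```python
"""Follow an HTTP redirect chain one hop at a time, recording each
status and Location: header instead of letting the client auto-follow.

Added example; not code from the thread. The local test server is a
constructed stand-in for the 302 -> 301 chain reported by Lyle; nothing
here contacts 146.142.7.113 or watcheezy.com."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch_once(url, timeout=5):
    """One HEAD request; http.client never follows redirects on its own.
    Host: is sent exactly as typed, so a bare IP stays a bare IP, which is
    what the telnet and wget sessions in the thread did."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/", headers={"Host": parts.netloc})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow_chain(url, max_hops=10):
    """Return [(url, status, location), ...], one entry per hop, stopping at
    the first non-redirect, a redirect without Location, a revisited URL
    (loop) or max_hops."""
    chain, seen = [], set()
    while url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, location = fetch_once(url)
        chain.append((url, status, location))
        if status not in REDIRECT_STATUSES or not location:
            break
        url = location
    return chain


class FakeRedirectChain(BaseHTTPRequestHandler):
    """Constructed stand-in: '/' plays 146.142.7.113 (302), '/www/' plays
    www.watcheezy.com (301), '/us/' plays us.watcheezy.com (200), and
    '/loop/' redirects to itself to exercise the loop guard."""

    def _reply(self, status, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_HEAD(self):
        base = "http://" + self.headers["Host"]
        routes = {"/": (302, base + "/www/"), "/www/": (301, base + "/us/"),
                  "/us/": (200, None), "/loop/": (302, base + "/loop/")}
        status, location = routes.get(self.path, (404, None))
        self._reply(status, location)

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_chain_on_test_server(start_path="/"):
    """Start the constructed server on a free port, follow the chain from
    start_path, and return hops as (path, status, location_path)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeRedirectChain)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{srv.server_port}"
        hops = follow_chain(base + start_path)
        return [(urlsplit(u).path, s, urlsplit(l).path if l else None)
                for u, s, l in hops]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for hop in run_chain_on_test_server("/"):
        print(hop)  # ('/', 302, '/www/'), ('/www/', 301, '/us/'), ('/us/', 200, None)
```

Against a real target you would call `follow_chain("http://146.142.7.113/")` directly; the list it returns is the evidence to hand the firewall team, since each tuple is a connection to a different host that their capture filter on the original IP will never see.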


Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
A security scan is only a probe and does not change a web server's 
content or configuration in any way.


Performing an http://x1.x2.x3.x4 request, where x... are the 4 IP octets, does 
not involve DNS in any way.


IP is loaded inside the IEEE MAC "train" but works with dotted IPv4/v6 addresses 
and not with DNS names.


When you ask for a NAME (not an IP), it is resolved by whatever DNS is configured inside your 
TCP/IP configuration, but if you ask for a direct IP, DNS is skipped entirely and it is 
a DIRECT CALL.








-Original Message-
From: John Miller [mailto:johnm...@brandeis.edu]
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address 
and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address.  Could be a rogue 
device or some sort of routing issue.  Here's a traceroute from the Brandeis 
network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms  204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms  0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24!  I'd have a chat with your 
network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue?  Do any DNS records point to 
146.142.7.113?  There's no reverse record for it that I can see.

John


RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR

-Original Message-
From: Mukund Sivaraman [mailto:m...@isc.org] 
Sent: Saturday, September 17, 2016 12:01 PM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: 'bind-users@lists.isc.org' <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

On Sat, Sep 17, 2016 at 03:51:00PM +0000, Bhangui, Sandeep - BLS CTR wrote:
> Hi
> 
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
> 
> Our organization BLS owns (registered with the registrar) the network 
> address 146.142.xxx.xxx.
> 
> But if someone from the Internet (outside of the BLS network) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in the UK called 
> "us.watcheezy.com"
> 
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS. 
> 
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
> 
> Can anyone throw some light on what is going on here? It does not look 
> like a DNS issue to me, but I could be wrong.


[muks@jurassic ~]$ wget --debug http://146.142.7.113
DEBUG output created by Wget 1.18 on linux-gnu.

Reading HSTS entries from /home/muks/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2016-09-17 21:28:13--  http://146.142.7.113/
Connecting to 146.142.7.113:80... connected.
Created socket 3.
Releasing 0x564b513bd220 (new refcount 0).
Deleting unused 0x564b513bd220.

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 146.142.7.113
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:26:06 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


It is a HTTP redirect (see the location: header above). Check the configuration 
of the HTTP server (webserver) that's serving for this IP address.


I think you are referring to www.watcheezy.com when you say check the 
configuration of the HTTP server. If that is the case, that server is not 
ours; I believe this site is from the UK, and I do not even know where the server is 
actually hosted.

I apologize if I have not understood your response correctly.

Sandeep




Mukund

RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Thanks John

The Security Dept from BLS reported this to our team, which manages the DNS and 
infrastructure. I think some scans run by them on the network may have caught 
this, not sure though.

And yes we do not have any record for that IP in our DNS for bls.gov zone.

Sandeep



-Original Message-
From: John Miller [mailto:johnm...@brandeis.edu] 
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address 
and got:

john@millspad:~$ telnet 146.142.7.113 80 Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address.  Could be a rogue 
device or some sort of routing issue.  Here's a traceroute from the Brandeis 
network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms  204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms  0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24!  I'd have a chat with your 
network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue?  Do any DNS records point to 
146.142.7.113?  There's no reverse record for it that I can see.

John

On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR 
<bhangui.sand...@bls.gov> wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns ( registered with the registrar )  the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look 
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep



Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread John Miller
Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP
address and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address.  Could be a
rogue device or some sort of routing issue.  Here's a traceroute from
the Brandeis network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms  204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms  0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24!  I'd have a chat
with your network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue?  Do any DNS records
point to 146.142.7.113?  There's no reverse record for it that I can
see.

John

On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR
 wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns ( registered with the registrar )  the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look 
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep


Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Mukund Sivaraman
On Sat, Sep 17, 2016 at 03:51:00PM +, Bhangui, Sandeep - BLS CTR wrote:
> Hi
> 
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
> 
> Our organization BLS owns ( registered with the registrar )  the network 
> address 146.142.xxx.xxx.
> 
> But if someone from the Internet ( outside of BLS network ) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in UK called 
> "us.watcheezy.com" 
> 
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS. 
> 
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
> 
> Can anyone throw some light on as to what is going on here. Does not look 
> like a DNS issue to me but I could be wrong.


[muks@jurassic ~]$ wget --debug http://146.142.7.113
DEBUG output created by Wget 1.18 on linux-gnu.

Reading HSTS entries from /home/muks/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2016-09-17 21:28:13--  http://146.142.7.113/
Connecting to 146.142.7.113:80... connected.
Created socket 3.
Releasing 0x564b513bd220 (new refcount 0).
Deleting unused 0x564b513bd220.

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 146.142.7.113
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:26:06 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


It is an HTTP redirect (see the location: header above). Check the
configuration of the HTTP server (webserver) that's serving for this IP
address.

Mukund
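John's raw telnet GET and Mukund's wget --debug both show the 302 and its Location header without following it. The added example below, written for this thread and not posted by anyone on the list, automates that check: it walks the redirect chain one hop at a time and stops at the first Location that points outside the address space you own, so the off-prefix target is reported rather than fetched. The 146.142.0.0/16 prefix, the www.watcheezy.example target and the in-process test server are constructed assumptions.

```python
# Added example for this thread (not any list member's code): walk a redirect
# chain hop by hop as a raw GET shows it, stopping at the first Location that
# leaves your own address space. The prefix and local server are constructed.
import http.client, ipaddress, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

OWN_PREFIX = ipaddress.ip_network("146.142.0.0/16")  # assumed BLS range
def in_own_prefix(host, prefix=OWN_PREFIX):  # literal address in prefix only
    try:
        return ipaddress.ip_address(host) in prefix
    except ValueError:
        return False  # a hostname, not an address: treat as external

def follow_chain(url, in_scope=in_own_prefix, max_hops=5):
    """[(url, status)]; an out-of-scope host gets status None, never contacted."""
    chain = []
    for _ in range(max_hops):
        u = urlsplit(url)
        if not in_scope(u.hostname):
            chain.append((url, None))  # the off-prefix Location is the finding
            break
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
        conn.request("GET", u.path or "/")  # one raw GET, no auto-follow
        resp = conn.getresponse()
        hdrs = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        chain.append((url, resp.status))
        if resp.status not in (301, 302, 303, 307, 308) or "location" not in hdrs:
            break
        url = hdrs["location"]
    return chain

class _Hop(BaseHTTPRequestHandler):  # constructed stand-in: 302, then 301 off-site
    def do_GET(self):
        ext = self.path != "/"
        self.send_response(301 if ext else 302)
        self.send_header("Location", "http://www.watcheezy.example/" if ext
                         else "http://127.0.0.1:%d/2" % self.server.server_port)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def demo():  # walk the local stand-in, treating loopback as in scope
    srv = HTTPServer(("127.0.0.1", 0), _Hop)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return follow_chain("http://127.0.0.1:%d/" % srv.server_port, lambda h: h == "127.0.0.1")
    finally:
        srv.shutdown()
```

Against a real address, call follow_chain("http://146.142.7.113/") with the default in_scope; the returned chain ends at the first hop whose Location is a hostname or an address outside the prefix.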



Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Lyle

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:

> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns ( registered with the registrar )  the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of any 
> kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look 
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep

There is a host listening on 146.142.7.113 tcp port 80. It's issuing a 
302 redirect to http://www.watcheezy.com at IP address 37.187.76.95.  
That host is issuing a 301 redirect to http://us.watcheezy.com at 
37.187.76.95.


Lyle Giese
LCR Computer Services, Inc.
