Re: Organization IP address is getting redirected to a website which does not belong to the organization.
big security problem if you have an uncontrolled and not authorized web server on that ip and that is not firewalled

to find it out check arp tables on switches to follow the switch port where it is physically linked

https://www.linkedin.com/in/alberto-colosi

From: Bhangui, Sandeep - BLS CTR
Sent: Saturday, September 17, 2016 7:52 PM
To: Alberto; bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Understood and I am sure they are aware of those protocols. We do not have a webserver which is hosted on 146.142.7.113 that I can categorically say as that falls under our team. Network folks are having a tough time even finding an active device with that IP on the network.

Thanks
Sandeep

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alberto
Sent: Saturday, September 17, 2016 12:52 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

hmmm if they manage firewalls, they should be aware of TCP/IP fundamentals and HTTP working and much more

the browser performs a GET on 146.142.7.113 with RFC HTTP protocol
then 146.142.7.113 says item moved / redirect to http://us.watcheezy.com/

you have to check web server configuration or HTML / PHP / pages on the root link from the web server 146.142.7.113

when the browser gets a REDIRECT, it is the browser on the client machine that performs a new GET statement on the new address
it is normal that the firewall team sees nothing unless a packet capture and analysis is performed

From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Sent: Saturday, September 17, 2016 6:43 PM
To: Lyle; bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Thanks

We suspected that but network folks are not able to find any device with that IP on the BLS network. Also it seems firewall folks claim they looked for the traffic coming in the BLS network and if the redirect is happening from a host which is 146.142.7.113 they should have seen some traffic, correct? And apparently we do not see any traffic.

Thanks
Sandeep

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep

There is a host listening on 146.142.7.113 tcp port 80. It's issuing a 302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.

That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Organization IP address is getting redirected to a website which does not belong to the organization.
On 17.09.2016 at 19:52, Bhangui, Sandeep - BLS CTR wrote:
> Understood and I am sure they are aware of those protocols. We do not have a webserver which is hosted on 146.142.7.113 that I can categorically say as that falls under our team

uhm you do have - a Ubuntu machine

if it's not intended to be a webserver, congratulations to the firewall team you are talking about when it's reachable on port 80 and nobody knows what's running there

[harry@srv-rhsoft:~]$ curl --head http://146.142.7.113/
HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 18:36:18 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Re: Organization IP address is getting redirected to a website which does not belong to the organization.
On 17.09.2016 at 17:51, Bhangui, Sandeep - BLS CTR wrote:
> Our organization BLS owns ( registered with the registrar ) the network address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to "http://146.142.7.113" it gets redirected to a site in UK called "us.watcheezy.com"

so this has *nothing* to do with DNS at all

* someone is calling a server on port 80 with its *ip-address*
* on that machine listens a webserver on port 80
* that webserver sends a redirect header
* the client follows that redirect header

that's it - go to that machine and look what is redirecting and why it allows calling without a hostname at all (default mod_security rules would forbid that)

but as said: that is not a DNS topic at all
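The four steps above, as an added example that is not code from the thread: a small Python client that does what the telnet and curl checks on this page did by hand, connecting by IP, sending a bare GET and following the Location header hop by hop. The transport is injectable so it runs offline; the CAPTURED fixture is the thread's 302 plus a constructed 301 and 200, socket_fetch is the live transport, and the function and fixture names are this example's own.

```python
"""Trace an HTTP redirect chain the way Lyle and John did by hand with telnet:
connect to the bare IP, send a minimal GET, read the status line and Location
header, and follow it hop by hop.  The transport is injectable so the chain can
be checked offline against captured or constructed responses."""
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_request(host_header, path="/"):
    """Minimal HTTP/1.1 request, equivalent to what was typed into telnet."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
            f"User-Agent: redirect-trace/0.1\r\nConnection: close\r\n\r\n").encode()


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response.

    Header names are lower-cased before lookup: the Apache in the thread sent
    'location:' in lower case, and RFC 7230 makes field names case-insensitive,
    so a checker that matches only 'Location' would miss the redirect."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def socket_fetch(host, port, request, timeout=5.0):
    """Real transport: plain TCP, send the request, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def trace_redirects(url, fetch=socket_fetch, max_hops=10):
    """Follow 3xx Location headers; return [(url, status, location), ...].

    fetch(host, port, request_bytes) -> response_bytes.  Only plain http:// is
    handled by this socket client; an https:// hop ends the trace with status None."""
    chain, seen = [], set()
    while len(chain) < max_hops:
        if url in seen:
            chain.append((url, None, "redirect loop"))
            break
        seen.add(url)
        parts = urlsplit(url)
        if parts.scheme != "http":
            chain.append((url, None, "scheme not handled"))
            break
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        raw = fetch(parts.hostname, parts.port or 80, build_request(parts.netloc, path))
        status, headers = parse_response(raw)
        location = headers.get("location")
        if location:
            location = urljoin(url, location)  # relative Location values are legal
        chain.append((url, status, location))
        if status not in REDIRECT_CODES or not location:
            break
        url = location
    return chain


# Constructed offline fixture.  The first response is the one captured in the
# thread; the 301 from www.watcheezy.com is the hop Lyle described, with
# constructed headers; the final 200 is constructed.
CAPTURED = {
    "146.142.7.113": (b"HTTP/1.1 302 Found\r\nDate: Sat, 17 Sep 2016 16:30:46 GMT\r\n"
                      b"Server: Apache/2.2.22 (Ubuntu)\r\nX-Powered-By: PHP/5.4.9-4ubuntu2.3\r\n"
                      b"location: http://www.watcheezy.com/\r\nVary: Accept-Encoding\r\n"
                      b"Content-Length: 0\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"),
    "www.watcheezy.com": (b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://us.watcheezy.com/\r\n"
                          b"Content-Length: 0\r\nConnection: close\r\n\r\n"),
    "us.watcheezy.com": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 2\r\n\r\nok",
}


def fake_fetch(host, port, request):
    """Offline transport that answers from the fixture above."""
    return CAPTURED[host]


if __name__ == "__main__":
    # Drop fetch=fake_fetch to use the default socket_fetch against a live address.
    for hop_url, status, location in trace_redirects("http://146.142.7.113/", fetch=fake_fetch):
        print(f"{hop_url}  ->  {status}  {location or ''}")
```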
RE: Organization IP address is getting redirected to a website which does not belong to the organization.
Understood and I am sure they are aware of those protocols. We do not have a webserver which is hosted on 146.142.7.113 that I can categorically say as that falls under our team. Network folks are having a tough time even finding an active device with that IP on the network.

Thanks
Sandeep

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alberto
Sent: Saturday, September 17, 2016 12:52 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

hmmm if they manage firewalls, they should be aware of TCP/IP fundamentals and HTTP working and much more

the browser performs a GET on 146.142.7.113 with RFC HTTP protocol
then 146.142.7.113 says item moved / redirect to http://us.watcheezy.com/

you have to check web server configuration or HTML / PHP / pages on the root link from the web server 146.142.7.113

when the browser gets a REDIRECT, it is the browser on the client machine that performs a new GET statement on the new address
it is normal that the firewall team sees nothing unless a packet capture and analysis is performed

From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Sent: Saturday, September 17, 2016 6:43 PM
To: Lyle; bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Thanks

We suspected that but network folks are not able to find any device with that IP on the BLS network. Also it seems firewall folks claim they looked for the traffic coming in the BLS network and if the redirect is happening from a host which is 146.142.7.113 they should have seen some traffic, correct? And apparently we do not see any traffic.

Thanks
Sandeep

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep

There is a host listening on 146.142.7.113 tcp port 80. It's issuing a 302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.

That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.
Re: Organization IP address is getting redirected to a website which does not belong to the organization.
hmmm if they manage firewalls, they should be aware of TCP/IP fundamentals and HTTP working and much more

the browser performs a GET on 146.142.7.113 with RFC HTTP protocol
then 146.142.7.113 says item moved / redirect to http://us.watcheezy.com/

you have to check web server configuration or HTML / PHP / pages on the root link from the web server 146.142.7.113

when the browser gets a REDIRECT, it is the browser on the client machine that performs a new GET statement on the new address
it is normal that the firewall team sees nothing unless a packet capture and analysis is performed

From: bind-users on behalf of Bhangui, Sandeep - BLS CTR
Sent: Saturday, September 17, 2016 6:43 PM
To: Lyle; bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Thanks

We suspected that but network folks are not able to find any device with that IP on the BLS network. Also it seems firewall folks claim they looked for the traffic coming in the BLS network and if the redirect is happening from a host which is 146.142.7.113 they should have seen some traffic, correct? And apparently we do not see any traffic.

Thanks
Sandeep

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep

There is a host listening on 146.142.7.113 tcp port 80. It's issuing a 302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.

That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.
RE: Organization IP address is getting redirected to a website which does not belong to the organization.
Thanks & Understood, and that is what I had thought. I am trying to help BLS folks to resolve the situation as http requests to that IP from the Internet, which is registered with BLS, are going to a site which does not belong to us.

Sandeep

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alberto
Sent: Saturday, September 17, 2016 12:43 PM
Cc: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

A security scan is only a probe and does not change in any way a web server content or configuration.

performing a http://x1.x2.x3.x4 statement where x... are the 4 IP octets does not involve DNS in any way

IP is loaded inside IEEE MAC "train" but works with dotted IPv4 / v6 addresses and not with DNS names.

When you ask a NAME (not an IP) it is resolved from any DNS configured inside your TCP/IP configuration, but if you ask a direct IP, DNS is totally jumped and it is a DIRECT CALL

From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Sent: Saturday, September 17, 2016 6:33 PM
To: John Miller
Cc: bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Thanks John

Security Dept from BLS reported this to our team which manages the DNS and infrastructure. I think some scans run by them on the network may have caught this, not sure though. And yes we do not have any record for that IP in our DNS for bls.gov zone.

Sandeep

-----Original Message-----
From: John Miller [mailto:johnm...@brandeis.edu]
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address. Could be a rogue device or some sort of routing issue. Here's a traceroute from the Brandeis network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms 204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24! I'd have a chat with your network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue? Do any DNS records point to 146.142.7.113? There's no reverse record for it that I can see.

John

On Sat, Sep 17, 2016 at 11:
RE: Organization IP address is getting redirected to a website which does not belong to the organization.
Thanks

We suspected that but network folks are not able to find any device with that IP on the BLS network. Also it seems firewall folks claim they looked for the traffic coming in the BLS network and if the redirect is happening from a host which is 146.142.7.113 they should have seen some traffic, correct? And apparently we do not see any traffic.

Thanks
Sandeep

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep

There is a host listening on 146.142.7.113 tcp port 80. It's issuing a 302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.

That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.
Re: Organization IP address is getting redirected to a website which does not belong to the organization.
A security scan is only a probe and does not change in any way a web server content or configuration.

performing a http://x1.x2.x3.x4 statement where x... are the 4 IP octets does not involve DNS in any way

IP is loaded inside IEEE MAC "train" but works with dotted IPv4 / v6 addresses and not with DNS names.

When you ask a NAME (not an IP) it is resolved from any DNS configured inside your TCP/IP configuration, but if you ask a direct IP, DNS is totally jumped and it is a DIRECT CALL

From: bind-users on behalf of Bhangui, Sandeep - BLS CTR
Sent: Saturday, September 17, 2016 6:33 PM
To: John Miller
Cc: bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Thanks John

Security Dept from BLS reported this to our team which manages the DNS and infrastructure. I think some scans run by them on the network may have caught this, not sure though. And yes we do not have any record for that IP in our DNS for bls.gov zone.

Sandeep

-----Original Message-----
From: John Miller [mailto:johnm...@brandeis.edu]
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR
Cc: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address. Could be a rogue device or some sort of routing issue. Here's a traceroute from the Brandeis network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms 204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24! I'd have a chat with your network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue? Do any DNS records point to 146.142.7.113? There's no reverse record for it that I can see.

John

On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to b
RE: Organization IP address is getting redirected to a website which does not belong to the organization.
-----Original Message-----
From: Mukund Sivaraman [mailto:m...@isc.org]
Sent: Saturday, September 17, 2016 12:01 PM
To: Bhangui, Sandeep - BLS CTR
Cc: 'bind-users@lists.isc.org'
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

On Sat, Sep 17, 2016 at 03:51:00PM +0000, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look
> like a DNS issue to me but I could be wrong.

[muks@jurassic ~]$ wget --debug http://146.142.7.113
DEBUG output created by Wget 1.18 on linux-gnu.

Reading HSTS entries from /home/muks/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2016-09-17 21:28:13--  http://146.142.7.113/
Connecting to 146.142.7.113:80... connected.
Created socket 3.
Releasing 0x564b513bd220 (new refcount 0).
Deleting unused 0x564b513bd220.

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 146.142.7.113
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:26:06 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

It is a HTTP redirect (see the location: header above). Check the configuration of the HTTP server (webserver) that's serving for this IP address.

I think you are referring to www.watcheezy.com when you say check the configuration of the HTTP server. If that is the case, that server is not ours. I believe this site is from UK; I do not even know where the server is actually hosted. I apologize if I have not understood your response correctly.

Sandeep

Mukund
RE: Organization IP address is getting redirected to a website which does not belong to the organization.
Thanks John

Security Dept from BLS reported this to our team, which manages the DNS and infrastructure. I think some scans run by them on the network may have caught this, not sure though. And yes, we do not have any record for that IP in our DNS for the bls.gov zone.

Sandeep

-----Original Message-----
From: John Miller [mailto:johnm...@brandeis.edu]
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR
Cc: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address. Could be a rogue device or some sort of routing issue.

Here's a traceroute from the Brandeis network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms 204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24! I'd have a chat with your network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue? Do any DNS records point to 146.142.7.113? There's no reverse record for it that I can see.

John

On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet [ outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
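John's observation that the path spends thirteen hops inside a single /24 and gains well over 100 ms doing so is the kind of thing worth measuring rather than eyeballing before talking to the network team. The script below is an added example, not John's or anyone else's code from this thread: it parses traceroute output, finds the destination's /24, lists the hops that answer from inside that prefix, and reports how much round-trip time accumulates between the first in-prefix hop and the destination. The sample input is hops 11 to 25 of the traceroute above, transcribed as an excerpt; the "more than 3 hops inside the destination prefix" threshold (`max_expected`) is an assumption you would tune to your own topology.

```python
import ipaddress
import re

# Excerpt (hops 11 to 25) of the traceroute posted in this thread, used as sample
# input so the script runs offline; feed it full live output in practice.
SAMPLE_TRACEROUTE = """\
11 GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21) 14.489 ms 14.502 ms 14.311 ms
12 bls-gw.customer.alter.net (152.179.53.66) 15.437 ms 16.771 ms 16.918 ms
13 146.142.7.129 (146.142.7.129) 17.427 ms 17.338 ms 17.421 ms
14 146.142.7.96 (146.142.7.96) 20.523 ms 20.475 ms 20.421 ms
15 146.142.7.97 (146.142.7.97) 21.510 ms 21.471 ms 21.409 ms
16 146.142.7.83 (146.142.7.83) 18.520 ms 18.453 ms 18.359 ms
17 146.142.7.142 (146.142.7.142) 21.138 ms 21.098 ms 19.436 ms
18 146.142.7.93 (146.142.7.93) 43.152 ms 43.061 ms 43.062 ms
19 146.142.7.66 (146.142.7.66) 133.226 ms 133.169 ms 133.147 ms
20 146.142.7.112 (146.142.7.112) 130.701 ms 130.606 ms 130.737 ms
21 * * *
22 146.142.7.68 (146.142.7.68) 135.039 ms 134.986 ms 134.897 ms
23 146.142.7.132 (146.142.7.132) 127.341 ms 127.256 ms 127.221 ms
24 146.142.7.87 (146.142.7.87) 126.358 ms * *
25 146.142.7.113 (146.142.7.113) 154.693 ms 156.353 ms 156.385 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                 # "13  host (addr) ..."
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")     # every "(a.b.c.d)" on the line
RTT_RE = re.compile(r"([\d.]+) ms")                         # every "N ms" probe result


def parse_hops(text):
    """Return a list of (hop, [addresses], [rtts_ms]); a '* * *' hop yields empty lists."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skips the "traceroute to ..." banner and blank lines
        body = m.group(2)
        hops.append((int(m.group(1)),
                     ADDR_RE.findall(body),
                     [float(x) for x in RTT_RE.findall(body)]))
    return hops


def destination_prefix(hops, prefix_len=24):
    """Prefix containing the last answering hop, i.e. the destination's own network."""
    for _, addrs, _ in reversed(hops):
        if addrs:
            return str(ipaddress.ip_network(f"{addrs[0]}/{prefix_len}", strict=False))
    return None


def hops_in_prefix(hops, prefix):
    """Hop numbers where at least one responding address lies inside prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [h for h, addrs, _ in hops
            if any(ipaddress.ip_address(a) in net for a in addrs)]


def assess(text, prefix_len=24, max_expected=3):
    """Flag a path that wanders through many hops of the destination prefix and report
    the round-trip time those hops add (a single /24 should add microseconds, not 100+ ms)."""
    hops = parse_hops(text)
    prefix = destination_prefix(hops, prefix_len)
    inside = hops_in_prefix(hops, prefix) if prefix else []
    rtt_added = None
    if inside:
        by_hop = {h: rtts for h, _, rtts in hops}
        entry, last = by_hop[inside[0]], by_hop[inside[-1]]
        if entry and last:
            rtt_added = round(min(last) - min(entry), 3)
    return {
        "prefix": prefix,
        "hops_inside": inside,
        "rtt_added_ms": rtt_added,
        "suspicious": len(inside) > max_expected,  # threshold is an assumption
    }


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACEROUTE
    for key, value in assess(data).items():
        print(f"{key}: {value}")
```

Pipe a live `traceroute` into it or run it bare to analyse the embedded excerpt; the hop list and the added latency are the two numbers to put in front of the network admins, since either a long in-prefix chain or a large RTT jump inside a single subnet is evidence the traffic is being carried somewhere it should not be.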
Re: Organization IP address is getting redirected to a website which does not belong to the organization.
On Sat, Sep 17, 2016 at 03:51:00PM +0000, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet [ outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look
> like a DNS issue to me but I could be wrong.

[muks@jurassic ~]$ wget --debug http://146.142.7.113
DEBUG output created by Wget 1.18 on linux-gnu.
Reading HSTS entries from /home/muks/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2016-09-17 21:28:13--  http://146.142.7.113/
Connecting to 146.142.7.113:80... connected.
Created socket 3.
Releasing 0x564b513bd220 (new refcount 0).
Deleting unused 0x564b513bd220.

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 146.142.7.113
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:26:06 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

It is an HTTP redirect (see the location: header above). Check the configuration of the HTTP server (webserver) that's serving for this IP address.

Mukund
Re: Organization IP address is getting redirected to a website which does not belong to the organization.
On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this
> forum can provide some advice/suggestion as I am trying to figure out what is
> going on.
>
> Our organization BLS owns ( registered with the registrar ) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet [ outside of BLS network ) tries to go to
> "http://146.142.7.113" it gets redirected to a site in UK called
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep

There is a host listening on 146.142.7.113 tcp port 80. It's issuing a 302 redirect to http://www.watcheezy.com at ip address 37.187.76.95. That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.
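John's telnet session, Mukund's `wget --debug` run and Lyle's two-step 302/301 chain all make the same point: the redirect is produced by whatever answers on port 80 at that address, and a browser silently follows it, which is why DNS and the firewall team see nothing odd. The script below is an added example, not any of the posters' own commands, that turns that manual check into a repeatable one: it parses a raw HTTP response head the way you would read it off telnet, and walks a redirect chain one hop at a time without auto-following, recording the status and `Location` at each hop so you can tell which host introduced which redirect. The recorded responses are a constructed replay of what the thread reports (302 to www.watcheezy.com, then 301 to us.watcheezy.com); `fetch_once` is the live single-request fetcher you would pass instead, and the hop limit of 8 is an assumption.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# The 302 response head John pasted from telnet, transcribed here as sample input.
RAW_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 17 Sep 2016 16:30:46 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.4.9-4ubuntu2.3\r\n"
    "location: http://www.watcheezy.com/\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed replay of the chain reported in the thread, so the walk runs offline.
RECORDED = {
    "http://146.142.7.113/": (302, {"location": "http://www.watcheezy.com/",
                                    "server": "Apache/2.2.22 (Ubuntu)"}),
    "http://www.watcheezy.com/": (301, {"location": "http://us.watcheezy.com/"}),
    "http://us.watcheezy.com/": (200, {"content-type": "text/html"}),
}


def parse_response_head(raw):
    """Parse the status line and headers of a raw HTTP/1.x response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    _version, status, *_reason = lines[0].split()
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return int(status), headers


def fetch_once(url, timeout=10):
    """Live fetcher: a single GET, redirects deliberately NOT followed."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("GET", p.path or "/", headers={"Host": p.netloc,
                                                    "User-Agent": "redirect-check/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def replay_fetch(url):
    """Offline fetcher backed by the constructed RECORDED table."""
    return RECORDED.get(url, (404, {}))


def follow_chain(url, fetch=fetch_once, max_hops=8):
    """Walk redirects hop by hop; returns [(url, status, location), ...].
    Stops at a non-redirect, a redirect loop, or max_hops (assumed limit)."""
    chain, seen = [], set()
    for _ in range(max_hops):
        seen.add(url)
        status, headers = fetch(url)
        location = headers.get("location")
        chain.append((url, status, location))
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(url, location)  # Location may be relative; resolve against current URL
        if nxt in seen:
            return chain  # loop: the same URL redirected back to itself or an earlier hop
        url = nxt
    return chain


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://146.142.7.113/"
    fetcher = fetch_once if len(sys.argv) > 1 else replay_fetch
    for hop_url, status, location in follow_chain(target, fetch=fetcher):
        print(f"{status}  {hop_url}  ->  {location or '(final)'}")
```

Run it with a URL argument to do live single-hop requests, or with none to replay the recorded chain. Each line names the host that issued a given redirect, which is exactly the evidence needed to separate "our address is serving a redirect" (a web server configuration or a device answering for that IP) from anything DNS could have done.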