Hijacked Web Site?
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Hijacked Web Site?

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Hijacked Web Site?

    My wife is doing some graphics and development for a site called v-staffing.com.

    When you visit the site currently the following message pops up allegedly as if it is from the web host:

    www.v-staffing.com is temporarily off line due to a misconfigured DNS, please check again in a little bit.


    If you are the webmaster for www.v-staffing.com, please send an email to me with information on how to contact you so that I can redirect web traffic to your site for the duration of this condiditon. i need to know your web sites actual ip address because the one in your dns record is wrong. if you send it with your initial request, i can implement it faster. also, let me know if you want me to bounce email to your domain or collect it and save it for you. Please be patient, over 135 affected domains have been identified so far. The process is tedious for me.

    Since you are here, feel free to surf the cooking database or play with the 6 degrees of kevin bacon (or any other actor).
    The title of the web page lists the IP Address 208.170.71.73 and the email address that the message links to is webmaster@heigel.net

    According to a WhoIs lookup, the DNS servers are listed as:

    Domain Name Servers:
    NS1.IPOWERWEB.NET
    NS1.IPOWERDNS.COM
    NS2.IPOWERWEB.NET
    These servers translate to the following addresses according to Ping results:

    ns1.ipowerweb.net = 64.70.61.130
    ns1.ipowerdns.com = 12.129.206.202
    ns2.ipowerweb.net = 12.129.206.200

    So- is anyone familiar with the IP 208.170.71.173 or the email address webmaster@heigel.net?? Are these associated with any known attackers?

    Does this seem like a cross-site scripting issue?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Did you try to fetch the source at www.v-staffing.com?

    When I netcat to www and do a GET / HTTP/1.1 I get something that looks like it's from virtual staffing.

    Just checked with a regular browser and I get a message stating It's comming soon.
    Looks legit to me.

    Edit: Just looked through the netcat output but I see no chance for a XSS hole. As far as I can tell there are no user input fields.
    Maybe your DNS (cache) is poisened?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member
    Join Date
    Jun 2003
    Posts
    5
    A message like that tells me that someone has either hacked your site or is attempting to hack it. Tell your wife to get in touch with the webmaster of the site (unless she is the webmaster) as well as the people who host the site.

    Do not give out any information like what is being asked for. A legitimate ISP/Webserver Host would already know what IP Addresses you use/have and would also have legitimate physical contact information. There is no need for them to not physically contact you for information EPSECIALLY when there is a DNS problem like the message states.

  4. #4
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    That was sort of my thinking really.

    If this message was posted by the people who run the server, they are also the one's who assign the IP address. The people who own the server that hosts the web site are the someone's who own the DNS servers that the domain points to.

    Plus, if you do a WhoIs on the domain name it gives you contact name and info for the owner of the site. It takes all of 3 seconds to pull that information if you legitimately wanted to contact the site owner.

  5. #5
    Senior Member
    Join Date
    Jul 2002
    Posts
    315
    Something really isn't right there. Did you get that same info link for IP 12.129.206.202 that you have listed.

    I wouldn't trust that. Check up on it and see what's the deal.

    Guidance...
    - The mind is too beautiful to waste...
    Cutty


  6. #6
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    Possibly DNS Cache Poisoning like SirDice suggested?

    I still see the mystery message and it doesn't seem like it could be legit at all. The owners of the server also host the web site and own the DNS servers that the domain points to. If they have a problem with their DNS records they would just fix it- not set some message to try and get the domain owner to contact them.

    Besides that if I wanted to contact the domain owner I would just pull up the WhoIs info and contact them- it takes 3 seconds.

    Using a different computer connected through VPN to different DNS servers I see the v-staffing.org coming soon - 2003 message that should be there.

    But, from my computer connected to Wide Open West I still get the mystery message and from the domain owners computer using Earthlink she is seeing the mystery message as well.

    Who would you recommend reporting something like this to?

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Another possibility would be someone sending you icmp redirects. Try putting a sniffer on that interface and try again. Look for odd traffic that shouldn't be there.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Have you already contacted your webhost to ensure that the message was legit? If it isn't, they'll let you know right. Also, it seems you might have an Ip address to check back to if it was a hack. Contacting your webhost would be the best start.


    --PuRe
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  9. #9
    Member
    Join Date
    Feb 2002
    Posts
    87
    TonyBradley,

    I checked the address and the owner of the DNS server must have fixed the problem because I got to the main page. It seems to me that someone attempted to hijack/redirect the IP address. I would think that if this was to happen again you would want to contact the owner of the DNS server to advise them that someone has penetrated the DNS server and they should take appropriate action.


    ccKid

  10. #10
    AO Veteran NeuTron's Avatar
    Join Date
    Apr 2003
    Posts
    550
    The title of the web page lists the IP Address 208.170.71.73 and the email address that the message links to is webmaster@heigel.net
    That IP belongs to Terracom network in Maddison, Wisconnsin. It is a DSL subscriber and looks very bogus to me. I would bet money that this was an attack of some kind.

    It seems to me that someone attempted to hijack/redirect the IP address.
    I agree........

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •