Hijacked Web Site?

***tonybradley*** · June 19th, 2003, 03:11 PM

My wife is doing some graphics and development for a site called v-staffing.com.

When you visit the site currently the following message pops up allegedly as if it is from the web host:

www.v-staffing.com is temporarily off line due to a misconfigured DNS, please check again in a little bit.

If you are the webmaster for www.v-staffing.com, please send an email to me with information on how to contact you so that I can redirect web traffic to your site for the duration of this condiditon. i need to know your web sites actual ip address because the one in your dns record is wrong. if you send it with your initial request, i can implement it faster. also, let me know if you want me to bounce email to your domain or collect it and save it for you. Please be patient, over 135 affected domains have been identified so far. The process is tedious for me.

Since you are here, feel free to surf the cooking database or play with the 6 degrees of kevin bacon (or any other actor).

The title of the web page lists the IP Address 208.170.71.73 and the email address that the message links to is webmaster@heigel.net

According to a WhoIs lookup, the DNS servers are listed as:

Domain Name Servers:
NS1.IPOWERWEB.NET
NS1.IPOWERDNS.COM
NS2.IPOWERWEB.NET

These servers translate to the following addresses according to Ping results:

ns1.ipowerweb.net = 64.70.61.130
ns1.ipowerdns.com = 12.129.206.202
ns2.ipowerweb.net = 12.129.206.200

So- is anyone familiar with the IP 208.170.71.173 or the email address webmaster@heigel.net?? Are these associated with any known attackers?

Does this seem like a cross-site scripting issue?

***SirDice*** · June 19th, 2003, 03:29 PM

Did you try to fetch the source at www.v-staffing.com?

When I netcat to www and do a GET / HTTP/1.1 I get something that looks like it's from virtual staffing.

Just checked with a regular browser and I get a message stating It's comming soon.
Looks legit to me.

Edit: Just looked through the netcat output but I see no chance for a XSS hole. As far as I can tell there are no user input fields.
Maybe your DNS (cache) is poisened?

**snow_crash** · June 19th, 2003, 04:02 PM

A message like that tells me that someone has either hacked your site or is attempting to hack it. Tell your wife to get in touch with the webmaster of the site (unless she is the webmaster) as well as the people who host the site.

Do not give out any information like what is being asked for. A legitimate ISP/Webserver Host would already know what IP Addresses you use/have and would also have legitimate physical contact information. There is no need for them to not physically contact you for information EPSECIALLY when there is a DNS problem like the message states.

***tonybradley*** · June 19th, 2003, 04:07 PM

That was sort of my thinking really.

If this message was posted by the people who run the server, they are also the one's who assign the IP address. The people who own the server that hosts the web site are the someone's who own the DNS servers that the domain points to.

Plus, if you do a WhoIs on the domain name it gives you contact name and info for the owner of the site. It takes all of 3 seconds to pull that information if you legitimately wanted to contact the site owner.

**cutty** · June 19th, 2003, 04:17 PM

Something really isn't right there. Did you get that same info link for IP 12.129.206.202 that you have listed.

I wouldn't trust that. Check up on it and see what's the deal.

Guidance...

***tonybradley*** · June 19th, 2003, 04:19 PM

Possibly DNS Cache Poisoning like SirDice suggested?

I still see the mystery message and it doesn't seem like it could be legit at all. The owners of the server also host the web site and own the DNS servers that the domain points to. If they have a problem with their DNS records they would just fix it- not set some message to try and get the domain owner to contact them.

Besides that if I wanted to contact the domain owner I would just pull up the WhoIs info and contact them- it takes 3 seconds.

Using a different computer connected through VPN to different DNS servers I see the v-staffing.org coming soon - 2003 message that should be there.

But, from my computer connected to Wide Open West I still get the mystery message and from the domain owners computer using Earthlink she is seeing the mystery message as well.

Who would you recommend reporting something like this to?

***SirDice*** · June 19th, 2003, 04:33 PM

Another possibility would be someone sending you icmp redirects. Try putting a sniffer on that interface and try again. Look for odd traffic that shouldn't be there.

**PuReExcTacy** · June 19th, 2003, 05:13 PM

Have you already contacted your webhost to ensure that the message was legit? If it isn't, they'll let you know right. Also, it seems you might have an Ip address to check back to if it was a hack. Contacting your webhost would be the best start.

--PuRe

**ccKid** · June 20th, 2003, 12:07 AM

TonyBradley,

I checked the address and the owner of the DNS server must have fixed the problem because I got to the main page. It seems to me that someone attempted to hijack/redirect the IP address. I would think that if this was to happen again you would want to contact the owner of the DNS server to advise them that someone has penetrated the DNS server and they should take appropriate action.

ccKid

***NeuTron*** · June 20th, 2003, 12:31 AM

The title of the web page lists the IP Address 208.170.71.73 and the email address that the message links to is webmaster@heigel.net

That IP belongs to Terracom network in Maddison, Wisconnsin. It is a DSL subscriber and looks very bogus to me. I would bet money that this was an attack of some kind.

It seems to me that someone attempted to hijack/redirect the IP address.

I agree........

Thread: Hijacked Web Site?

Thread Tools

Display

Hijacked Web Site?

Posting Permissions