Hijacked Web Site?

tonybradley
Posted: Thu Jun 19, 2003 4:33 pm    Post subject: Hijacked Web Site?

My wife is doing some graphics and development for a site called v-staffing.com.

When you visit the site currently the following message pops up allegedly as if it is from the web host:

Quote:

www.v-staffing.com is temporarily off line due to a misconfigured DNS, please check again in a little bit.


If you are the webmaster for www.v-staffing.com, please send an email to me with information on how to contact you so that I can redirect web traffic to your site for the duration of this condiditon. i need to know your web sites actual ip address because the one in your dns record is wrong. if you send it with your initial request, i can implement it faster. also, let me know if you want me to bounce email to your domain or collect it and save it for you. Please be patient, over 135 affected domains have been identified so far. The process is tedious for me.

Since you are here, feel free to surf the cooking database or play with the 6 degrees of kevin bacon (or any other actor).


The title of the web page lists the IP Address 208.170.71.73 and the email address that the message links to is webmaster@heigel.net

According to a WhoIs lookup, the DNS servers are listed as:

Quote:

Domain Name Servers:
NS1.IPOWERWEB.NET
NS1.IPOWERDNS.COM
NS2.IPOWERWEB.NET



These servers translate to the following addresses according to Ping results:

ns1.ipowerweb.net = 64.70.61.130
ns1.ipowerdns.com = 12.129.206.202
ns2.ipowerweb.net = 12.129.206.200

So, is anyone familiar with the IP 208.170.71.173 or the email address webmaster@heigel.net? Are these associated with any known attackers?

Does this seem like a cross-site scripting issue?
Rottz
Posted: Thu Jun 19, 2003 4:45 pm

www.v-staffing.com has address 12.129.211.141

I'm getting the "Coming Soon" message too.

Looks like it just took a bit for DNS rootservers to catch up.

CustName: iPowerWeb
NetRange: 12.129.211.0 - 12.129.211.255
CIDR: 12.129.211.0/24
tonybradley
Posted: Thu Jun 19, 2003 5:23 pm

Possibly DNS Cache Poisoning?

I still see the other message and it doesn't seem like it could be legit at all. The owners of the server also host the web site and own the DNS servers that the domain points to. If they have a problem with their DNS records they would just fix it, not set some message to try and get the domain owner to contact them.

Besides that, if I wanted to contact the domain owner I would just pull up the WhoIs info and contact them; it takes 3 seconds.

Using a different computer connected through VPN to different DNS servers I see the v-staffing.org coming soon - 2003 message that you guys are referring to.

But, from my computer connected to Wide Open West I still get the mystery message, and from the domain owner's computer using Earthlink she is seeing the mystery message as well.

Who would you recommend reporting something like this to?
bsdjunkie
Posted: Thu Jun 19, 2003 5:33 pm

OrgName: TDS TELECOM
OrgID: TDST
Address: 301 S. Westfield Rd.
City: Madison
StateProv: WI
PostalCode: 53717
Country: US

NetRange: 208.170.64.0 - 208.170.95.255
CIDR: 208.170.64.0/19
NetName: CW-208-170-64
NetHandle: NET-208-170-64-0-1
Parent: NET-208-128-0-0-1
NetType: Reallocated
Comment:
RegDate: 1998-09-02
Updated: 2003-03-19

TechHandle: ASI5-ARIN
TechName: Sielaff, Alex
TechPhone: +1-608-664-4056
TechEmail: alexander.sielaff@tdstelecom.com

OrgAbuseHandle: ABUSE163-ARIN
OrgAbuseName: abuse
OrgAbusePhone: +1-800-358-3648
OrgAbuseEmail: abuse@tds.net

OrgTechHandle: ASI5-ARIN
OrgTechName: Sielaff, Alex
OrgTechPhone: +1-608-664-4056
OrgTechEmail: alexander.sielaff@tdstelecom.com

OrgTechHandle: KR181-ARIN
OrgTechName: Roberts, Kevin
OrgTechPhone: +1-608-664-4690
OrgTechEmail: kevin.roberts@tdstelecom.com

OrgTechHandle: DDD3-ARIN
OrgTechName: DAULO, DALE D
OrgTechPhone: +1-800-664-4538
OrgTechEmail: dale.daulo@tdstelecom.com

# ARIN WHOIS database, last updated 2003-06-18 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.
Rottz
Posted: Thu Jun 19, 2003 5:39 pm

tonybradley wrote:
Who would you recommend reporting something like this to?

I'd recommend contacting the owners of the IP space...
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-208-170-64-0-1
OrgName: TDS TELECOM
OrgID: TDST
NetRange: 208.170.64.0 - 208.170.95.255
CIDR: 208.170.64.0/19
OrgAbusePhone: +1-800-358-3648
OrgAbuseEmail: abuse@tds.net
OrgTechPhone: +1-608-664-4056
OrgTechEmail: alexander.sielaff@tdstelecom.com

and maybe CC the real owners
estraiton@snet.net (your wife?)

http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-12-129-211-0-1
TechName: AT&T Enhanced Network Services
TechPhone: +1-858-812-5000
TechEmail: notify@attens.com
OrgTechName: Network Provisioning
OrgTechPhone: +1-800-876-2373
OrgTechEmail: iptool@attens.com
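
Added example, not part of the original thread: a Python sketch of the triage the posters do by hand, grouping the address each vantage point receives and checking it against the netblocks from the WHOIS output quoted above. The per-vantage addresses are constructed from what each poster reported seeing, and `owner_of` and `triage` are hypothetical helper names.

```python
import ipaddress
from collections import defaultdict

# Netblocks copied from the WHOIS output quoted in the thread.
KNOWN_NETBLOCKS = {
    "iPowerWeb": ipaddress.ip_network("12.129.211.0/24"),
    "TDS TELECOM": ipaddress.ip_network("208.170.64.0/19"),
}
EXPECTED_OWNER = "iPowerWeb"  # the site's hosting provider per the thread

# Constructed sample. The thread says which page each vantage point saw,
# not which A record it received; the mapping below is assumed from that.
OBSERVATIONS = {
    "Rottz's lookup": "12.129.211.141",
    "VPN resolver": "12.129.211.141",
    "Wide Open West": "208.170.71.73",
    "Earthlink": "208.170.71.73",
}

def owner_of(ip):
    """Return the name of the known netblock containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for owner, net in KNOWN_NETBLOCKS.items():
        if addr in net:
            return owner
    return "unknown"

def triage(observations, expected_owner=EXPECTED_OWNER):
    """Group vantage points by answer and flag answers outside the host's block."""
    by_answer = defaultdict(list)
    for vantage, ip in observations.items():
        by_answer[ip].append(vantage)
    consistent, suspect = [], {}
    for ip, vantages in by_answer.items():
        owner = owner_of(ip)
        if owner == expected_owner:
            consistent.extend(vantages)
        else:
            suspect[ip] = {"owner": owner, "seen_from": sorted(vantages)}
    if suspect and consistent:
        verdict = "split"         # only some resolvers diverge: stale or poisoned cache
    elif suspect:
        verdict = "all_off_host"  # every view is off-host: check the zone and registrar
    else:
        verdict = "consistent"
    return {"verdict": verdict, "consistent": sorted(consistent), "suspect": suspect}

if __name__ == "__main__":
    print(triage(OBSERVATIONS))
```

A "split" verdict means the browser is reaching a different server depending on the resolver used, which is a name-resolution discrepancy rather than content injected into the real site; the `owner` field shows whose abuse contact applies.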
All times are GMT + 2 Hours