Hijacked Web Site?

Networking/Security Forums -> General Security Discussion

Author: tonybradley | Location: Michigan | Posted: Thu Jun 19, 2003 4:33 pm | Post subject: Hijacked Web Site?
    ----
My wife is doing some graphics and development for a site called v-staffing.com.

When you visit the site currently the following message pops up allegedly as if it is from the web host:

Quote:

www.v-staffing.com is temporarily off line due to a misconfigured DNS, please check again in a little bit.


If you are the webmaster for www.v-staffing.com, please send an email to me with information on how to contact you so that I can redirect web traffic to your site for the duration of this condition. I need to know your web site's actual IP address because the one in your DNS record is wrong. If you send it with your initial request, I can implement it faster. Also, let me know if you want me to bounce email to your domain or collect it and save it for you. Please be patient, over 135 affected domains have been identified so far. The process is tedious for me.

Since you are here, feel free to surf the cooking database or play with the Six Degrees of Kevin Bacon (or any other actor).


The title of the web page lists the IP address 208.170.71.73, and the email address that the message links to is webmaster@heigel.net.

According to a WhoIs lookup, the DNS servers are listed as:

Quote:

Domain Name Servers:
NS1.IPOWERWEB.NET
NS1.IPOWERDNS.COM
NS2.IPOWERWEB.NET



These servers translate to the following addresses according to Ping results:

ns1.ipowerweb.net = 64.70.61.130
ns1.ipowerdns.com = 12.129.206.202
ns2.ipowerweb.net = 12.129.206.200

So, is anyone familiar with the IP 208.170.71.173 or the email address webmaster@heigel.net? Are these associated with any known attackers?

Does this seem like a cross-site scripting issue?

Author: Rottz | Location: East Coast, USA | Posted: Thu Jun 19, 2003 4:45 pm
    ----
www.v-staffing.com has address 12.129.211.141

I'm getting the "Coming Soon" message too.

Looks like it just took a bit for DNS rootservers to catch up.

CustName: iPowerWeb
NetRange: 12.129.211.0 - 12.129.211.255
CIDR: 12.129.211.0/24

Author: tonybradley | Location: Michigan | Posted: Thu Jun 19, 2003 5:23 pm
    ----
Possibly DNS Cache Poisoning?

I still see the other message, and it doesn't seem like it could be legit at all. The owners of the server also host the web site and own the DNS servers that the domain points to. If they had a problem with their DNS records they would just fix it, not set some message to try and get the domain owner to contact them.

Besides that, if I wanted to contact the domain owner I would just pull up the WhoIs info and contact them; it takes 3 seconds.

Using a different computer connected through VPN to different DNS servers I see the v-staffing.org coming soon - 2003 message that you guys are referring to.

But from my computer connected to Wide Open West I still get the mystery message, and from the domain owner's computer using Earthlink she is seeing the mystery message as well.

Who would you recommend reporting something like this to?
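The observation in this thread, that one resolver hands back the hosting company's address while another hands back a different one, is exactly the kind of split a defender wants to measure rather than eyeball. The script below is an added example, not code from the forum or from any of the parties mentioned. It builds a plain A/IN query with only the standard library, sends it to each configured server directly over UDP, parses the answer section (including compression pointers), and reports which servers disagree with the authoritative answer. The server list and hostname in the `__main__` block are assumptions for illustration, and `build_response` only fabricates a reply so the parser can be exercised offline.

```python
"""Compare A-record answers for one hostname across several DNS servers.

Added example (not from the forum thread). Stdlib only: hand-built DNS
query packets over UDP. Servers and hostname below are assumptions.
"""
import random
import socket
import struct


def encode_name(name):
    """Encode 'www.example.com' into DNS label format."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid):
    """Standard recursion-desired A/IN query, QDCOUNT=1."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", 1, 1)


def build_response(name, ips, qid, ttl=300):
    """Constructed reply used only for the offline self-check (not real traffic)."""
    header = struct.pack("!6H", qid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!2H", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answers += b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, expected_qid):
    """Return the IPv4 strings in the answer section, or raise on a bad reply."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!2HIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return ips


def query_a(name, server, timeout=3.0):
    """Send one A query straight to `server` (bypassing the local resolver)."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_a_records(data, qid)


def compare_answers(answers, authoritative):
    """answers: {server: iterable of IPs}. Return servers whose set differs."""
    ref = set(authoritative)
    return {srv: sorted(ips) for srv, ips in answers.items() if set(ips) != ref}


if __name__ == "__main__":
    # Offline demonstration with constructed replies (no network traffic).
    host = "www.v-staffing.com"
    good = parse_a_records(build_response(host, ["12.129.211.141"], 1), 1)
    odd = parse_a_records(build_response(host, ["208.170.71.73"], 2), 2)
    print(compare_answers({"isp-resolver": good, "other-resolver": odd}, good))
    # Live use (assumed server list): compare each recursive resolver you care
    # about against the domain's own authoritative server, e.g.
    #   auth = query_a(host, "64.70.61.130")
    #   compare_answers({s: query_a(host, s) for s in ["8.8.8.8"]}, auth)
```

Querying the authoritative server directly and comparing with each recursive resolver is the check that separates "the zone really changed" from "some cache in the middle is serving something else"; a resolver that disagrees with the authoritative answer is the one to report to its operator, along with the transaction details.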

Author: bsdjunkie | Posted: Thu Jun 19, 2003 5:33 pm
    ----
OrgName: TDS TELECOM
OrgID: TDST
Address: 301 S. Westfield Rd.
City: Madison
StateProv: WI
PostalCode: 53717
Country: US

NetRange: 208.170.64.0 - 208.170.95.255
CIDR: 208.170.64.0/19
NetName: CW-208-170-64
NetHandle: NET-208-170-64-0-1
Parent: NET-208-128-0-0-1
NetType: Reallocated
Comment:
RegDate: 1998-09-02
Updated: 2003-03-19

TechHandle: ASI5-ARIN
TechName: Sielaff, Alex
TechPhone: +1-608-664-4056
TechEmail: alexander.sielaff@tdstelecom.com

OrgAbuseHandle: ABUSE163-ARIN
OrgAbuseName: abuse
OrgAbusePhone: +1-800-358-3648
OrgAbuseEmail: abuse@tds.net

OrgTechHandle: ASI5-ARIN
OrgTechName: Sielaff, Alex
OrgTechPhone: +1-608-664-4056
OrgTechEmail: alexander.sielaff@tdstelecom.com

OrgTechHandle: KR181-ARIN
OrgTechName: Roberts, Kevin
OrgTechPhone: +1-608-664-4690
OrgTechEmail: kevin.roberts@tdstelecom.com

OrgTechHandle: DDD3-ARIN
OrgTechName: DAULO, DALE D
OrgTechPhone: +1-800-664-4538
OrgTechEmail: dale.daulo@tdstelecom.com

# ARIN WHOIS database, last updated 2003-06-18 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

Author: Rottz | Location: East Coast, USA | Posted: Thu Jun 19, 2003 5:39 pm
    ----
tonybradley wrote:
Who would you recommend reporting something like this to?

I'd recommend contacting the owners of the IP space...
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-208-170-64-0-1
OrgName: TDS TELECOM
OrgID: TDST
NetRange: 208.170.64.0 - 208.170.95.255
CIDR: 208.170.64.0/19
OrgAbusePhone: +1-800-358-3648
OrgAbuseEmail: abuse@tds.net
OrgTechPhone: +1-608-664-4056
OrgTechEmail: alexander.sielaff@tdstelecom.com

and maybe CC the real owners
estraiton@snet.net (your wife?)

http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-12-129-211-0-1
TechName: AT&T Enhanced Network Services
TechPhone: +1-858-812-5000
TechEmail: notify@attens.com
OrgTechName: Network Provisioning
OrgTechPhone: +1-800-876-2373
OrgTechEmail: iptool@attens.com


