Security Incidents mailing list archives

bigred.com


From: Ray Beaulieu <ray () tiburonnet com>
Date: Tue, 26 Jun 2001 09:02:44 -0400



        On two occasions, I've been approached by my executive team
complaining that whenever they enter an invalid URL, they are forwarded to
www.bigred.com.  Sure enough, when I intentionally ping an invalid address,
i.e. www.skdjfiwjefoisje.com, I get replies from 64.78.44.127. Plugging this
address into a browser redirects me to the bigred search engine with the
following: http://www.bigred.com/index.php?ref=roberts .  The HTML source on
the redirecting page is as follows:

<HTML><HEAD><TITLE>Error 404</TITLE></HEAD>
<FRAMESET FRAMEBORDER=0 FRAMESPACING=0 BORDER=0 ROWS="20,*">
<FRAME SRC="http://startpage.ms/error.php" NAME="AdBaer" MARGINWIDTH="4"
MARGINHEIGHT="2" scrolling=no noresize BORDERCOLOR="#FFFFFF">
<FRAME SRC="http://www.bigred.com/index.php3?ref=fourofor" NAME="OtherF"
MARGINWIDTH=0 MARGINHEIGHT=0 scrolling=yes noresize BORDERCOLOR="#FFFFFF">
<NOFRAMES><BODY><a
href="http://www.bigred.com/index.php3?ref=fourofor">Click
Here</a></BODY></NOFRAMES></FRAMESET></HTML>

If I enter http://startpage.ms (from the 3rd line in the code), I also get
forwarded to bigred.com.  I can easily fix this by flushing the cache on my
DNS servers (which are MS Win2k SP1). It goes away for a week or so.

Here's the whois on startpage.ms

# startpage.ms is registered
Domain Name:               startpage.ms

Object ID:                 star1016u
Registered:                2001-03-13
Expires:                   (undefined)
Timestamp:                 20010411190029

Registrant, Admin. Contact
  Matthew Roberts
  PO Box 1198, Voorhees, NJ 08043
  United States
  E-mail:                  roberts () startpage ms
  Phone:                   (856) 804-3207
  Object ID:               matth987q

Technical Contact, Billing Contact
  Register.com, Inc.
  575 8th Avenue, 11th Floor, New York, NY, 10018
  United States
  E-mail:                  apark () register com
  Phone:                   212.594.9880
  Fax:                     212.594.9448
  Object ID:               xyz2824.ms

Resource Records (2):
                           ns     ns1.zoneedit.com         
                           ns     ns5.zoneedit.com  


Has anyone else seen this, and how the heck is he getting into my DNS cache
so that invalid domain names forward to that address? The only service
allowed to/from the DNS servers through my firewall is UDP 53.

-Ray



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

