Security Incidents mailing list archives

RE: bigred.com


From: "John R. Morris" <jrmorris () lycurgus nerdality com>
Date: Tue, 26 Jun 2001 18:10:23 -0700

I don't know how it would "work" its way into your cache, but my hosting
provider does a similar thing. Verizon redirects all unresolvable names to
virtual page xxx.2ndpower.com, or 63.66.136.100... Now, if you are running a
purely caching server, every time it gets a new host resolution request (a
URL it's never seen before) it passes it up to the primary nameserver (which
may, or may not, depending on its cache, pass it up the chain, possibly all
the way to a root nameserver for .com, or whatever...), and this is where
the unresolvable names get mapped to www.bigred.com, or whatever... This, of
course, gets passed down to you, and becomes a mongolian cluster
you-know-what. Some ISPs do this to make extra money off of DNS errors /
non-existent domains, others simply to provide some extra niceness, rather
than an error page; remember that most home Internet users aren't system
admins, or even technical, so error pages may cause them to forget to
breathe, or something. Either way, your service provider (or whoever
provides your DNS resolution) has decided to do this.

Solution: find another place to do your DNS resolution, and if startpage.ms
is your homepage/webpage, get your ISP (DNS host, Zone Edit, whatever) to
resolve it to your webserver, else they will happily send people to
www.bigred.com with your domain name. I'm not sure if .ms is a valid TLD
(yet, ever?), but I've heard enough about them adding new ones, plus
companies setting up pseudo-TLDs and playing finance/marketing games with
"concept" TLDs, that I will not even venture to guess... Regardless, that's
the solution I went with. For me, I'd noticed it, but it wasn't really a
problem until I'd set up a Samba server, was doing performance tuning, and
noticed browse delays, which were caused because silly Win2k tried to
resolve DNS first for machine names, failed after timeout/complete DNS
lookup to . servers, was redirected to 63.66.136.100, which it then tried to
connect to and THEN tried netbios/bcast/etc. So I changed that
configuration, and ditched the broken DNS at the same time... Now I'm happy
again.

-----Original Message-----
From: Ray Beaulieu [mailto:ray () tiburonnet com]
Sent: Tuesday, June 26, 2001 6:03 AM
To: 'INCIDENTS () SECURITYFOCUS COM'
Subject: bigred.com




        On two occasions, I've been approached by my executive team
complaining that whenever they enter an invalid URL, they are forwarded to
www.bigred.com.  Sure enough, when I intentionally ping an invalid address,
i.e. www.skdjfiwjefoisje.com, I get replies from 64.78.44.127. Plugging this
address into a browser redirects me to the bigred search engine with the
following: http://www.bigred.com/index.php?ref=roberts .  The HTML source on
the redirecting page is as follows:

<HTML><HEAD><TITLE>Error 404</TITLE></HEAD>
<FRAMESET FRAMEBORDER=0 FRAMESPACING=0 BORDER=0 ROWS="20,*">
<FRAME SRC="http://startpage.ms/error.php" NAME="AdBaer" MARGINWIDTH="4"
MARGINHEIGHT="2" scrolling=no noresize BORDERCOLOR="#FFFFFF">
<FRAME SRC="http://www.bigred.com/index.php3?ref=fourofor" NAME="OtherF"
MARGINWIDTH=0 MARGINHEIGHT=0 scrolling=yes noresize BORDERCOLOR="#FFFFFF">
<NOFRAMES><BODY><a
href="http://www.bigred.com/index.php3?ref=fourofor">Click
Here</a></BODY></NOFRAMES></FRAMESET></HTML>

If I enter http://startpage.ms (from the 3rd line in the code), I also get
forwarded to bigred.com.  I can easily fix this by flushing the cache on my
DNS servers (which are MS Win2k SP1). It goes away for a week or so.

Here's the whois on startpage.ms

# startpage.ms is registered
Domain Name:               startpage.ms

Object ID:                 star1016u
Registered:                2001-03-13
Expires:                   (undefined)
Timestamp:                 20010411190029

Registrant, Admin. Contact
  Matthew Roberts
  PO Box 1198, Voorhees, NJ 08043
  United States
  E-mail:                  roberts () startpage ms
  Phone:                   (856) 804-3207
  Object ID:               matth987q

Technical Contact, Billing Contact
  Register.com, Inc.
  575 8th Avenue, 11th Floor, New York, NY, 10018
  United States
  E-mail:                  apark () register com
  Phone:                   212.594.9880
  Fax:                     212.594.9448
  Object ID:               xyz2824.ms

Resource Records (2):
                           ns     ns1.zoneedit.com
                           ns     ns5.zoneedit.com


Has anyone else seen this, and how the heck is he getting into my DNS cache
so that invalid domain names forward to that address? The only service
allowed to/from the DNS servers through my firewall is UDP 53.

-Ray
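Both messages above come down to one observable: a resolver asked for a name that cannot exist should answer NXDOMAIN, and what the thread describes is a resolver (or something upstream of it) answering NOERROR with an A record instead, so the client connects to 64.78.44.127 or 63.66.136.100 and lands on the redirect page. The following Python is an added example, not code from either poster: it builds a DNS query for a random label under .com, parses a raw response per RFC 1035, and flags NOERROR-plus-A-record as redirection. The two sample responses are constructed inline so the check runs offline; `live_check` sends the same probe over UDP 53 to a resolver address you supply.

```python
"""Added example (not from either poster): detect a resolver that rewrites
failed lookups into an A record, the behaviour described in this thread.
Query/response layout follows RFC 1035; sample responses are constructed
below so the check runs offline.  63.66.136.100 is the address quoted above."""
import secrets
import socket
import struct
from typing import Optional


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def random_probe_name(tld: str = "com") -> str:
    """A 16-hex-char label no registrar has sold: the honest answer is NXDOMAIN."""
    return f"{secrets.token_hex(8)}.{tld}"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def classify_response(resp: bytes) -> dict:
    """Parse the header and answer section; flag NOERROR+A for an impossible name."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):                     # skip question entries
        off = _skip_name(resp, off) + 4          # + QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    rcode_name = {0: "NOERROR", 3: "NXDOMAIN"}.get(rcode, f"RCODE{rcode}")
    return {"rcode": rcode_name, "answers": addrs, "redirected": rcode == 0 and bool(addrs)}


def _constructed_response(query: bytes, rcode: int, a_record: Optional[str]) -> bytes:
    """Constructed test data: echoes the question, optionally adds one A answer."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if a_record else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)  # QR=1 RD=1 RA=1
    body = header + query[12:]                   # same question section as the query
    if a_record:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL 300, RDLENGTH 4
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a_record)
    return body


PROBE = random_probe_name()
QUERY = build_query(PROBE)
HONEST_REPLY = _constructed_response(QUERY, 3, None)                  # NXDOMAIN, as it should be
REDIRECTING_REPLY = _constructed_response(QUERY, 0, "63.66.136.100")  # what the thread saw


def live_check(resolver_ip: str, timeout: float = 3.0) -> dict:
    """Send the probe to a real resolver over UDP 53 (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(QUERY, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(data)


if __name__ == "__main__":
    print("probe:", PROBE)
    print("honest resolver     :", classify_response(HONEST_REPLY))
    print("redirecting resolver:", classify_response(REDIRECTING_REPLY))
```

Running `live_check` against each resolver in the chain (the local caching server, then the ISP's upstream) shows which hop first turns NXDOMAIN into an address; a fresh random label defeats the cache, which is why flushing the Windows DNS cache only helps until the next lookup that falls through to the upstream.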



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com


