
dot ORG redirects

Status
Not open for further replies.

seanogee

MIS
May 23, 2004
2
US
Hello,
A couple of weeks ago, on Thursday afternoon, ALL the dot ORG sites we tried to access from inside our network brought up the same screen. It was a blank screen with "Welcome to <site name>, Under construction". Below was a graphic (actually two jpg files, up.jpg and down.jpg) with Arabic on the right and English on the left, along with a graphic of a stack of marbles. At the bottom it said Kuwaitnet.net. We were able to access these ORG sites from our DMZ with no problem, but not from within the network. However, when we googled these sites, they came up on Google showing the text "under construction" and Welcome to, etc. On Friday, at 9:30 am, it stopped and went back to normal. A coworker thought the DMZ computer was unaffected because of a DNS update delay, but that this exploit was definitely outside. They also appeared in Google's cache. However, I can find no one who experienced this outside of our network. Did any of you see this? If it was only an exploit against us, how did it appear on Google and in their cache?

seanogee
 
It may be that the Google page you saw was a page not created by Google's servers. If all ".org" sites were redirected, it would be trivial to redirect google.com to another server, too.

Who manages the DN servers you use, you or your ISP?


It might also have been something internal. I suppose that the right kind of ARP cache poisoning could have accomplished what you saw.



Want the best answers? Ask the best questions!

TANSTAAFL!!
 
We are our own ISP, so there couldn't have been an exploit against an outside server, as far as I can see, to have done this. With the media constantly poised to leap on anything with the internet as the end of the world, I think this would have made CNN at the least. I think it was inside. My colleagues disagree. With a penetration and compromise of our security, it would have been simple to go to our ISA, through which ALL outside traffic channels, and redirect ORG URL requests to this script. I could do it in 5 minutes standing at the Proxy. But then how did they get the Google searches to bring up the same thing? It baffles me.

seanogee
 
I agree. If the entire dot-org TLD had gone down, even for a few minutes, it would have made international headlines.

But again, everything you saw could have been accomplished with something like the correct ARP-cache poisoning in your network's switches.

Or someone could have been screwing around with your DN servers.



Want the best answers? Ask the best questions!

TANSTAAFL!!
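
A triage check for the situation discussed in this thread, added here as an example and not posted by either participant: it compares the A records the inside network received with those seen from the DMZ and reports whether the .org names collapsed onto one address. The function name, threshold, host names and addresses are all constructed for illustration (documentation address ranges, example.org names).

```python
from collections import Counter

def compare_vantage(internal, reference, tld=".org", collapse_ratio=0.8):
    """Compare A records seen from inside the network with a reference
    vantage point (here: the DMZ host that was unaffected).

    internal / reference: dict of hostname -> set of IPv4 strings.
    Returns (verdict, address):
      dns-collapsed         most names in the TLD resolve inside to one
                            address the reference never returned
      dns-partial-mismatch  some names differ, no common address
                            (can be normal for load-balanced sites)
      dns-consistent        answers agree; if pages are still wrong, the
                            substitution happens after name resolution
                            (proxy or layer 2, as suggested in the thread)
    """
    names = sorted(n for n in internal if n.endswith(tld) and n in reference)
    if not names:
        return ("no-data", None)
    # A name is suspicious only when the two answer sets share nothing.
    mismatched = [n for n in names if internal[n].isdisjoint(reference[n])]
    if not mismatched:
        return ("dns-consistent", None)
    counts = Counter(ip for n in mismatched for ip in internal[n])
    top_ip, hits = counts.most_common(1)[0]
    if hits / len(names) >= collapse_ratio:
        return ("dns-collapsed", top_ip)
    return ("dns-partial-mismatch", None)

# Constructed sample answers, not data from the incident.
DMZ = {
    "one.example.org": {"192.0.2.10"},
    "two.example.org": {"192.0.2.20"},
    "three.example.org": {"198.51.100.30"},
    "www.example.com": {"198.51.100.40"},
}
INSIDE_REDIRECTED = {
    "one.example.org": {"203.0.113.5"},
    "two.example.org": {"203.0.113.5"},
    "three.example.org": {"203.0.113.5"},
    "www.example.com": {"198.51.100.40"},
}

if __name__ == "__main__":
    print(compare_vantage(INSIDE_REDIRECTED, DMZ))  # resolver path suspect
    print(compare_vantage(dict(DMZ), DMZ))          # look at proxy / layer 2
```

Running the same comparison with `tld=".com"` serves as a control: if only .org collapses, the change is specific to that TLD on the inside resolver path.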
 