Linksys BEFSX41 Homepage Spoofed?

Foada

Programmer
Feb 4, 2002
1,110
US
I don't know if I can explain this well enough, but here goes. I have 3 computers on my network. I am using a Linksys BEFSX41 firewall/router with firmware version 1.50.18 at the present time. I have tried every version of firmware that I could get my hands on. The machine in question is a dual boot Win2k/XP Pro with both OSes up to date. I changed the router's IP address and the admin password so as not to use the default. It is set as a DHCP server. Everything works fine as long as I don't connect to my ISP on the WAN side. Here is the problem. If I just use the LAN side of the router, the machine in question can open the router's home page. After I connect the WAN, the machine in question appears to be redirected to a spoofed router homepage. The giveaway for this is the time zone, which becomes Kwajalein, and the ISP connection type settings have been changed. If I use one of the other machines to access the router homepage, my settings are still intact. It is almost as if something is monitoring my ISP for that machine's MAC address, and when it sees the connection, redirects to a different page. The machine surfs the web fine, but I am worried that all my traffic is going through a monitored server. Any thoughts? Any questions?

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
I am sorry, I thought you were under the impression that I was running a trial version. I will download and run the latest version and see what happens.

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
Problem solved [rofl2]. aquias, you were correct; it was a ZA setting for privacy. ZA added the router's IP address (192.168.1.1) to the list of sites automatically. I had to customize the settings by removing all the blocks for that address. I also needed to add the base IP address (192.168.1.0) to the list of sites and remove all its blocks as well. The router's homepage then displayed properly and I was able to configure and navigate it. I ran out of time before I could tweak it to determine exactly which block was the problem, but I plan on doing that eventually. As to why ZA spoofed the page ?!? It would have been a lot easier to determine the problem if it had just blocked the router's page altogether. Thank you both for your suggestions. [spin]

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
Yay! I'm happy to hear you're up and running, and I agree, I don't understand why ZA would display anything instead of giving you a denial or "Page cannot be loaded".
 
Maybe it's possible you had a cached copy of the page. But regardless, glad you figured it out!

Computer/Network Technician
CCNA
 
LloydSev, I thought that too but I cleaned the cache and the page gets recreated. I would also think the cached copy would be identical to what I had the router set at and not have changed settings. The whole thing is just strange. [bugeyed]

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
Strange indeed... glad you figured it out!

Computer/Network Technician
CCNA
 
There is a bit of DNS cache poisoning going around. I thought I had seen that ZA was one of the products vulnerable to that, but I do know for a fact that Symantec's products were found to be vulnerable back in July and attackers have been exploiting that recently. Make sure ZA is up-to-date.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Zone Alarm isn't a DNS server. Also, 192.168.0.0 is not a publicly routable network.

And what are the chances that the page it redirected him to would be one showing the config window from the router he owns...

Computer/Network Technician
CCNA
 
I didn't say it was a DNS server. ;)

And I could keep going if you want me to. DNS cache poisoning doesn't affect just DNS servers. Now, let's assume for a minute that ZA was vulnerable (I still seem to recall seeing somewhere it was, several months ago); it would be very easy to do something like this.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
At any rate, the user seems to be fixed.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
And you are still of the impression that the cache poisoning happened to just point to another page that looked identical to his router's config page?

Regardless, I do not think Zone Alarm had a direct DNS poisoning problem, as it would have produced hits via Google if it had.

Computer/Network Technician
CCNA