bigred.com

From: Ray Beaulieu (rayat_private)
Date: Tue Jun 26 2001 - 06:02:44 PDT


    	On two occasions, I've been approached by my executive team
    complaining that whenever they enter an invalid URL, they are forwarded to
    www.bigred.com.  Sure enough, when I intentionally ping an invalid address,
    e.g. www.skdjfiwjefoisje.com, I get replies from 64.78.44.127. Plugging this
    address into a browser redirects me to the bigred search engine with the
    following URL: http://www.bigred.com/index.php?ref=roberts .  The HTML source on
    the redirecting page is as follows:
    
    <HTML><HEAD><TITLE>Error 404</TITLE></HEAD>
    <FRAMESET FRAMEBORDER=0 FRAMESPACING=0 BORDER=0 ROWS="20,*">
    <FRAME SRC="http://startpage.ms/error.php" NAME="AdBaer" MARGINWIDTH="4"
    MARGINHEIGHT="2" scrolling=no noresize BORDERCOLOR="#FFFFFF">
    <FRAME SRC="http://www.bigred.com/index.php3?ref=fourofor" NAME="OtherF"
    MARGINWIDTH=0 MARGINHEIGHT=0 scrolling=yes noresize BORDERCOLOR="#FFFFFF">
    <NOFRAMES><BODY><a
    href="http://www.bigred.com/index.php3?ref=fourofor">Click
    Here</a></BODY></NOFRAMES></FRAMESET></HTML>
    
    If I enter http://startpage.ms (from the 3rd line in the code), I also get
    forwarded to bigred.com.  I can easily fix this by flushing the cache on my
    DNS servers (which are MS Win2k SP1). It goes away for a week or so.
    
    Here's the whois on startpage.ms
    
    # startpage.ms is registered
    Domain Name:               startpage.ms
    
    Object ID:                 star1016u
    Registered:                2001-03-13
    Expires:                   (undefined)
    Timestamp:                 20010411190029
    
    Registrant, Admin. Contact
      Matthew Roberts
      PO Box 1198, Voorhees, NJ 08043
      United States
      E-mail:                  robertsat_private
      Phone:                   (856) 804-3207
      Object ID:               matth987q
    
    Technical Contact, Billing Contact
      Register.com, Inc.
      575 8th Avenue, 11th Floor, New York, NY, 10018
      United States
      E-mail:                  aparkat_private
      Phone:                   212.594.9880
      Fax:                     212.594.9448
      Object ID:               xyz2824.ms
    
    Resource Records (2):
                               ns     ns1.zoneedit.com         
                               ns     ns5.zoneedit.com  
    
    
    Has anyone else seen this, and how the heck is he getting into my DNS cache
    so that invalid domain names forward to that address? The only service
    allowed to/from the DNS servers through my firewall is UDP 53.
    
    -Ray
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
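A scripted version of the manual test Ray describes above (resolving a random, unregistered hostname and seeing whether it comes back with an address instead of NXDOMAIN), added here as an example; it is not part of the original post and not code from any of the sites or products named in it. It resolves several random hostnames and flags the case where every one of them answers with the same "sink" address, which is the signature of a polluted cache or a catch-all redirect. The `make_canned_resolver` helper and the 64.78.44.127 answer it returns are constructed so the check can be exercised offline; against a live DNS server you pass the default `system_resolve`, which uses the host's configured resolver.

```python
"""Probe a resolver for NXDOMAIN hijacking / cache pollution.

Constructed example. A clean resolver answers NXDOMAIN (no addresses) for
random, never-registered names; a polluted cache or catch-all redirect hands
back the same address for every probe.
"""
import secrets
import socket
import string
from collections import Counter


def random_hostname(label_len=16, tld="com"):
    """Return a hostname like www.<random label>.com that will not exist."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(secrets.choice(alphabet) for _ in range(label_len))
    return f"www.{label}.{tld}"


def system_resolve(name):
    """Resolve via the host's configured resolver; [] means NXDOMAIN / no answer."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def make_canned_resolver(ips):
    """Constructed stand-in resolver that answers every name with `ips`.

    Used here only to demonstrate the check offline; [] models a clean
    resolver, ["64.78.44.127"] models the behaviour reported in the post.
    """
    def resolve(name):
        return list(ips)
    return resolve


def check_nxdomain_hijack(resolve=system_resolve, probes=5, tld="com"):
    """Resolve `probes` random hostnames and report what came back.

    `resolve` is a callable name -> list of IPv4 strings (empty on NXDOMAIN).
    Returns a dict with the number probed, the number that resolved, whether
    anything resolved at all, and the 'sink' addresses that were returned for
    every single probe (the hijack signature).
    """
    answers = {}
    for _ in range(probes):
        name = random_hostname(tld=tld)
        answers[name] = resolve(name)

    resolved = {n: ips for n, ips in answers.items() if ips}
    counts = Counter(ip for ips in resolved.values() for ip in ips)
    # An address that appears in the answer for every probed name is a sink.
    sink_ips = sorted(ip for ip, hits in counts.items() if hits == len(answers))

    return {
        "probed": len(answers),
        "resolved": len(resolved),
        "hijacked": bool(resolved),
        "sink_ips": sink_ips,
        "answers": answers,
    }


if __name__ == "__main__":
    # Live run against whatever resolver this host is configured to use.
    report = check_nxdomain_hijack()
    for name, ips in report["answers"].items():
        print(f"{name:40s} -> {ips or 'NXDOMAIN'}")
    if report["hijacked"]:
        print(f"{report['resolved']}/{report['probed']} bogus names resolved; "
              f"sink address(es): {report['sink_ips'] or 'none common to all'}")
    else:
        print("all probes returned NXDOMAIN; no hijack seen")
```

Run it on a machine that uses the affected DNS servers, then again after flushing their cache and again a few days later; a clean resolver should report NXDOMAIN for every probe each time. The script only shows the symptom (random names resolving to one address) and says nothing about how the cache came to hold those records, which is the part of the question left open above.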
    



    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 14:28:38 PDT