news.bbc.co.uk dns poisoning?
#1
Scooby Regular
Thread Starter
Join Date: Jun 2000
Posts: 13,735
Hi all,
Weird one this - happening throughout the office.
news.bbc.co.uk is resolving to a skin of what appears to be Amazon.
If I check out, I get redirected to the amazon checkout process with associate-id=learnspanishlanguage-20 tacked onto the end of the URL.
bbc.co.uk is fine. The links to news.bbc.co.uk take you to the shopping site!
Anyone else getting this, or is it local to our company?
Cheers,
Nick.
#2
Originally Posted by chiark
Hi all,
Weird one this - happening throughout the office.
news.bbc.co.uk is resolving to a skin of what appears to be Amazon.
If I check out, I get redirected to the amazon checkout process with associate-id=learnspanishlanguage-20 tacked onto the end of the URL.
bbc.co.uk is fine. The links to news.bbc.co.uk take you to the shopping site!
Anyone else getting this, or is it local to our company?
Cheers,
Nick.
#4
Scooby Regular
Join Date: Jul 2002
Location: West Sussex
Posts: 271
Originally Posted by chiark
Very very weird.
Could you let me know what IP address news.bbc.co.uk resolves to?
(Sorry to be a pain - help is appreciated)
#5
Scooby Regular
Yep, same IP address resolved with our ISP - demon. Website works fine too.
Which ISP are you using Nick? Have you tried pointing to another name server?
Stefan
#7
Scooby Regular
Thread Starter
Join Date: Jun 2000
Posts: 13,735
This is our corporate connection. We run our own nameservers, and nslookup is firewalled within the company
so I'm pretty much blind.
news.bbc.co.uk resolves to
C:\WINNT>ping news.bbc.co.uk
Pinging newswww.bbc.net.uk [64.246.28.77] with 32 bytes of data:
Reply from 64.246.28.77: bytes=32 time=380ms TTL=42
Reply from 64.246.28.77: bytes=32 time=401ms TTL=42
Reply from 64.246.28.77: bytes=32 time=361ms TTL=42
Reply from 64.246.28.77: bytes=32 time=370ms TTL=42
Ping statistics for 64.246.28.77:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 361ms, Maximum = 401ms, Average = 378ms
Weird.
#8
Scooby Regular
Can you not just delete the cached entry from the nameservers and get them to perform another lookup?
Your name servers must be contacting one of the main ISP servers, so either the cached entry is bogus (can you check the entry?) or the forwarding server (correct terminology?) is returning a bogus address.
I'm sure the BBC will use some clustered boxes and virtual IP addressing to have some redundancy. Can you browse to the correct IP addresses?
Stefan
#9
Scooby Regular
U:\>tracert 64.246.28.77
Tracing route to 64.246.28.77 over a maximum of 30 hops
1 3 ms 3 ms 3 ms net-liv-bskyb [192.168.10.10]
2 4 ms 1 ms 1 ms demon-gw.xxxxxxxxxx.com [xxx.xxx.xxx.xxx]
3 8 ms 8 ms 32 ms xxxxx-bstdx-1.router.demon.net [194.159.xx.xx]
4 30 ms 23 ms 26 ms lon1-backbone-2.router.demon.net [194.159.7.17]
5 30 ms 18 ms 37 ms park-inside-2-g3-0-0-s275.router.demon.net [194.70.98.161]
6 27 ms 27 ms 27 ms ams3-border-1-a1-0-s2.router.demon.net [194.70.97.90]
7 83 ms 145 ms 28 ms core01.ams03.atlas.cogentco.com [195.69.144.124]
8 47 ms 35 ms 63 ms p5-0.core01.lon01.atlas.cogentco.com [130.117.1.58]
9 106 ms 106 ms 106 ms p6-0.core01.jfk01.atlas.cogentco.com [154.54.1.57]
10 129 ms 106 ms 105 ms p12-0.core01.jfk02.atlas.cogentco.com [66.28.4.10]
11 106 ms 105 ms 140 ms p4-0.core02.dca01.atlas.cogentco.com [66.28.4.81]
12 118 ms 118 ms 118 ms p14-0.core01.atl01.atlas.cogentco.com [66.28.4.161]
13 126 ms 127 ms 141 ms p14-0.core01.mco01.atlas.cogentco.com [66.28.4.153]
14 128 ms 146 ms 128 ms p14-0.core01.tpa01.atlas.cogentco.com [66.28.4.142]
15 145 ms 146 ms 145 ms p5-0.core01.iah01.atlas.cogentco.com [66.28.4.45]
16 134 ms 134 ms 147 ms everyonesinternet.demarc.cogentco.com [38.112.12.178]
17 135 ms 136 ms 134 ms ivhou-207-218-245-125.ev1.net [207.218.245.125]
18 140 ms 141 ms 135 ms 64.246.28.77
Trace complete.
U:\>
#10
Scooby Regular
Thread Starter
Join Date: Jun 2000
Posts: 13,735
Ozzy,
Viewing the DNS cache (ipconfig /displaydns) shows me this:
newswww.bbc.net.uk.
------------------------------------------------------
Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
216.127.92.178
Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
64.246.28.77
Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
207.44.236.158
Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
216.40.251.1
Flushing the DNS clears it all out (ipconfig /flushdns)
Nothing in there from ipconfig /displaydns
Pinging news.bbc.co.uk
Pinging newswww.bbc.net.uk [64.246.28.77] with 32 bytes of data:
Reply from 64.246.28.77: bytes=32 time=331ms TTL=42
Reply from 64.246.28.77: bytes=32 time=380ms TTL=42
Where the smeg is it picking this address up from??? out of desperation, I've checked my hosts file!
Weeeeird.
This is happening to colleagues in the same office and throughout the company.
I think I'm getting somewhere tho... My DNS entries in the DHCP config have been altered!
My first DNS resolver is 129.227.137.208 - that's someone on my local network.
Is there a virus around that knackers DNS????
Cheers,
Nick.
#12
Scooby Regular
Thread Starter
Join Date: Jun 2000
Posts: 13,735
I'm checking with our network people.
It happens in offices throughout the country.
The machine with the above IP address is our local domain controller, which is performing DNS caching duties. Something has poisoned its DNS, and we're trying to work out what!
Cheers,
Nick.
#13
Scooby Regular
Thread Starter
Join Date: Jun 2000
Posts: 13,735
It gets better. It really does.
The active directory server guys are blaming the DNS guys. The DNS guys are saying that it's the active directory server guys.
My take is that it's got to be AD guys: the DNS thinks all is hunky dory, and the AD server is what appears first in my DNS resolution list.
I think I'll hardcode the DNS and take it from there. ***** to 'em.
I'd love to know who "learnspanishlanguage-20" is, as they are behind this. (Yup, I've googled - no joy)
Cheers,
Nick.
#15
Scooby Regular
Thread Starter
Join Date: Jun 2000
Posts: 13,735
Stefan,
It's definitely the AD stuff. If I perform an NSlookup, it looks up against the 3rd thing in my DNS resolver list from DHCP, and gives me a valid IP address for news.bbc.co.uk . The first two are AD servers local to us.
It's as if the first AD server has been poisoned somehow. Truly weird.
Cheers,
Nick.
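The triage Nick does by hand in #10 and #15 (read the client's cached answers with ipconfig /displaydns, find which resolver the DHCP-supplied list puts first, then query a different resolver and see whether the answers agree) can be scripted. The block below is an added example written for this page, not code from the thread or from any of the posters. It works on pasted command output rather than live queries, so it runs offline: the ipconfig /displaydns and ipconfig /all samples are constructed in the shape Windows 2000/XP prints, with the four poisoned addresses from post #10; the client address 129.227.137.55, the second AD server 129.227.137.209 and the "master" company DNS at 192.0.2.53 are hypothetical, and the per-resolver answer sets are constructed (the correct address 212.58.226.40 is the one quoted in post #20). A resolver whose answer set has no address in common with the trusted resolver's is flagged as suspect; mere partial differences are ignored, because round-robin and load-balanced sites legitimately hand different subsets to different resolvers, so disjointness is a lead to chase, not proof of poisoning.

```python
"""Triage a suspected poisoned DNS cache from pasted Windows command output.
Added example: parses `ipconfig /displaydns` and `ipconfig /all` text and
compares each configured resolver's answer for a name with a trusted one."""
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample in the shape of `ipconfig /displaydns` (Windows 2000/XP).
# The four A records are the ones the poisoned cache in the thread handed out;
# one address sits on the line after its label, as in the pasted output.
SAMPLE_DISPLAYDNS = """
Record Name . . . . . : news.bbc.co.uk
Record Type . . . . . : 5
Section . . . . . . . : Answer
CNAME Record  . . . . : newswww.bbc.net.uk

Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live  . . . . : 24138
Section . . . . . . . : Answer
A (Host) Record . . . : 216.127.92.178

Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Section . . . . . . . : Answer
A (Host) Record . . . : 64.246.28.77

Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Section . . . . . . . : Answer
A (Host) Record . . . :
207.44.236.158

Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Section . . . . . . . : Answer
A (Host) Record . . . : 216.40.251.1
"""

# Constructed sample in the shape of `ipconfig /all`; .55, .209 and 192.0.2.53
# are hypothetical, .208 is the local AD server named in the thread.
SAMPLE_IPCONFIG_ALL = """
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 129.227.137.55
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 129.227.137.208
                                            129.227.137.209
                                            192.0.2.53
"""

# Constructed answers, as if `nslookup news.bbc.co.uk <server>` had been run
# against each resolver in turn. 212.58.226.40 is the address quoted in #20.
ANSWERS_BY_RESOLVER = {
    "129.227.137.208": {"216.127.92.178", "64.246.28.77", "207.44.236.158", "216.40.251.1"},
    "129.227.137.209": {"212.58.226.40"},
    "192.0.2.53": {"212.58.226.40"},
}


def parse_displaydns(text):
    """Return a list of (name, rtype, value) for A and CNAME records in the cache dump."""
    records, current, pending_a = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Record Name[ .]*: (\S+)", line)
        if m:
            current, pending_a = m.group(1).rstrip(".").lower(), False
            continue
        if current is None:
            continue
        if line.startswith("A (Host) Record"):
            value = line.split(":", 1)[1].strip()
            if value:
                records.append((current, "A", value))
            else:
                pending_a = True  # address was wrapped onto the next line
        elif line.startswith("CNAME Record"):
            records.append((current, "CNAME", line.split(":", 1)[1].strip().rstrip(".").lower()))
        elif pending_a and IPV4.fullmatch(line):
            records.append((current, "A", line))
            pending_a = False
    return records


def addresses_for(records, name, max_hops=4):
    """Follow CNAMEs in the cached records and return the set of A addresses."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        addrs = {v for n, t, v in records if n == name and t == "A"}
        if addrs:
            return addrs
        cnames = [v for n, t, v in records if n == name and t == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
    return set()


def parse_dns_servers(text):
    """Return the configured resolvers in the order the stub resolver tries them."""
    servers, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"DNS Servers[ .]*: (\S+)", line)
        if m:
            servers.append(m.group(1))
            in_list = True
        elif in_list and IPV4.fullmatch(line):
            servers.append(line)  # continuation line of the same list
        else:
            in_list = False
    return servers


def find_suspect_resolvers(answers, trusted):
    """Resolvers whose answer shares no address with the trusted resolver's answer."""
    reference = answers[trusted]
    return {r: sorted(ips) for r, ips in answers.items()
            if r != trusted and ips.isdisjoint(reference)}


def triage(displaydns_text, ipconfig_text, answers, trusted, name):
    """Combine the three checks into one report for the name under investigation."""
    resolvers = parse_dns_servers(ipconfig_text)
    cached = addresses_for(parse_displaydns(displaydns_text), name)
    suspects = find_suspect_resolvers(answers, trusted)
    return {
        "resolver_order": resolvers,
        "cached": sorted(cached),
        "cached_answers_match_trusted": not cached.isdisjoint(answers[trusted]),
        "suspect_resolvers": suspects,
        "first_resolver_suspect": bool(resolvers) and resolvers[0] in suspects,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_DISPLAYDNS, SAMPLE_IPCONFIG_ALL, ANSWERS_BY_RESOLVER,
                       "192.0.2.53", "news.bbc.co.uk").items():
        print(f"{k}: {v}")
```

On a real client you would paste the output of ipconfig /displaydns and ipconfig /all into the two sample strings and fill ANSWERS_BY_RESOLVER from nslookup run against each listed server. A first resolver that is flagged suspect while the cached answers also disagree with the trusted server is exactly the pattern in this thread, and it points at that server's cache rather than at the client or the hosts file.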
#17
Scooby Regular
Everything is stored in AD now - well it uses it to query other services WINS, DNS, etc.. AFAIK, you can't just point the DNS entries on a local PC (or via DHCP) to a server that's only running AD. The AD server would have to run a local DNS server service. Given that they are both inter-linked I find it very strange that the local copy of the DNS cache would report the correct address, yet any queries would return a bogus one.
Stefan
#18
Scooby Regular
Thread Starter
Join Date: Jun 2000
Posts: 13,735
Tell me about it.
All working well now - I've set my TCP/IP settings to use the "master" company DNS, and all works well. Everyone using the local AD for resolution is still seeing the problem.
Only last question is: who the **** is learnspanishlanguage-20!
Cheers,
Nick.
#19
Scooby Regular
If I google it, it returns this hit
http://download.alexa.com/index.cgi?...ishlanguage-20
Whatever that tells us.
#20
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Am I the only one who finds it strange that you can all ping outside addresses?
We block pings.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
P:\>ping news.bbc.co.uk
Pinging newswww.bbc.net.uk [212.58.226.40] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 212.58.226.40:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
P:\>
P:\>nslookup news.bbc.co.uk
Server: xxxxxxxxxx.xxxxxxx-xx.com
Address: 10.0.0.32
Non-authoritative answer:
Name: newswww.bbc.net.uk
Address: 212.58.226.40
Aliases: news.bbc.co.uk
P:\>
#21
Scooby Regular
I'd ask them if that local AD server is also hosting DNS. If so, the simplest solution is to clear its cache and get it to re-learn from the other internal DNS servers.
Stefan
#22
Am I the only one who finds it strange that you can all ping outside addresses?
We block pings.
#23
Scooby Regular
Thread Starter
Join Date: Jun 2000
Posts: 13,735
We block incoming pings. I can think of no valid reason whatsoever to block outgoing pings.
Stefan, cheers for the tip. I think we want to get to the bottom of exactly how this happened, and who the amazon associate is, as it really does appear like an exploit of some form or other.
Cheers,
nick.
#24
One of the recent worms/viruses created loads of ICMP traffic - we had to filter at multiple points to stop it killing firewalls and prevent it hitting the net. (Network service provider, so desktop AV etc. is not in our scope.)
Its a right PITA not being able to ping out.
Deano
#25
Scooby Regular
David,
All depends on your assessment of the risks to your own network. We block everything on the LAN, but I have rules configured to masquerade ICMP from my workstation to our Internet zone. We block ICMP on the firewall itself, so you can't ping our public IP address.
Obviously the best defence is to block absolutely everything, then just allow the minimum services.
Stefan