news.bbc.co.uk dns poisoning?

Old 04 June 2004, 09:59 AM
  #1  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735
Default news.bbc.co.uk dns poisoning?

Hi all,

Weird one this - happening throughout the office.

news.bbc.co.uk is resolving to a skin of what appears to be Amazon.
If I check out, I get redirected to the amazon checkout process with associate-id=learnspanishlanguage-20 tacked onto the end of the URL.

bbc.co.uk is fine. The links to news.bbc.co.uk take you to the shopping site!

Anyone else getting this, or is it local to our company?

Cheers,
Nick.
Old 04 June 2004, 10:21 AM
  #2  
Stueyb
Scooby Regular
 
Join Date: May 2002
Posts: 1,893

Originally Posted by chiark
Hi all,

Weird one this - happening throughout the office.

news.bbc.co.uk is resolving to a skin of what appears to be Amazon.
If I check out, I get redirected to the amazon checkout process with associate-id=learnspanishlanguage-20 tacked onto the end of the URL.

bbc.co.uk is fine. The links to news.bbc.co.uk take you to the shopping site!

Anyone else getting this, or is it local to our company?

Cheers,
Nick.
Tis fine here on our uunet dns and pipe
Old 04 June 2004, 10:22 AM
  #3  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735

Very very weird.

Could you let me know what IP address news.bbc.co.uk resolves to?

(Sorry to be a pain - help is appreciated)
Old 04 June 2004, 10:27 AM
  #4  
JV
Scooby Regular
 
Join Date: Jul 2002
Location: West Sussex
Posts: 271

Originally Posted by chiark
Very very weird.

Could you let me know what IP address news.bbc.co.uk resolves to?

(Sorry to be a pain - help is appreciated)
212.58.226.30 here, and it works fine...
Old 04 June 2004, 10:32 AM
  #5  
ozzy
Scooby Regular
 
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

Yep, same IP address resolved with our ISP - demon. Website works fine too.

Which ISP are you using Nick? Have you tried pointing to another name server?

Stefan
Old 04 June 2004, 10:35 AM
  #6  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573

My results:

C:\>ping news.bbc.co.uk

Pinging newswww.bbc.net.uk [212.58.226.40] with 32 bytes of data:

Reply from 212.58.226.40: bytes=32 time=16ms TTL=117
Old 04 June 2004, 10:36 AM
  #7  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735

This is our corporate connection. We run our own nameservers, and nslookup is firewalled within the company so I'm pretty much blind.

news.bbc.co.uk resolves to
C:\WINNT>ping news.bbc.co.uk

Pinging newswww.bbc.net.uk [64.246.28.77] with 32 bytes of data:

Reply from 64.246.28.77: bytes=32 time=380ms TTL=42
Reply from 64.246.28.77: bytes=32 time=401ms TTL=42
Reply from 64.246.28.77: bytes=32 time=361ms TTL=42
Reply from 64.246.28.77: bytes=32 time=370ms TTL=42

Ping statistics for 64.246.28.77:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 361ms, Maximum = 401ms, Average = 378ms

Weird.

Old 04 June 2004, 10:40 AM
  #8  
ozzy
Scooby Regular
 
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

Can you not just delete the cached entry from the nameservers and get them to perform another lookup?

Your name servers must be contacting one of the main ISP servers, so either the cached entry is bogus (can you check the entry) or the forwarding servers (correct terminology) are returning a bogus address.

I'm sure the BBC will use some clustered boxes and virtual IP addressing to have some redundancy. Can you browse to the correct IP addresses?

Stefan
Old 04 June 2004, 10:42 AM
  #9  
ozzy
Scooby Regular
 
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

U:\>tracert 64.246.28.77

Tracing route to 64.246.28.77 over a maximum of 30 hops

1 3 ms 3 ms 3 ms net-liv-bskyb [192.168.10.10]
2 4 ms 1 ms 1 ms demon-gw.xxxxxxxxxx.com [xxx.xxx.xxx.xxx]
3 8 ms 8 ms 32 ms xxxxx-bstdx-1.router.demon.net [194.159.xx.xx]
4 30 ms 23 ms 26 ms lon1-backbone-2.router.demon.net [194.159.7.17]
5 30 ms 18 ms 37 ms park-inside-2-g3-0-0-s275.router.demon.net [194.70.98.161]
6 27 ms 27 ms 27 ms ams3-border-1-a1-0-s2.router.demon.net [194.70.97.90]
7 83 ms 145 ms 28 ms core01.ams03.atlas.cogentco.com [195.69.144.124]
8 47 ms 35 ms 63 ms p5-0.core01.lon01.atlas.cogentco.com [130.117.1.58]
9 106 ms 106 ms 106 ms p6-0.core01.jfk01.atlas.cogentco.com [154.54.1.57]
10 129 ms 106 ms 105 ms p12-0.core01.jfk02.atlas.cogentco.com [66.28.4.10]
11 106 ms 105 ms 140 ms p4-0.core02.dca01.atlas.cogentco.com [66.28.4.81]
12 118 ms 118 ms 118 ms p14-0.core01.atl01.atlas.cogentco.com [66.28.4.161]
13 126 ms 127 ms 141 ms p14-0.core01.mco01.atlas.cogentco.com [66.28.4.153]
14 128 ms 146 ms 128 ms p14-0.core01.tpa01.atlas.cogentco.com [66.28.4.142]
15 145 ms 146 ms 145 ms p5-0.core01.iah01.atlas.cogentco.com [66.28.4.45]
16 134 ms 134 ms 147 ms everyonesinternet.demarc.cogentco.com [38.112.12.178]
17 135 ms 136 ms 134 ms ivhou-207-218-245-125.ev1.net [207.218.245.125]

18 140 ms 141 ms 135 ms 64.246.28.77

Trace complete.

U:\>
Old 04 June 2004, 10:47 AM
  #10  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735

Ozzy,

Viewing the DNS cache (ipconfig /displaydns) shows me this:
newswww.bbc.net.uk.
------------------------------------------------------
Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
216.127.92.178

Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
64.246.28.77

Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
207.44.236.158

Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
216.40.251.1


Flushing the DNS clears it all out (ipconfig /flushdns)
Nothing in there from ipconfig /displaydns

Pinging news.bbc.co.uk
Pinging newswww.bbc.net.uk [64.246.28.77] with 32 bytes of data:

Reply from 64.246.28.77: bytes=32 time=331ms TTL=42
Reply from 64.246.28.77: bytes=32 time=380ms TTL=42


Where the smeg is it picking this address up from??? Out of desperation, I've checked my hosts file!

Weeeeird.

This is happening to colleagues in the same office and throughout the company.

I think I'm getting somewhere tho... My DNS entries in the DHCP config have been altered!

My first DNS resolver is 129.227.137.208 - that's someone on my local network.


Is there a virus around that knackers DNS????

Cheers,
Nick.
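Added example, not from the thread: a small Python script that parses the kind of "ipconfig /displaydns" output Nick posted above and flags every cached A record whose address is not among a trusted resolver's answers for that name. The sample cache text and the TRUSTED table are constructed from the addresses quoted in this thread; on a real machine you would feed it the actual command output and take the trusted answers from the corporate "master" DNS or another resolver you know is good.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the cache dump Nick posted (trimmed to the fields used here).
SAMPLE_DISPLAYDNS = """\
Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
Data Length . . . . . : 4
A (Host) Record . . . :
64.246.28.77

Record Name . . . . . : newswww.bbc.net.uk
Record Type . . . . . : 1
Time To Live . . . . : 24138
A (Host) Record . . . : 216.40.251.1
"""
# Assumed known-good answers (the addresses other posters resolved); take them from a resolver you trust.
TRUSTED = {"newswww.bbc.net.uk": {"212.58.226.40", "212.58.226.30"}}
FIELD = re.compile(r"^(Record Name|Record Type|Time To Live|A \(Host\) Record)\s[.\s]*:\s*(.*)$")

def parse_displaydns(text):
    """Return {name: [(record_type, ttl, address), ...]} from ipconfig /displaydns output."""
    records, name, rtype, ttl = defaultdict(list), None, None, None
    want_address = False  # set when the address wrapped onto the following line
    for line in text.splitlines():
        line = line.strip()
        if want_address:  # this line is the address of the record just read
            records[name].append((rtype, ttl, line))
            want_address = False
            continue
        if not (m := FIELD.match(line)):
            continue  # Data Length, Section, separators: not needed here
        key, value = m.groups()
        if key == "Record Name":
            name = value.lower().rstrip(".")
        elif key == "Record Type":
            rtype = int(value)
        elif key == "Time To Live":
            ttl = int(value)
        elif value:  # A (Host) Record with the address on the same line
            records[name].append((rtype, ttl, value))
        else:  # A (Host) Record with the address on the next line
            want_address = True
    return dict(records)

def suspicious_entries(cache, trusted):
    """Cached A records whose address is not among the trusted answers for that name."""
    return [(name, ip, ttl) for name, recs in cache.items() if name in trusted
            for rtype, ttl, ip in recs if rtype == 1 and ip not in trusted[name]]
```

Run against the constructed sample, both cached addresses are reported as suspicious; a cache holding only 212.58.226.40 reports nothing.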
Old 04 June 2004, 10:50 AM
  #11  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573

Somebody messed with your DHCP scope then?
Old 04 June 2004, 10:53 AM
  #12  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735

I'm checking with our network people.

It happens in offices throughout the country.

The machine with the above IP address is our local domain controller, which is performing DNS caching duties. Something has poisoned its DNS, and we're trying to work out what!

Cheers,
Nick.
Old 04 June 2004, 11:13 AM
  #13  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735

It gets better. It really does.

The active directory server guys are blaming the DNS guys. The DNS guys are saying that it's the active directory server guys.

My take is that it's got to be AD guys: the DNS thinks all is hunky dory, and the AD server is what appears first in my DNS resolution list.

I think I'll hardcode the DNS and take it from there. ***** to 'em.

I'd love to know who "learnspanishlanguage-20" is, as they are behind this. (Yup, I've googled - no joy)

Cheers,
Nick.
Old 04 June 2004, 11:14 AM
  #14  
ozzy
Scooby Regular
 
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

Edited. Posted before your update.

Last edited by ozzy; 04 June 2004 at 11:16 AM.
Old 04 June 2004, 11:22 AM
  #15  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735

Stefan,

It's definitely the AD stuff. If I perform an NSlookup, it looks up against the 3rd thing in my DNS resolver list from DHCP, and gives me a valid IP address for news.bbc.co.uk . The first two are AD servers local to us.

It's as if the first AD server has been poisoned somehow. Truly weird.

Cheers,
Nick.
Old 04 June 2004, 11:31 AM
  #16  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573

I'm having a chuckle at reading the AD guys blaming DNS and vice versa
Old 04 June 2004, 11:33 AM
  #17  
ozzy
Scooby Regular
 
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

Everything is stored in AD now - well, it uses it to query other services: WINS, DNS, etc. AFAIK, you can't just point the DNS entries on a local PC (or via DHCP) to a server that's only running AD. The AD server would have to run a local DNS server service. Given that they are both inter-linked, I find it very strange that the local copy of the DNS cache would report the correct address, yet any queries would return a bogus one.

Stefan
Old 04 June 2004, 11:42 AM
  #18  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735

Tell me about it

All working well now - I've set my TCP/IP settings to use the "master" company DNS, and all works well. Everyone using the local AD for resolution is still seeing the problem.

Only last question is: who the **** is learnspanishlanguage-20!

Cheers,
Nick.
Old 04 June 2004, 11:44 AM
  #19  
ozzy
Scooby Regular
 
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

If I google it, it returns this hit

http://download.alexa.com/index.cgi?...ishlanguage-20

Whatever that tells us.
Old 04 June 2004, 11:45 AM
  #20  
David_Wallis
Scooby Regular
 
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239

Am I the only one that finds it strange that you can all ping outside addresses?

We block pings.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

P:\>ping news.bbc.co.uk

Pinging newswww.bbc.net.uk [212.58.226.40] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 212.58.226.40:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

P:\>

P:\>nslookup news.bbc.co.uk
Server: xxxxxxxxxx.xxxxxxx-xx.com
Address: 10.0.0.32

Non-authoritative answer:
Name: newswww.bbc.net.uk
Address: 212.58.226.40
Aliases: news.bbc.co.uk


P:\>
Old 04 June 2004, 11:46 AM
  #21  
ozzy
Scooby Regular
 
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

I'd ask them if that local AD server is also hosting DNS. If so, the simplest solution is to clear its cache and get it to re-learn from the other internal DNS servers.

Stefan
Old 04 June 2004, 12:13 PM
  #22  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573

Am I the only one that finds it strange that you can all ping outside addresses?

We block pings.
Support plenty of kit outside our LAN, so need to be able to ping here, there and everywhere.
Old 04 June 2004, 01:04 PM
  #23  
chiark
Scooby Regular
Thread Starter
 
Join Date: Jun 2000
Posts: 13,735

We block incoming pings. I can think of no valid reason whatsoever to block outgoing pings.

Stefan, cheers for the tip. I think we want to get to the bottom of exactly how this happened, and who the amazon associate is, as it really does appear like an exploit of some form or other.

Cheers,
nick.
Old 04 June 2004, 01:23 PM
  #24  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518

One of the recent worms/viruses created loads of ICMP traffic - we had to filter at multiple points to stop it killing firewalls and prevent it hitting the net. (Network Service provider, so desktop AV etc. not in our scope.)

It's a right PITA not being able to ping out.

Deano
Old 04 June 2004, 01:31 PM
  #25  
ozzy
Scooby Regular
 
Join Date: Nov 1999
Location: Scotland, UK
Posts: 10,504

David,

All depends on your assessment of the risks to your own network. We block everything on the LAN, but I have rules configured to masquerade ICMP from my workstation to our Internet zone. We block ICMP on the firewall itself, so you can't ping our public IP address.

Obviously the best defense is to block absolutely everything, then just allow the minimum services.

Stefan