DNS CACHE POISONING? - Our Portal is redirecting to our first competition


DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by ponchovaldes


Hello guys, we have a social network that is getting stronger, but we are having an issue.

The issue is that sometimes our page redirects to another portal; actually, the page it redirects to is our first competitor here in Latin America. I know they are causing that kind of mess, so we thought of this:

- We know that our DNS server is OK and hasn't been compromised.
- DNS cache poisoning?
- Malware?
- Some kind of virus that the (bad) guys made? (The other portal, the other social network.)

- Other solution? Sue them?

Help, guys. This thing is taking away a lot of users :(

Thanks in advance!

Cheers from México

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Stephen John Smoogen


On 22 Jan 2008 00:55:30 -0000,  <ponchovaldes@...> wrote:

> Hello guys, we have a social network that is getting stronger, but we are having an issue.
You have provided too little information for anyone to really help.
1) What is your website's architecture?
 A) What kind of OS on the servers?
 B) What kind of software on the servers?
 C) Is it hosted on dedicated hardware or on third-party software?
 D) Do you use some sort of third-party software to get to your page (e.g.
you rely on a company to send customers to your page)?
2) What do you mean by redirect? In small steps, explain how a user
normally gets to and sees your site and what happens when it doesn't
work.

That might be enough info for someone to start helping out (although
to really help, someone would need to know where the site is, etc.).


--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Stephen John Smoogen


On Jan 22, 2008 1:19 PM, Alfonso Valdes Carrales <ponchovaldes@...> wrote:

>
>
> 2008/1/22, Stephen John Smoogen <smooge@...>:
> > You have provided too little information for anyone to really help.
> > 1) What is your website's architecture?
> > A) What kind of OS on the servers
> > B) What kind of software on the servers
> > C) Is it hosted on dedicated hardware or on a third party software
> > D) Do you use some sort of 3rd party software to get to your page (eg
> > you rely on a company to send customers to your page.)
>
> One box virtualized with Xen running CentOS; the website (Apache), the DB
> (MySQL) and the mail server are Debian, also virtualized (dedicated
> hardware, with each service separated in its own virtual server but
> consolidated).
>
>  The DNS server is outside, on another dedicated server using BIND9; not
> using any kind of third-party software.
>
>
>
> > 2) What do you mean by redirect? In small steps, explain how a user
> > normally gets to and sees your site and what happens when it doesn't
> > work.
>
>
>  A user wants to access www.unibicate.com AND sometimes, maybe 10% of the
> time, if you type www.unibicate.com and hit ENTER, it redirects or goes to
> the page of sonico.com (this is another social network). Of course
> sonico.com is causing this mess.
>  If the page works fine, it just displays the page of unibicate and you just
> log in, as on a normal social network.
>

One thing I have learned is that in 99% of the cases the other company
is not the cause, or: "Do not blame the malice of your competitor when
there are 4 billion teenagers who think doing this sort of prank is
fun, interesting, cool, etc."

I can't get it to happen at this time from my area, so I really don't
know what is going on.


--
Stephen J Smoogen. -- CSIRT/Linux System Administrator

RE: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by AJ-26


Alfonso,

How are you certain they are being redirected by resources not in
your control? Are you certain the page being loaded is, in fact, your
competitor's page and not a phishing site? Have you been able to reproduce
this, or are users emailing with complaints? For the users that are
complaining of being redirected, are they experiencing any other issues with
their accounts? This may help narrow where the redirect is actually
occurring.

 
Regards,
 
 
A.J. Rembert
arembert@...
Ph. 607-722-3979     Fx. 607-722-7128
Samscreen, Inc. / PSSI
216 Broome Corporate Pkwy
Conklin, NY 13748


Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Graeme Fowler-3


On Tue, 2008-01-22 at 14:00 -0700, Stephen John Smoogen wrote:
> I can't get it to happen at this time from my area.. so I really don't
> know what is going on.

Nope, neither can I. Digging directly against the authoritative servers
for the domain gives consistent results every time, and querying a
variety of other resolvers I have client access to is the same.

Both authoritative servers report the same SOA serial number, as do the
other resolvers I can query.

Does this only happen when your users are logged in?

Graeme
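Graeme's cross-check (the same A answer from every authoritative server and from a set of resolvers, and matching SOA serials) is easy to script so it can be repeated from several vantage points and at the moments users report the problem. The following is an added example and not code from this thread or from any of its authors. It uses only the standard library so the exact DNS wire exchange is visible, which also means it works the same on a box where dig is not installed. The server addresses are placeholders from the RFC 5737 documentation ranges and must be replaced with the domain's real NS addresses and the resolvers your users actually use; the helper names (build_query, parse_answers, find_disagreement) are mine.

```python
"""Ask every authoritative server and several resolvers the same question and
report disagreement.  Added example for this thread, not its authors' code;
standard library only, so the wire format is visible.  The server addresses
below are placeholders (RFC 5737 documentation ranges), not real ones."""
import socket
import struct
from collections import Counter

TYPE_A, TYPE_SOA = 1, 6
AUTHORITATIVE = ["192.0.2.53", "198.51.100.53"]   # placeholder: the domain's NS addresses
RESOLVERS = ["203.0.113.1", "203.0.113.2"]        # placeholder: resolvers your users use


def build_query(name, qtype, txid=0x1234):
    """Header (RD set, one question) + QNAME in label form + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end if end is not None else off


def parse_answers(data):
    """Return (flags, sorted list of (rtype, value)) from a raw response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_SOA:                    # MNAME, RNAME, then SERIAL
            _, o = _read_name(data, off)
            _, o = _read_name(data, o)
            value = "serial=%d" % struct.unpack("!I", data[o:o + 4])[0]
        else:
            value = rdata.hex()
        answers.append((rtype, value))
        off += rdlen
    return flags, sorted(answers)


def query(server, name, qtype, timeout=3.0):
    """Send one UDP query and parse the reply (live use; not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_answers(data)


def find_disagreement(results):
    """results: {server: answers}. Servers whose answer differs from the majority."""
    majority = Counter(tuple(a) for a in results.values()).most_common(1)[0][0]
    return sorted(s for s, a in results.items() if tuple(a) != majority)


if __name__ == "__main__":
    for qtype, name in ((TYPE_A, "www.unibicate.com"), (TYPE_SOA, "unibicate.com")):
        results = {}
        for server in AUTHORITATIVE + RESOLVERS:
            try:
                results[server] = query(server, name, qtype)[1]
            except OSError as e:
                results[server] = [("error", str(e))]
        print(name, qtype, results, "disagree:", find_disagreement(results))
```

A resolver that shows up in find_disagreement while the authoritative servers agree with each other is the poisoned (or stale) cache; if the authoritative servers disagree with each other, the zone transfer or the zone files are the problem. Run it from the networks where users complain, not only from the hosting side, since a poisoned cache is by definition local to whoever uses it.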


Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Jeff Plewes


We have a similar problem on one of our co-location servers:

- CentOS 5 i386
- Apache 2.2.3-11.el5.centos (2.2.6 backport)
- PHP 5.2.5 (compiled from source)

The issue appears at random. When it is present, a request to the
web server will respond with a redirect to a spyware or malware
download site. This will continue to redirect 10% of the traffic to
the box until httpd is restarted. The redirection script is not found
in any file on the server filesystem and is believed to be injected into
the response stream via a compromised httpd process in memory.

This issue was happening on the same box when it used to be Apache
2.0.56 and PHP 5.1.0 running Red Hat 9. Upgrading the distribution,
Apache, PHP etc. has so far not resolved the issue.

At this point we are upgrading to Apache 2.2.3-11.el5.centos.3 (2.2.8
backport) in hopes that the recent security patches in this build
relating to XSS will solve the issue.

I would really like to find the source of the problem, though.

-Jeff



RE: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Boaz Shunami-2


Hi,

Some questions you need to ask yourself.

Maybe one of the proxy servers got poisoned and not the DNS server?

Maybe it's an HTTP Response Splitting attack?

We have seen a similar issue a while ago, and it was caused by a developer's mistake and not by malicious activity...

Is it from several different locations or from a single location? Try to reach your site using web proxies and see if you still get the same problem, so you know for sure the problem is on your servers.

Do you have any substantial evidence as to who has done it?

Best Regards,

Boaz Shunami

Comsec Consulting



Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Stephen John Smoogen


On Jan 22, 2008 8:04 PM, Jeff Plewes <plewes@...> wrote:

> We have a similar problem on one of our co-location servers:

Hmmm, I wonder if it's related to the JavaScript hack that people have
been seeing at isc.sans.org and other places.

http://isc.sans.org/diary.html?date=2008-01-18


--
Stephen J Smoogen. -- CSIRT/Linux System Administrator

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Gary Baribault-2


Burn the box: re-install an OS fresh from a verified source, install
Apache and PHP from a known source, and then bring back the source for
the web site after verifying it by hand. This is a known trojan; it
is in memory, but it's initialised from the server drive somewhere.

Gary B




Jeff Plewes wrote:

> We have a similar problem on one of our co-location servers:

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Florian Weimer


* Jeff Plewes:

> This issue was happening on the same box when It used to be apache
> 2.0.56, php 5.1.0 running redhat 9.  upgrading the distribution,
> apache, php etc has so far not resolved the issue.

It could be something afoul with the network on which the machine is
located. Have you checked this? For instance, does it provide proper L3
separation among different customers?

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Jeff Plewes


To clarify some facts:

- Yes, the box was burned (brand new hardware, fresh install of CentOS 5,
minimal packages). Only the virtual host data was migrated.
- Updates done via the yum package manager with default sources.
- PHP compiled from source from ca3.php.net.
- There are about 40 customers on this box with virtual hosts.
- All machines behind the firewall on the public VLAN are ours.
- DNS is also housed by us; 1st and 2nd on BIND 9.

1) If restarting httpd temporarily (for days) resolves the problem, then
DNS is not the issue.
2) No proxy servers between the client where the problem is noticed and the
server which is compromised.
3) If the problem existed before with another distro, PHP and Apache
version, then it must be customer data which can be exploited
remotely?

Time to go through each customer and find the offender.

-Jeff


Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Eduardo Tongson


Hello Jeff,

Probably the same Linux rootkit [1]. Do you also see the 5-letter JS
file inclusion [2] on your pages? It appears right after the HTML
<body> tag.

[1] http://www.cpanel.net/security/notes/random_js_toolkit.html
[2] <script language='JavaScript' type='text/javascript'
src='cbolw.js'></script>

   Ed <http://blog.eonsec.com>

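Both symptoms described in this thread (the intermittent off-site redirect Alfonso and Jeff see, and the five-letter .js include right after the body tag that Eduardo points to) can be confirmed from the outside by sampling the site many times without following redirects and classifying each raw response. The following is an added example and not code from this thread or any of its authors. The three sample responses are constructed for the demo; the script name cbolw.js is the one quoted in Eduardo's message; the function names and the hostname www.example.com are mine, and only sample() touches the network.

```python
"""Sample a site repeatedly and flag two things this thread describes: a 3xx
redirect to another host, and a <script src='xxxxx.js'> injected directly
after <body>.  Added example, not code from the thread.  SAMPLES below are
constructed responses, not captures from any real site."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Indicator from the thread: five lowercase letters + .js, right after <body>.
INJECTED_JS = re.compile(
    rb"<body[^>]*>\s*<script[^>]*\bsrc=['\"]([a-z]{5}\.js)['\"][^>]*>",
    re.IGNORECASE)
REDIRECT_CODES = {301, 302, 303, 307, 308}

SAMPLES = {  # constructed for the demo
    "normal": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><body><h1>Welcome</h1></body></html>"),
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: http://other.example/\r\n\r\n",
    "injected": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body>\n<script language='JavaScript' type='text/javascript'"
                 b" src='cbolw.js'></script><h1>Welcome</h1></body></html>"),
}


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def classify(status, headers, body, expected_host):
    """Return a list of findings; an empty list means the response looks normal."""
    findings = []
    if status in REDIRECT_CODES:
        target = urlsplit(headers.get("location", "")).hostname or ""
        if target and target.lower() != expected_host.lower():
            findings.append("offsite-redirect:" + target)
    match = INJECTED_JS.search(body)
    if match:
        findings.append("injected-js:" + match.group(1).decode("ascii"))
    return findings


def demo(expected_host="www.example.com"):
    """Classify the constructed samples as if they came from expected_host."""
    return {name: classify(*parse_http_response(raw), expected_host)
            for name, raw in SAMPLES.items()}


def sample(url, count=50, timeout=5.0):
    """Fetch url count times, never following redirects, and tally findings.
    Live use only; not exercised offline."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None            # let the 3xx surface as an HTTPError instead
    opener = urllib.request.build_opener(NoRedirect)
    host = urlsplit(url).hostname
    tally = {}
    for _ in range(count):
        try:
            with opener.open(url, timeout=timeout) as resp:
                status, headers, body = resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            status, headers, body = err.code, dict(err.headers), err.read()
        lowered = {k.lower(): v for k, v in headers.items()}
        for finding in classify(status, lowered, body, host):
            tally[finding] = tally.get(finding, 0) + 1
    return tally


if __name__ == "__main__":
    print(demo())
    # print(sample("http://www.example.com/", count=100))
```

With a 10% hit rate, 50 samples will miss the problem about 0.5% of the time, so a clean run of that size is reasonable evidence that the vantage point is unaffected; a tally that is non-empty from one network and empty from another points at something between that network and the server (a resolver, a router, a proxy) rather than at httpd itself.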

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by dxp


There are some reports of a large-scale web site compromise where
thousands of sites are affected. Currently, info is limited, but it
looks like the Apache daemon is compromised, thus your web page files
are unchanged. This is known to affect shared hosting environments,
but it doesn't have to be limited to that.

Another possibility is ARP cache poisoning, either at the client side
(you) or the server side.
Here's a good write-up on this attack vector:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=166

---
dxp


Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Mark Gottschalk


Interesting Slashdot discussion today involving DNS redirection on home
routers in Mexico via a "drive-by".  Very similar symptoms, from the
web-site visitor's perspective...

http://it.slashdot.org/it/08/01/22/2259211.shtml
http://www.networkworld.com/news/2008/012208-drive-by-pharming.html

-- Mark

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by david bizeul



Hi,

Have you thought of pharming on a component other than your DNS? Router?
Symantec released a post on its blog describing drive-by pharming
attacks on routers used in Mexico; this could be your problem.
http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html

Regards

David Bizeul

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Ronald van der Westen


ARP poisoning is only possible within a subnet. Since this system is
probably located somewhere on the Internet, I'm sure that there is a
router somewhere in the path from the source to the destination.
I don't think ARP cache poisoning is the problem here, unless client
and server are in the same subnet.



--
Ronald van der Westen

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by dxp


Read the Websense report carefully.



Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Cedric Blancher


On ven, 2008-01-25 at 13:31 +0100, Ronald van der Westen wrote:
> I don't think ARP cache poisoning is the problem here, unless client
> and server are in the same subnet.

Not necessarily.
Sitting on one of those subnets is sufficient. More generally, you
need to be somewhere on the path between your two targets to perform a
traffic redirection. As routers and firewalls can be poisoned like any
other node, and as they act as gateways, they are all the more
interesting targets.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Jeff Plewes


Update,

The problem box:
- CentOS 5 base, updated via yum from the default repository.
- httpd 2.2.3-11.el5_1.centos.3 (2.2.8 backport?)
- PHP 5.2.5 compiled from source
- courier-authlib 0.60.2 compiled from source
- courier-imap-4.3.0 compiled from source
- exim 4.69 compiled from source
- proftpd 1.3.1 compiled from source

I have no control panel of any sort installed.

The box was running RH9 and had the issue; it was formatted and replaced
with a fresh install of CentOS 5, and the customer vhosts were copied over.

It gets hit again within days.

Open ports = 20, 21, 22, 25, 80, 110, 143, 443 + the PASV port range for FTP.

I have many other hosts in the datacenter with various configurations,
but all would have had the same Apache, PHP, SSH and SSL versions as this
box before on RH9. None of them have been hit; none of them, however,
contain exim, courier or proftpd.

I'm starting to lean towards these packages as a possible entry point
for the trojan?

And no, it's not ARP or DNS poisoning, nor router or proxy problems.

-Jeff



Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition

by Jon Kibler-2



Hi,

A few thoughts.
1) Start with the logs: what do they show?
    Do you actually see redirects in the Apache logs?
    What do your BIND NS logs show? If you don't have query logging on, turn it on!
2) Run process accounting. Do the numbers add up? If not, you may have a rootkit. PA
    may also be able to show a rogue process, such as a trojan.
3) Run an independently built, statically linked lsof. Do you have processes without
    filenames? Do you see processes that 'ps -ef' misses? Anything else 'strange' in
    the output?
4) Sniff the network from another box that is in the same collision domain, and
    one without an IP address. (Put a true hub between your suspect box and the net,
    then sniff the hub traffic.)
5) Run arpwatch, again preferably from another box on the collision domain.

Hope this helps.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
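Jon's items 2 and 3 (process accounting, an independently built lsof, processes that ps -ef misses) boil down to one question: is something running that the normal listing hides? The following is an added example and not code from this thread or any of its authors. It compares three views of the Linux process table: what ps prints, what readdir on /proc returns, and which PIDs answer kill(pid, 0), which bypasses a rootkit that only filters directory listings. It also reports processes whose binary on disk has been unlinked or replaced since they started, a common trace of an in-memory implant that the filesystem no longer shows. The function names are mine; the PID sets in the test are constructed, and the live collectors need root to see every user's processes.

```python
"""Three views of the process table compared against each other: what ps
prints, what /proc lists, and which PIDs answer kill(pid, 0).  A PID alive
in the last view but absent from the first two is hidden.  Added example
for this thread, not its authors' code; Linux only.  Test data is constructed."""
import os
import subprocess


def parse_ps_pids(text):
    """PIDs from `ps -e -o pid=` output."""
    return {int(tok) for tok in text.split()}


def ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True)
    return parse_ps_pids(out.stdout)


def proc_pids():
    """PIDs /proc is willing to list via readdir."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_pids(max_pid=None):
    """PIDs that answer kill(pid, 0); unaffected by a readdir-only hook."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                      # exists, owned by another user
        alive.add(pid)
    return alive


def is_thread(pid):
    """True for a non-leader thread: kill() sees TIDs too, and /proc/<tid>
    opens by path even though readdir never lists it."""
    try:
        with open("/proc/%d/status" % pid) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def hidden_pids(visible, alive, thread_check=is_thread):
    """Alive PIDs that no listing shows, with threads filtered out."""
    return sorted(pid for pid in alive - visible if not thread_check(pid))


def deleted_exes(pids):
    """PIDs whose executable was unlinked or replaced after they started."""
    out = {}
    for pid in pids:
        try:
            target = os.readlink("/proc/%d/exe" % pid)
        except OSError:
            continue
        if target.endswith(" (deleted)"):
            out[pid] = target
    return out


def audit():
    """Run the comparison twice and keep only PIDs hidden both times, which
    drops processes that merely started or exited between two snapshots."""
    first = set(hidden_pids(ps_pids() | proc_pids(), probe_pids()))
    second = set(hidden_pids(ps_pids() | proc_pids(), probe_pids()))
    return {"hidden": sorted(first & second),
            "deleted_exe": deleted_exes(proc_pids())}


if __name__ == "__main__":
    print(audit())
```

Scanning up to pid_max with kill() takes a few seconds on a modern kernel and is the part that works even when ps and ls are trojaned, provided the kernel itself is not; a kernel rootkit that also hooks kill() defeats it, which is why Jon's advice to look from another box (sniffing, arpwatch) still applies. A deleted_exe hit on an httpd worker that was not restarted after a package update is benign; one on a process nobody updated is worth an image of memory before anything is rebooted.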





