Alfonso,
How are you certain they are being redirected by resources not in
your control? Are you certain the page being loaded is, in fact, your
competitors page and not a phishing site? Have you been able to reproduce
this or are users emailing with complaints? For the users that are
complaining of being redirected, are they experiencing any other issues with
their accounts? This may help narrow where the redirect is actually
occurring.
Regards,
A.J. Rembert
arembert@samscreen.com
Ph. 607-722-3979 Fx. 607-722-7128
Samscreen, Inc. / PSSI
216 Broome Corporate Pkwy
Conklin, NY 13748
This message is intended for the use of the individual or entity to which it
is addressed, and may contain information that is privileged, confidential
and exempt from disclosure under applicable law. If the reader of this
message is not the intended recipient, or the employee or agent responsible
for delivering the message to the intended recipient, you are hereby
notified that any dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this
communication in error, please notify us immediately by e-mail or telephone
and delete the original message without making a copy. Thank you for your
cooperation and assistance.
-----Original Message-----
From: Stephen John Smoogen [mailto:smooge@gmail.com]
Sent: Tuesday, January 22, 2008 4:00 PM
To: Alfonso Valdes Carrales
Cc: incidents@securityfocus.com
Subject: Re: DNS CACHE POISONING? - Our Portal is redirecting to our first
competition
On Jan 22, 2008 1:19 PM, Alfonso Valdes Carrales <ponchovaldes@gmail.com>
wrote:
2008/1/22, Stephen John Smoogen <smooge@gmail.com>:
On 22 Jan 2008 00:55:30 -0000, <ponchovaldes@gmail.com> wrote:
Hello guys, we have a social network that is getting stronger, but we
are having an issue.
And the issue is that Sometimes... our page redirects to another
Portal,
actually the page that redirects is our first competition,here in Latino
America, i know that they are causing that kind of mess.. so we thought in
this.
- We know that our DNS server is ok, and havent been compromised,
- DNS cache poisoning
- Malware ?
- some kind of virus that the guys(bad) made. ( the other portal -
social network-)
You have provided too little information for anyone to really help.
1) What is your website's architecture?
A) What kind of OS on the servers
B) What kind of software on the servers
C) Is it hosted on dedicated hardware or on a third party software
D) Do you use some sort of 3rd party software to get to your page (eg
you rely on a company to send customers to your page.)
One box virtualized with XEN that has centos, the website virtualized
(apache), db(mysql) and the mailserver have DEBIAN also virtualized .
(dedicated hardware that each sservice is separated in one virtual server
but consolidated)
The DNS server is out side, another dedicated server using BIND9 - not
using any kind of third party software
2) What do you mean by redirect. In small steps explain how a user
normally gets to and sees your site and what happens when it doesnt
work
User wants to access: www.unibicate.com AND sometimes... maybe the
10%
of the times if you type www.unibicate.com and hit ENTER, it redirects or
goes to the page of sonico.com (this is another social network). Of
course sonico.com is causing this mess.
If the page works fine, it just displays the page of unibicate and just
log
in.. as a normal Social network.
One thing I have learned is that in 99% of the cases the other company
is not the cause.. or "Do not blame to malice of your competitor when
there are 4 billion teenagers who think doing this sort of prank is
fun, interesting, cool, etc."
I can't get it to happen at this time from my area.. so I really don't
know what is going on.
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
