Lking
Posted December 13, 2008

Sometime Thursday night the address for www.StarBand[dot]net got hijacked and now points to a site full of links to sedoparking[dot]com. They (sedoparking) have actually updated their page (changed pictures, links) during the last 24 hours.

The WhoIs for starband was changed Thursday when I first looked and again Friday:

    Last update of whois database: Fri, 12 Dec 2008 16:29:11 UTC

The real www.starband[dot]net pages should look like 148.78.247.61

This of course affects logging into my account from the web side; email can't be delivered to xxx[at]starband[dot]net. From the satellite side all looks/acts normal.

How long does it take to get all the DNS tables updated? (I know that sounds like, 'how long is the string?') Don't I remember a major site being hijacked last week?

Looking for an education. This has always been one of those things that 'just worked.' Now that it affects me...
DavidT
Posted December 13, 2008

> The real www.starband[dot]net pages should look like 148.78.247.61

It looks correct from here. Rather than some sort of DNS poisoning/hijacking, it sounds like someone hacked into the domain administration login at the registrar and changed the nameserver info, then someone perhaps changed it back. But the whois info, although somewhat protected by a privacy feature, seems to indicate involvement of a company in Portugal ... is that bogus? If so, StarBand needs to get with Registrar.com and straighten this out.

DT
Farelf
Posted December 13, 2008

I got the sedoparking data/page (and popup ad) on my first attempt to go to www.StarBand.net but subsequently (also when using the literal address 148.78.247.61) I get a "You are not authorized to view this page" with the code "HTTP 403.6 - Forbidden: IP address rejected." Lookups get alternating data:

    C:\Documents and Settings\Steve>nslookup StarBand.net
    ...
    Non-authoritative answer:
    Name:     StarBand.net
    Address:  216.36.248.134

    C:\Documents and Settings\Steve>whosip 216.36.248.134
    WHOIS Source:  ARIN
    IP Address:    216.36.248.134
    Country:       USA - Illinois
    Network Name:  HOSTWAY-04
    Owner Name:    Hostway Corporation
    From IP:       216.36.192.0
    To IP:         216.36.255.255
    Allocated:     Yes
    Contact Name:  Hostway Corporation
    Address:       1 N. State St., Chicago
    Email:         noc[at]hostway.com
    Abuse Email:
    Phone:         +1-312-994-7690
    Fax:

    C:\Documents and Settings\Steve>nslookup StarBand.net
    ...
    Non-authoritative answer:
    Name:     StarBand.net
    Address:  148.78.247.61

    C:\Documents and Settings\Steve>whosip 148.78.247.61
    WHOIS Source:  ARIN
    IP Address:    148.78.247.61
    Country:       USA - Virginia
    Network Name:  STARBAND
    Owner Name:    Starband Communications, Inc.
    From IP:       148.78.0.0
    To IP:         148.78.255.255
    Allocated:     Yes
    Contact Name:  Starband Communications, Inc.
    Address:       1750 Old Meadow Road, Suite 700, McLean
    Email:         netadmin[at]starband.net
    Abuse Email:   abuse[at]starband.com
    Phone:         +1-703-245-6441
    Fax:

    C:\Documents and Settings\Steve>

Looks like the Starband DNS records are in transition all right, but I can't tell which way they're going or how quickly.
Wazoo
Posted December 13, 2008

> Sometime Thursday night the address for www.StarBand[dot]net got hijacked and now points to a site full of links to sedoparking[dot]com.
> The WhoIs for starband was changed Thursday when I first looked and again Friday: Last update of whois database: Fri, 12 Dec 2008 16:29:11 UTC
> The real www.starband[dot]net pages should look like 148.78.247.61

There could be another explanation (although it does take a bit of a reach of faith ...???) WHOIS still shows:

    DNS Servers:
    ns1-mclcorp.starband.com
    ns2-mclcorp.starband.com

Slow traceroute starband.net:

    Trace starband.net (216.36.248.134) ...

Fetching http://starband.net/ ...

    Host: starband.net
    HTTP/1.1 200 OK
    Date: Sat, 13 Dec 2008 15:47:21 GMT
    Server: Apache

    <frameset rows="*,100%"><frame scrolling="no" frameborder="0" noresize src=""><frame scrolling="auto" frameborder="0" src="http://sedoparking.com/starband.net/?registrar=House1"></frameset>

Seems strange that the IP Address would change but the DNS would remain at the 'same' servers .... It could be as simple as the fees for hosting of the .net page hadn't been paid. The stretch for me on that would come from:

    IP block 148.78.254.30
    Spacenet, Inc. SPACENET-SPAN (NET-148-62-0-0-1) 148.62.0.0 - 148.78.255.255
    Starband Communications, Inc. STARBAND (NET-148-78-0-0-1) 148.78.0.0 - 148.78.255.255

It sure seems that they could afford to (continue to) self-host their own page ...???

> This of course affects logging into my account from the web side; email can't be delivered to xxx[at]starband[dot]net. From the satellite side all looks/acts normal. How long does it take to get all the DNS tables updated? (I know that sounds like, 'how long is the string?')

From all appearances, I'd believe that you should be able to get to the previous content at starband.com ... folks there reference providing/supporting Spacenet Inc.

> provides StarBand two-way, always-on, high-speed satellite Internet service to small office / home office (SOHO) and small business customers.
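The three things the last few posts established by hand (alternating answers from different resolvers, which netblock each answer belongs to, and a page that is only a frame around a parking host) can be checked mechanically. The following is an added example written for this thread; it is not code posted by any participant, nor anything from StarBand, Hostway or Sedo. The resolver answers, the 148.78.0.0/16 allocation and the frameset body are constructed from values quoted above, and the resolver labels "isp-resolver" and "opendns" are just names for the two lookups.

```python
"""Cross-check a domain's DNS answers and the page they serve.

Added example, not code from this thread or from StarBand, Hostway or Sedo.
It mechanises what the posters did with nslookup, whosip and a fetch:
  1. do different resolvers return the same A records for the name?
  2. does each answer fall inside the netblock the organisation itself owns
     (148.78.0.0/16, the ARIN allocation shown by whosip above)?
  3. does the served page hand the whole window to a frame on a third-party
     host, the usual shape of a parking page?
All inputs are constructed from values quoted in the thread, so this runs
offline; a monitor would feed the same functions live data.
"""
import ipaddress
import re
from html.parser import HTMLParser

OWN_DOMAIN = "starband.net"
# ARIN allocation for Starband Communications, Inc., per the whosip output.
OWN_NETBLOCKS = [ipaddress.ip_network("148.78.0.0/16")]

# Constructed: A records two recursive resolvers handed back for starband.net
# (216.36.248.134 is the Hostway address, 148.78.247.61 the StarBand one).
RESOLVER_ANSWERS = {
    "isp-resolver": ["216.36.248.134"],
    "opendns": ["148.78.247.61"],
}

# Constructed from the fetch above: the body served from 216.36.248.134.
PARKED_BODY = (
    '<frameset rows="*,100%"><frame scrolling="no" frameborder="0" noresize src="">'
    '<frame scrolling="auto" frameborder="0" '
    'src="http://sedoparking.com/starband.net/?registrar=House1"></frameset>'
)
# Constructed: a body whose only frame stays within the domain itself.
OWN_BODY = '<html><frameset><frame src="http://www.starband.net/home.asp"></frameset></html>'


def resolvers_disagree(answers):
    """True when resolvers return different A-record sets for the same name.

    Disagreement is normal for a while after a legitimate change, so it is a
    reason to look closer, not proof of a hijack."""
    return len({frozenset(addrs) for addrs in answers.values()}) > 1


def outside_own_netblocks(addresses, netblocks=OWN_NETBLOCKS):
    """Return the addresses not contained in any netblock the organisation owns."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in netblocks)]


class _FrameSrcCollector(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_frame_hosts(body, own_domain=OWN_DOMAIN):
    """Hosts of frame sources that are neither own_domain nor a subdomain of it."""
    collector = _FrameSrcCollector()
    collector.feed(body)
    hosts = []
    for src in collector.srcs:
        m = re.match(r"https?://([^/:?#]+)", src, re.I)
        if not m:
            continue  # relative URL: same origin as the page itself
        host = m.group(1).lower()
        if host != own_domain and not host.endswith("." + own_domain):
            hosts.append(host)
    return hosts


def assess(answers, body, own_domain=OWN_DOMAIN, netblocks=OWN_NETBLOCKS):
    """Run all three checks and return a list of human-readable findings."""
    findings = []
    if resolvers_disagree(answers):
        findings.append("resolvers disagree: " + ", ".join(
            f"{name}={'/'.join(addrs)}" for name, addrs in sorted(answers.items())))
    for name, addrs in sorted(answers.items()):
        for addr in outside_own_netblocks(addrs, netblocks):
            findings.append(f"{name} answered {addr}, outside the organisation's netblocks")
    for host in external_frame_hosts(body, own_domain):
        findings.append(f"page is a frame wrapper around third-party host {host}")
    return findings


if __name__ == "__main__":
    for line in assess(RESOLVER_ANSWERS, PARKED_BODY):
        print(line)
```

Resolver disagreement on its own is what ordinary propagation looks like, which is why the check also asks whether the unexpected answer lies inside the organisation's own allocation and whether the page it serves is merely a frame around another host. A registrar-account change or a lapsed hosting account tends to trip all three at once; a planned move normally trips only the first.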
DavidT
Posted December 13, 2008

> Trace starband.net (216.36.248.134) ...

But that's not the IP I get using a lot of various server and web-based tools all over the net. I get the proper IP of 148.78.247.61 every time. For example, try the tool at: http://www.zoneedit.com/lookup.html

I was able to hit the correct page from the command lines of three different servers I just logged in to all over the US, and from browsers on my computer and another at work that I just remotely connected to. The "216." IP was probably what was being distributed before the nameservers got changed back to the proper values, and it's on a Hostway box that seems to have mostly parked pages.

DT
Wazoo
Posted December 14, 2008

> But that's not the IP I get using a lot of various server and web-based tools all over the net. I get the proper IP of 148.78.247.61 every time.

Changed to an OpenDNS server, now also showing:

    12/13/08 22:36:16 Slow traceroute starband.net
    Trace starband.net (148.78.247.61) ...

My ISP uses AT&T for its resources, so assumedly there is some DNS propagation delay still in the works. On the other hand, I do have to note that:

    Browsing http://starband.net/
    Fetching http://starband.net/ ...
    GET / HTTP/1.1
    Host: starband.net
    HTTP/1.1 302 Object moved
    Server: Microsoft-IIS/5.0

The Moved / direct path needs to be http://starband.net/home.asp and looking at that code, my previous suggestion of hitting the .com site certainly appears not to be a direct replacement.
Farelf
Posted December 14, 2008

Interesting - I still get the "You are not authorized" when trying to connect on any of the above but http://starband.net.nyud.net:8080/home.asp works, looks real (same as http://starband.net/home.asp via proxy).
Lking (Author)
Posted December 14, 2008

Excuse me for dumping a question and not being involved in the discussion. Life got in the way. Two days of providing sound reinforcement for an outside town Holiday Market is occupying my weekend. I'm getting too old for this level of effort.

I knew I (you) could not tell what was going on, after the fact, thus the post and run. My DSL SMTP has returned the test email, from DSL to [at]starband.net. I agree it does seem odd that starband/SPACENET can't afford their own server. I did notice that the street addresses of sedoparking are in Georgia close to the NOC.

Thanks for the dissection. Will digest the information when I recover.

{Edit} Doesn't look like the email is working. What I get when I send from DSL to starband.net is:

    ----- The following addresses had permanent fatal errors -----
    <xxxx[at]starband.net>
        (reason: 553 5.3.0 <xxxx[at]starband.net>... Email rejected because of UCE from 207.192.128.31. Listed by http://www.starband.net/removalrequest/def...207.192.128.31)

    ----- Transcript of session follows -----
    ... while talking to smtp.starband.net.:
    >>> DATA
    <<< 553 5.3.0 <xxxx[at]starband.net>... Email rejected because of UCE from 207.192.128.31. Listed by http://www.starband.net/removalrequest/def...=207.192.128.31
    550 5.1.1 <xxxx[at]starband.net>... User unknown
    <<< 503 5.0.0 Need RCPT (recipient)
Lking (Author)
Posted December 16, 2008

This is surely a case of, the more I know the less I understand.

Gilat Network Systems owns Spacenet, Inc., which provides managed VSAT and hybrid network services for business, government and residential customers in North America, and owns StarBand, who provides satellite broadband Internet services for home and small office across the United States. The StarBand NOC, ground station is located in Marietta, GA.

Like DavidT, I don't understand what this has to do with an address in Portugal or a phone number (area code 902) in Nova Scotia. Either someone has a more interesting life than I do (no real stretch) or the requirement to give valid information for site reg is not strongly enforced.

Still don't have a clue how you would hack into REGISTER.COM, INC. and change the data. Or did they get into that database at NS1-MCLCORP.STARBAND.COM?

It is also interesting that sedoparking.net, that replaced starband.net, has a street address in Lawrenceville, GA which, like Marietta, is a suburb of Atlanta. Depending on how easy it is to make changes like these and with a little mimicry some real information could be collected.
DavidT
Posted December 16, 2008

> Still don't have a clue how you would hack into REGISTER.COM, INC. and change the data.

All that's needed is a userid (which is often an email address) and a password. Weak passwords can be easily guessed. But this is only speculation. You should call StarBand and call their attention to the odd Whois info.

As for your example of rejected/bounced email, that appears to be due to blocking at StarBand's email server, which didn't want to accept connections from your Radix-based DSL system. From my research, it appears that Radix might have a very small "backscatter" problem. I see one such report in SpamCop's report database, and the Radix IP you gave is listed on the WPBL (Weighted Private Block List): http://www.wpbl.info/cgi-bin/detail.cgi?ip=207.192.128.31

DT
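The bounce Lking pasted in his edit, and DavidT's reading of it as a block on the sending IP rather than a missing mailbox, is the kind of triage a mail admin does many times a day. The following is an added example for this thread, not code from any participant or from SpamCop, Radix or StarBand: it parses the SMTP transcript of that bounce (a constructed copy, with the recipient left masked as "xxxx[at]starband.net" and the listing URL left truncated exactly as posted), pulls out the reply code, the enhanced status code of RFC 3463, the IP the receiving server blamed and the URL it cited, and classifies the result.

```python
"""Classify a non-delivery report from its SMTP transcript.

Added example, not code from the thread. Sendmail-style transcripts prefix
what the receiving server said with '<<<' and what we sent with '>>>'.
The first permanent (5xx) reply decides the verdict; the enhanced status
code (RFC 3463: 5.1.1 bad destination mailbox, 5.3.x mail system, 5.7.x
policy) and the reply text tell a reputation block apart from an unknown
user or a transient failure.
"""
import re

# Constructed copy of the bounce quoted in the thread (recipient masked,
# listing URL truncated as it was posted).
BOUNCE = """\
----- The following addresses had permanent fatal errors -----
<xxxx[at]starband.net>
    (reason: 553 5.3.0 <xxxx[at]starband.net>... Email rejected because of UCE from 207.192.128.31. Listed by http://www.starband.net/removalrequest/def...207.192.128.31)

----- Transcript of session follows -----
... while talking to smtp.starband.net.:
>>> DATA
<<< 553 5.3.0 <xxxx[at]starband.net>... Email rejected because of UCE from 207.192.128.31. Listed by http://www.starband.net/removalrequest/def...=207.192.128.31
550 5.1.1 <xxxx[at]starband.net>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
"""

# "553 5.3.0 text": three-digit reply code, optional enhanced status, free text.
REPLY_RE = re.compile(
    r"^(?P<code>[2345]\d\d)[ -](?P<esc>[245]\.\d{1,3}\.\d{1,3})?\s*(?P<text>.*)$")
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
REPUTATION_WORDS = re.compile(r"\b(uce|spam|blocked|blacklist|listed by|rbl|dnsbl)\b", re.I)


def parse_server_replies(transcript):
    """Return (code, enhanced_status, text) for each line the server sent."""
    replies = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith(">>>"):
            continue                      # our own command, not a reply
        if line.startswith("<<<"):
            line = line[3:].strip()
        m = REPLY_RE.match(line)
        if m:
            replies.append((int(m.group("code")), m.group("esc"), m.group("text")))
    return replies


def classify(reply):
    """Name the failure class of one SMTP reply."""
    code, esc, text = reply
    if code < 400:
        return "accepted"
    if code < 500:
        return "transient"                # 4xx: retry later, not a rejection
    lowered = text.lower()
    if esc == "5.1.1" or "user unknown" in lowered or "no such user" in lowered:
        return "unknown-recipient"
    if REPUTATION_WORDS.search(text):
        return "sender-reputation"        # the sending host, not the mailbox
    if esc and esc.startswith("5.7."):
        return "policy"
    return "other-permanent"


def blamed_ip(text):
    """The IP the server says it rejected, if the text names one."""
    m = re.search(r"\bfrom\s+(" + IPV4 + r")\b", text)
    return m.group(1) if m else None


def listing_url(text):
    """The blocklist or removal URL the server cited, if any."""
    m = re.search(r"Listed by\s+(\S+)", text)
    return m.group(1).rstrip(").,") if m else None


def summarize(transcript):
    """Triage a bounce on its first permanent reply."""
    replies = parse_server_replies(transcript)
    fatal = next((r for r in replies if r[0] >= 500), None)
    if fatal is None:
        return {"verdict": "no-permanent-failure"}
    code, esc, text = fatal
    return {
        "code": code,
        "enhanced_status": esc,
        "verdict": classify(fatal),
        "blamed_ip": blamed_ip(text),
        "listing_url": listing_url(text),
    }


if __name__ == "__main__":
    for key, value in summarize(BOUNCE).items():
        print(f"{key}: {value}")
```

For the pasted bounce the verdict is "sender-reputation" with 207.192.128.31 as the blamed address and the StarBand removal-request URL as the reference, which is the same conclusion DavidT reached by eye: the fix belongs with the operator of the sending relay's IP, not with the recipient's account. The later "550 5.1.1 User unknown" line is ignored on purpose, since it follows a refused DATA command and would otherwise send the sender chasing a mailbox problem that is not the cause.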