Web site hijacked


Lking

Sometime Thursday night the address for www.StarBand[dot]net got hijacked and now points to a site full of links to sedoparking[dot]com. They (sedoparking) have actually updated their page (changed pictures, links) during the last 24 hours.

The WhoIs for starband was changed Thursday when I first looked and again Friday >>> Last update of whois database: Fri, 12 Dec 2008 16:29:11 UTC <<

The real www.starband[dot]net pages should look like 148.78.247.61

This of course affects logging into my account from the web side, email can't be delivered to xxx[at]starband[dot]net. From the satellite side all look/acts normal. How long does it take to get all the DNS tables updated? (I know that sounds like, 'how long is the string?')

Don't I remember a major site being hijacked last week?

Looking for an education. This has always been one of those things that 'just worked.' Now that it affects me...

The real www.starband[dot]net pages should look like 148.78.247.61

It looks correct from here. Rather than some sort of DNS poisoning/hijacking, it sounds like someone hacked into the domain administration login at the registrar and changed the nameserver info, then someone perhaps changed it back. But the whois info, although somewhat protected by a privacy feature, seems to indicate involvement of a company in Portugal....is that bogus? If so, StarBand needs to get with Registrar.com and straighten this out.

DT

I got the sedoparking data/page (and popup ad) on my first attempt to go to www.StarBand.net but subsequently (also when using the literal address 148.78.247.61) I get a "You are not authorized to view this page" with the code "HTTP 403.6 - Forbidden: IP address rejected."

Lookups get alternating data:

C:\Documents and Settings\Steve>nslookup StarBand.net

...

Non-authoritative answer:

Name: StarBand.net

Address: 216.36.248.134

C:\Documents and Settings\Steve>whosip 216.36.248.134

WHOIS Source: ARIN

IP Address: 216.36.248.134

Country: USA - Illinois

Network Name: HOSTWAY-04

Owner Name: Hostway Corporation

From IP: 216.36.192.0

To IP: 216.36.255.255

Allocated: Yes

Contact Name: Hostway Corporation

Address: 1 N. State St., Chicago

Email: noc[at]hostway.com

Abuse Email:

Phone: +1-312-994-7690

Fax:

C:\Documents and Settings\Steve>nslookup StarBand.net

...

Non-authoritative answer:

Name: StarBand.net

Address: 148.78.247.61

C:\Documents and Settings\Steve>whosip 148.78.247.61

WHOIS Source: ARIN

IP Address: 148.78.247.61

Country: USA - Virginia

Network Name: STARBAND

Owner Name: Starband Communications, Inc.

From IP: 148.78.0.0

To IP: 148.78.255.255

Allocated: Yes

Contact Name: Starband Communications, Inc.

Address: 1750 Old Meadow Road, Suite 700, McLean

Email: netadmin[at]starband.net

Abuse Email: abuse[at]starband.com

Phone: +1-703-245-6441

Fax:

C:\Documents and Settings\Steve>

Looks like the Starband DNS records are in transition all right, but I can't tell which way they're going or how quickly.

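The alternating nslookup answers above are what a multi-resolver consistency check is meant to catch. The following is an added example, not code from this thread: it compares the answers several resolvers give for one name, flags any resolver that disagrees with the majority, and flags any answer that falls outside the organisation's own netblock (148.78.0.0/16, taken from the ARIN whois output quoted above). The resolver names and their answers are constructed sample data standing in for live lookups.

```python
import ipaddress
from collections import Counter

# Netblock the organisation is known to own (from the ARIN whois quoted in the thread).
EXPECTED_NETS = [ipaddress.ip_network("148.78.0.0/16")]

# Constructed sample: what several resolvers answered for the same name.
# One ISP resolver still hands out the parking host; the others give the real address.
SAMPLE_ANSWERS = {
    "isp-resolver-1": "216.36.248.134",
    "isp-resolver-2": "148.78.247.61",
    "opendns": "148.78.247.61",
    "remote-server-us-east": "148.78.247.61",
}


def in_expected_netblock(ip, expected_nets=EXPECTED_NETS):
    """True if the address lies inside one of the organisation's known netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expected_nets)


def analyse(answers, expected_nets=EXPECTED_NETS):
    """Compare per-resolver answers and report disagreement and out-of-netblock results.

    Returns a dict with the majority answer, the resolvers that disagree with it,
    the resolvers whose answer is outside the expected netblock, and two flags:
    'consistent' (all resolvers agree) and 'suspicious' (some answer is outside
    the netblock, which is the stronger hijack signal).
    """
    counts = Counter(answers.values())
    consensus, _ = counts.most_common(1)[0]
    disagreeing = {r: ip for r, ip in answers.items() if ip != consensus}
    outside = {r: ip for r, ip in answers.items()
               if not in_expected_netblock(ip, expected_nets)}
    return {
        "consensus": consensus,
        "disagreeing": disagreeing,
        "outside_netblock": outside,
        "consistent": len(counts) == 1,
        "suspicious": bool(outside),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_ANSWERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A resolver that disagrees with the majority can simply be lagging behind a legitimate change; an answer outside the owner's netblock is the signal worth escalating to the registrar.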
Sometime Thursday night the address for www.StarBand[dot]net got hijacked and now points to a site full of links to sedoparking[dot]com.

The WhoIs for starband was changed Thursday when I first looked and again Friday >>> Last update of whois database: Fri, 12 Dec 2008 16:29:11 UTC <<

The real www.starband[dot]net pages should look like 148.78.247.61

There could be another explanation (although it does take a bit of a reach of faith ...???)

WHOIS still shows;

DNS Servers:

ns1-mclcorp.starband.com

ns2-mclcorp.starband.com

Slow traceroute starband.net

Trace starband.net (216.36.248.134) ...

Fetching http://starband.net/ ...

Host: starband.net

HTTP/1.1 200 OK

Date: Sat, 13 Dec 2008 15:47:21 GMT

Server: Apache

<frameset rows="*,100%"><frame scrolling="no" frameborder="0" noresize src=""><frame scrolling="auto" frameborder="0" src="http://sedoparking.com/starband.net/?registrar=House1"></frameset>

Seems strange that the IP Address would change but the DNS would remain at the 'same' servers .... It could be as simple as the fees for hosting of the .net page hadn't been paid. The stretch for me on that would come from;

IP block 148.78.254.30

Spacenet, Inc. SPACENET-SPAN (NET-148-62-0-0-1)

148.62.0.0 - 148.78.255.255

Starband Communications, Inc. STARBAND (NET-148-78-0-0-1)

148.78.0.0 - 148.78.255.255

It sure seems that they could afford to (continue) to self-host their own page ...???

This of course affects logging into my account from the web side, email can't be delivered to xxx[at]starband[dot]net. From the satellite side all look/acts normal. How long does it take to get all the DNS tables updated? (I know that sounds like, 'how long is the string?')

From all appearances, I'd believe that you should be able to get to the previous content at starband.com ... folks there reference providing/supporting Spacenet Inc. provides StarBand two-way, always-on, high-speed satellite Internet service to small office / home office (SOHO) and small business customers.

Trace starband.net (216.36.248.134) ...

But that's not the IP I get using a lot of various server and web-based tools all over the net. I get the proper IP of 148.78.247.61 every time. For example, try the tool at:

http://www.zoneedit.com/lookup.html

I was able to hit the correct page from the command lines of three different servers I just logged in to all over the US, and from browsers on my computer and another at work that I just remotely connected to. The "216." IP was probably what was being distributed before the nameservers got changed back to the proper values, and it's on a Hostway box that seems to have mostly parked pages.

DT

But that's not the IP I get using a lot of various server and web-based tools all over the net. I get the proper IP of 148.78.247.61 every time.

Changed to an OpenDNS server, now also showing;

12/13/08 22:36:16 Slow traceroute starband.net

Trace starband.net (148.78.247.61) ...

My ISP uses AT&T for its resources, so assumedly there is some DNS propagation delay still in the works.

On the other hand, I do have to note that;

Browsing http://starband.net/

Fetching http://starband.net/ ...

GET / HTTP/1.1

Host: starband.net

HTTP/1.1 302 Object moved

Server: Microsoft-IIS/5.0

The Moved / direct path needs to be http://starband.net/home.asp

and looking at that code, my previous suggestion of hitting the .com site certainly appears not to be a direct replacement.

Excuse me for dumping a question and not being involved in the discussion. Life got in the way. Two days of providing sound reinforcement for an outside town Holiday Market is occupying my weekend. I'm getting too old for this level of effort.

I knew I (you) could not tell what was going on, after the fact, thus the post and run. My DSL SMTP has returned the test email, from DSL to [at]starband.net.

I agree it does seem odd that starband/SPACENET can't afford their own server. I did notice that the street addresses of sedoparking are in Georgia close to the NOC.

Thanks for the dissection. Will digest the information when I recover.

{Edit} Doesn't look like the email is working. What I get when I send from DSL to starband.net is:

----- The following addresses had permanent fatal errors -----

<xxxx[at]starband.net>

(reason: 553 5.3.0 <xxxx[at]starband.net>... Email rejected because of UCE from 207.192.128.31. Listed by http://www.starband.net/removalrequest/def...207.192.128.31)

----- Transcript of session follows -----

... while talking to smtp.starband.net.:

>>> >>> DATA

<<< 553 5.3.0 <xxxx[at]starband.net>... Email rejected because of UCE from 207.192.128.31. Listed by http://www.starband.net/removalrequest/def...=207.192.128.31

550 5.1.1 <xxxx[at]starband.net>... User unknown

<<< 503 5.0.0 Need RCPT (recipient)

This is surely a case of, the more I know the less I understand.

Gilat Network Systems owns Spacenet, Inc. which provides managed VSAT and hybrid network services for business, government and residential customers in North America, and owns StarBand who provides satellite broadband Internet services for home and small office across the United States. The StarBand NOC, ground station is located in Marietta, GA.

Like DavidT I don't understand what this has to do with an address in Portugal or a phone number (area code 902) in Nova Scotia. Either someone has a more interesting life than I do (no real stretch) or the requirement to give valid information for site reg is not strongly enforced.

Still don't have a clue how you would hack into REGISTER.COM, INC. and change the data. or did they get into that database at NS1-MCLCORP.STARBAND.COM?

It is also interesting that sedoparking.net, that replaced starband.net, has a street address in Lawrenceville, GA which, like Marietta, is a suburb of Atlanta.

Depending on how easy it is to make changes like these and with a little mimicry some real information could be collected.

Still don't have a clue how you would hack into REGISTER.COM, INC. and change the data.

All that's needed is a userid (which is often an email address) and a password. Weak passwords can be easily guessed. But this is only speculation. You should call StarBand and call their attention to the odd Whois info.

As for your example of rejected/bounced email, that appears to be due to blocking at StarBand's email server, which didn't want to accept connections from your Radix-based DSL system. From my research, it appears that Radix might have a very small "backscatter" problem. I see one such report in SpamCop's report database, and the Radix IP you gave is listed on the WPBL (Weighted Private Block List):

http://www.wpbl.info/cgi-bin/detail.cgi?ip=207.192.128.31

DT
