[WLUG] 'Forbidden' website
Jim Irrer
irrer at umich.edu
Tue Dec 5 21:08:59 EST 2017
Thanks for the digging!
I looked at /etc/resolv.conf :
lrwxrwxrwx 1 root root 29 Jul 24 2016 resolv.conf -> ../run/resolvconf/resolv.conf
which is in a tmpfs file system, so it sounds like it will not survive a reboot, or maybe even restarting the network.
it contains:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search gateway.pace.com
and gateway.pace.com == 192.168.1.254, which is my ATT Uverse modem.
One web site https://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten/163506#163506
suggested changing /etc/resolvconf/resolv.conf.d/base to:
nameserver 8.8.8.8
nameserver 8.8.4.4
which I tried but it did not help.
This feels like some sort of error as opposed to malicious action, but I
can't be certain without knowing the cause.
BTW - My OS version is stretch/sid
Thanks,
- Jim
Jim Irrer irrer at umich.edu (734) 647-4409
University of Michigan Hospital Radiation Oncology
519 W. William St. Ann Arbor, MI 48103-4943
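The two checks this thread does by hand, as an added example (editor's code, not from any poster): parse dig output from the local resolver and from 8.8.8.8 and flag disagreement, then test whether a certificate's names cover the requested host the way a browser does. Only 8.8.8.8's answer for moosejaw.com (52.10.51.5) is taken from the thread; the local-resolver answer (204.2.133.51, the address the thread's ping hit) and the certificate names *.yottaa.net / yottaa.net are constructed assumptions that model a stale CDN mapping.

```python
"""Added example (not from the thread): resolver comparison plus certificate
name check over sample data. Only 8.8.8.8's answer for moosejaw.com
(52.10.51.5) comes from the thread; the local-resolver answer and the
certificate names are constructed to model a stale CDN mapping."""
import re
from collections import defaultdict

# One resource record line in dig's ANSWER SECTION: owner, TTL, class, type, rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$")


def parse_dig_answers(output):
    """Return {(owner, rrtype): {rdata, ...}} from the ANSWER SECTION of dig output."""
    records, in_answer = defaultdict(set), False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            in_answer = False  # a blank or comment line closes the section
            continue
        m = ANSWER_RE.match(line)
        if m:
            owner, _ttl, rrtype, rdata = m.groups()
            records[(owner.lower().rstrip("."), rrtype)].add(rdata.lower().rstrip("."))
    return dict(records)


def lookup(records, qname, rrtype="A", max_hops=8):
    """Follow CNAMEs within one parsed answer until rrtype records for the name are found."""
    name = qname.lower().rstrip(".")
    for _ in range(max_hops):
        if (name, rrtype) in records:
            return records[(name, rrtype)]
        cname = records.get((name, "CNAME"))
        if not cname:
            break
        name = next(iter(cname))
    return set()


def compare_resolvers(qname, outputs, rrtype="A"):
    """outputs maps resolver address -> dig output text.
    Returns (all_agree, {resolver: set of rdata}); an empty set means no usable answer."""
    seen = {r: lookup(parse_dig_answers(out), qname, rrtype) for r, out in outputs.items()}
    return len({frozenset(v) for v in seen.values()}) == 1, seen


def hostname_matches(hostname, cert_names):
    """RFC 6125-style match: exact, or a '*' that is the whole left-most label and
    matches exactly one label (*.yottaa.net covers x.yottaa.net but not
    www.moosejaw.com, not a.b.yottaa.net; a bare *.com is never accepted)."""
    host = hostname.lower().rstrip(".")
    for pattern in cert_names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:]:
            suffix = pat[2:]
            if ("." in suffix and host.endswith("." + suffix)
                    and host.count(".") == suffix.count(".") + 1):
                return True
    return False


def triage(qname, outputs, cert_names):
    """Findings worth acting on: resolvers disagree, or the certificate is for another name."""
    findings = []
    agree, seen = compare_resolvers(qname, outputs)
    if not agree:
        detail = ", ".join(f"{r}={sorted(v) or 'no answer'}" for r, v in sorted(seen.items()))
        findings.append(f"resolvers disagree for {qname}: {detail}")
    if not hostname_matches(qname, cert_names):
        findings.append(f"certificate names {sorted(cert_names)} do not cover {qname}")
    return findings


# Answer as posted in the thread (8.8.8.8 -> Amazon address space).
DIG_GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64671

;; ANSWER SECTION:
moosejaw.com.\t\t299\tIN\tA\t52.10.51.5

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
# Constructed: what a stale local resolver (127.0.1.1 in the thread) might still hand out.
DIG_LOCAL = """\
;; ANSWER SECTION:
moosejaw.com.\t\t60\tIN\tA\t204.2.133.51

;; SERVER: 127.0.1.1#53(127.0.1.1)
"""
# Constructed: a CDN edge presenting its own certificate instead of the customer's.
CERT_NAMES = ["*.yottaa.net", "yottaa.net"]

if __name__ == "__main__":
    for finding in triage("moosejaw.com", {"127.0.1.1": DIG_LOCAL, "8.8.8.8": DIG_GOOGLE}, CERT_NAMES):
        print(finding)
```

Feed the same functions the real output of `dig @127.0.1.1 moosejaw.com` and `dig @8.8.8.8 moosejaw.com` to reproduce the comparison. If the resolvers disagree, the bad answer is local (a stale cache or a hijacked resolver) rather than a change at the site; if the host that answers presents a certificate whose names do not cover the name you asked for, that mismatch is precisely what the browser warning is reporting.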
On Mon, Dec 4, 2017 at 7:05 PM, Derek DeJonghe <mittendevelopment at gmail.com> wrote:
> For what it's worth I dug into this a bit. A dig to moosejaw.com gave me
> this response from google:
>
> dig -i @8.8.8.8 moosejaw.com
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -i @8.8.8.8 moosejaw.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64671
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;moosejaw.com. IN A
>
> ;; ANSWER SECTION:
> moosejaw.com. 299 IN A 52.10.51.5
>
> ;; Query time: 49 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Dec 04 18:56:32 EST 2017
> ;; MSG SIZE rcvd: 57
>
>
> I know from experience that 52's have been mostly bought up by amazon but
> a whois proved that:
>
>
> whois 52.10.51.5
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
> # If you see inaccuracies in the results, please report at
> # https://www.arin.net/public/whoisinaccuracy/index.xhtml
> #
>
>
> #
> # The following results may also be obtained via:
> # https://whois.arin.net/rest/nets;q=52.10.51.5?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
> #
>
> NetRange: 52.0.0.0 - 52.31.255.255
> CIDR: 52.0.0.0/11
> NetName: AT-88-Z
> NetHandle: NET-52-0-0-0-1
> Parent: NET52 (NET-52-0-0-0-0)
> NetType: Direct Allocation
> OriginAS:
> Organization: Amazon Technologies Inc. (AT-88-Z)
> RegDate: 1991-12-19
> Updated: 2015-03-20
> Ref: https://whois.arin.net/rest/net/NET-52-0-0-0-1
>
>
>
> OrgName: Amazon Technologies Inc.
> OrgId: AT-88-Z
> Address: 410 Terry Ave N.
> City: Seattle
> StateProv: WA
> PostalCode: 98109
> Country: US
> RegDate: 2011-12-08
> Updated: 2017-01-28
> Comment: All abuse reports MUST include:
> Comment: * src IP
> Comment: * dest IP (your IP)
> Comment: * dest port
> Comment: * Accurate date/timestamp and timezone of activity
> Comment: * Intensity/frequency (short log extracts)
> Comment: * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
> Ref: https://whois.arin.net/rest/org/AT-88-Z
>
>
> OrgAbuseHandle: AEA8-ARIN
> OrgAbuseName: Amazon EC2 Abuse
> OrgAbusePhone: +1-206-266-4064
> OrgAbuseEmail: abuse at amazonaws.com
> OrgAbuseRef: https://whois.arin.net/rest/poc/AEA8-ARIN
>
> OrgNOCHandle: AANO1-ARIN
> OrgNOCName: Amazon AWS Network Operations
> OrgNOCPhone: +1-206-266-4064
> OrgNOCEmail: amzn-noc-contact at amazon.com
> OrgNOCRef: https://whois.arin.net/rest/poc/AANO1-ARIN
>
> OrgTechHandle: ANO24-ARIN
> OrgTechName: Amazon EC2 Network Operations
> OrgTechPhone: +1-206-266-4064
> OrgTechEmail: amzn-noc-contact at amazon.com
> OrgTechRef: https://whois.arin.net/rest/poc/ANO24-ARIN
>
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
> # If you see inaccuracies in the results, please report at
> # https://www.arin.net/public/whoisinaccuracy/index.xhtml
> #
>
>
>
> Now that we know they're on amazon we can reasonably assume that they're
> using Route53 for DNS and as stated above a CDN ( CloudFront ). The IP and
> hostname exposed when you did the ping says there's something wrong going
> on:
>
> > ping www.moosejaw.com
> > PING b2b57520ef4f01311ce112313d08f98b.yottaa.net (204.2.133.51) 56(84)
> > bytes of data.
>
>
> Yottaa.net doesn't load itself but yottaa.com does, they probably use .com
> for marketing and .net for work. They're another CDN so it's possible that
> moosejaw moved from yottaa to cloudfront recently and there's dns caching
> going on somewhere, or something malicious....
>
>
> On Mon, Dec 4, 2017 at 6:55 PM, Derek DeJonghe <mittendevelopment at gmail.com> wrote:
>
>> Check /etc/resolv.conf to figure out who you're pointed at for DNS.
>>
>> After that do a dig @ the name server you are using in resolv.conf,
>> then try another reputable source like google 8.8.8.8, 8.8.4.4, verisign
>> 64.6.64.6. Others here: https://www.macecraft.com/best-dns-servers-free-public-tested/#1473500116491-fa205811-14f0
>>
>> If you get the same result from both, I would check your local cert/ca
>> store to make sure you don't have some conflict there.
>>
>>
>> On Mon, Dec 4, 2017 at 5:05 PM, Jim Irrer <irrer at umich.edu> wrote:
>>
>>> I've done the 'click through' when developing my own web site with
>>> self-signed certs, but with Moosejaw there is a real credit card involved.
>>>
>>> Could there be a DNS cache or certificate cache on my machine with bad
>>> data?
>>>
>>> Thanks,
>>>
>>> - Jim
>>>
>>> Jim Irrer irrer at umich.edu (734) 647-4409
>>> University of Michigan Hospital Radiation Oncology
>>> 519 W. William St. Ann Arbor, MI 48103-4943
>>>
>>> On Mon, Dec 4, 2017 at 4:00 PM, Edward Birdsall <birdsall_99 at comcast.net> wrote:
>>>
>>>> Hi,
>>>>
>>>> Firefox warns you, but then after a click or so lets you go to the
>>>> site. I use that if Chromium says "no way man".
>>>>
>>>> ed
>>>>
>>>> On Tue, 2017-12-05 at 02:44 +0800, Drew wrote:
>>>> > As I said, warnings are fine. But the ultimate decision of whether to
>>>> > pull in a web page should be mine.
>>>> > ______________________________________________________
>>>> > washlug mailing list washlug web site
>>>> > washlug at washlug.org www.washlug.org
>>>> > http://linux.marcdatabase.com/mailman/listinfo/washlug
>>>> --
>>>> ********************************************
>>>> * Edward Birdsall birdsall_99 at comcast.net
>>>> * ------------------------------------------
>>>> * Note: e-mail may not be checked daily
>>>> ********************************************