[WLUG] 'Forbidden' website

Jim Irrer irrer at umich.edu
Tue Dec 5 21:08:59 EST 2017


Thanks for the digging!


I looked at /etc/resolv.conf :

lrwxrwxrwx 1 root root   29 Jul 24  2016 resolv.conf -> ../run/resolvconf/resolv.conf

which is in a tmpfs file system, so it sounds like it will not survive a
reboot, or maybe even restarting the network.

It contains:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search gateway.pace.com

and gateway.pace.com == 192.168.1.254, which is my ATT Uverse modem.

One web site https://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten/163506#163506
suggested changing /etc/resolvconf/resolv.conf.d/base to:

nameserver 8.8.8.8
nameserver 8.8.4.4

which I tried but it did not help.

This feels like some sort of error as opposed to malicious action, but I
can't be certain without knowing the cause.

BTW - My OS version is stretch/sid


Thanks,

- Jim

Jim Irrer     irrer at umich.edu       (734) 647-4409
University of Michigan Hospital Radiation Oncology
519 W. William St.             Ann Arbor, MI 48103-4943
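A small script, added here as an example (it is not code from any poster in this thread), that does the comparison Derek suggests below: parse the ANSWER SECTION of two dig outputs, one from the local resolver and one from a public one, and report where they disagree. The 8.8.8.8 sample is the answer quoted in the thread; the local-resolver sample is constructed from the address the ping showed.

```python
import re

# One answer-section line: name TTL class type rdata (dig uses tabs, pasted
# output often has spaces; \s+ handles both)
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_dig_answers(text):
    """Return [(name, type, rdata)] from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line or line.startswith(";"):
                break  # blank line or next ";;" section ends the answers
            m = _RR.match(line)
            if m:
                records.append((m.group(1).rstrip("."), m.group(3),
                                m.group(4).rstrip(".")))
    return records


def compare_resolvers(local_out, public_out):
    """Report records one resolver returned that the other did not."""
    local = set(parse_dig_answers(local_out))
    public = set(parse_dig_answers(public_out))
    return {"agree": local == public,
            "only_local": sorted(local - public),
            "only_public": sorted(public - local)}


# Answer section as quoted in the thread from: dig @8.8.8.8 moosejaw.com
PUBLIC_8_8_8_8 = """\
;; ANSWER SECTION:
moosejaw.com.\t\t299\tIN\tA\t52.10.51.5
"""

# Constructed sample (assumption, not captured output): what a stale or
# tampered local resolver at 127.0.1.1 might hand back, using the address
# the ping in the thread showed for the yottaa.net hostname
LOCAL_127_0_1_1 = """\
;; ANSWER SECTION:
moosejaw.com.\t\t60\tIN\tA\t204.2.133.51
"""
```

Run `compare_resolvers(LOCAL_127_0_1_1, PUBLIC_8_8_8_8)` on the two pasted outputs; a non-empty `only_local` list is the signal that the local resolver is answering differently from the public one.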

On Mon, Dec 4, 2017 at 7:05 PM, Derek DeJonghe <mittendevelopment at gmail.com> wrote:

> For what it's worth I dug into this a bit. A dig to moosejaw.com gave me
> this response from google:
>
> dig -i @8.8.8.8 moosejaw.com
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -i @8.8.8.8 moosejaw.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64671
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;moosejaw.com. IN A
>
> ;; ANSWER SECTION:
> moosejaw.com. 299 IN A 52.10.51.5
>
> ;; Query time: 49 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Dec 04 18:56:32 EST 2017
> ;; MSG SIZE  rcvd: 57
>
>
> I know from experience that 52's have been mostly bought up by amazon but
> a whois proved that:
>
>
> whois 52.10.51.5
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
> # If you see inaccuracies in the results, please report at
> # https://www.arin.net/public/whoisinaccuracy/index.xhtml
> #
>
>
> #
> # The following results may also be obtained via:
> # https://whois.arin.net/rest/nets;q=52.10.51.5?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
> #
>
> NetRange:       52.0.0.0 - 52.31.255.255
> CIDR:           52.0.0.0/11
> NetName:        AT-88-Z
> NetHandle:      NET-52-0-0-0-1
> Parent:         NET52 (NET-52-0-0-0-0)
> NetType:        Direct Allocation
> OriginAS:
> Organization:   Amazon Technologies Inc. (AT-88-Z)
> RegDate:        1991-12-19
> Updated:        2015-03-20
> Ref:            https://whois.arin.net/rest/net/NET-52-0-0-0-1
>
>
>
> OrgName:        Amazon Technologies Inc.
> OrgId:          AT-88-Z
> Address:        410 Terry Ave N.
> City:           Seattle
> StateProv:      WA
> PostalCode:     98109
> Country:        US
> RegDate:        2011-12-08
> Updated:        2017-01-28
> Comment:        All abuse reports MUST include:
> Comment:        * src IP
> Comment:        * dest IP (your IP)
> Comment:        * dest port
> Comment:        * Accurate date/timestamp and timezone of activity
> Comment:        * Intensity/frequency (short log extracts)
> Comment:        * Your contact details (phone and email) Without these we
> will be unable to identify the correct owner of the IP address at that
> point in time.
> Ref:            https://whois.arin.net/rest/org/AT-88-Z
>
>
> OrgAbuseHandle: AEA8-ARIN
> OrgAbuseName:   Amazon EC2 Abuse
> OrgAbusePhone:  +1-206-266-4064
> OrgAbuseEmail:  abuse at amazonaws.com
> OrgAbuseRef:    https://whois.arin.net/rest/poc/AEA8-ARIN
>
> OrgNOCHandle: AANO1-ARIN
> OrgNOCName:   Amazon AWS Network Operations
> OrgNOCPhone:  +1-206-266-4064
> OrgNOCEmail:  amzn-noc-contact at amazon.com
> OrgNOCRef:    https://whois.arin.net/rest/poc/AANO1-ARIN
>
> OrgTechHandle: ANO24-ARIN
> OrgTechName:   Amazon EC2 Network Operations
> OrgTechPhone:  +1-206-266-4064
> OrgTechEmail:  amzn-noc-contact at amazon.com
> OrgTechRef:    https://whois.arin.net/rest/poc/ANO24-ARIN
>
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
> # If you see inaccuracies in the results, please report at
> # https://www.arin.net/public/whoisinaccuracy/index.xhtml
> #
>
>
>
> Now that we know they're on Amazon we can reasonably assume that they're
> using Route53 for DNS and, as stated above, a CDN (CloudFront). The IP and
> hostname exposed when you did the ping says there's something wrong going
> on:
>
> > ping www.moosejaw.com
> > PING b2b57520ef4f01311ce112313d08f98b.yottaa.net (204.2.133.51) 56(84)
> > bytes of data.
>
>
> Yottaa.net doesn't load itself but yottaa.com does; they probably use .com
> for marketing and .net for work. They're another CDN, so it's possible that
> Moosejaw moved from Yottaa to CloudFront recently and there's DNS caching
> going on somewhere, or something malicious....
>
>
> On Mon, Dec 4, 2017 at 6:55 PM, Derek DeJonghe <mittendevelopment at gmail.com> wrote:
>
>> Check /etc/resolv.conf to figure out who you're pointed at for DNS.
>>
>> After that, do a dig @ the name server you are using in resolv.conf,
>> then try another reputable source like Google 8.8.8.8, 8.8.4.4, or Verisign
>> 64.6.64.6. Others here: https://www.macecraft.com/best-dns-servers-free-public-tested/#1473500116491-fa205811-14f0
>>
>> If you get the same result from both, I would check your local cert/CA
>> store to make sure you don't have some conflict there.
>>
>>
>> On Mon, Dec 4, 2017 at 5:05 PM, Jim Irrer <irrer at umich.edu> wrote:
>>
>>> I've done the 'click through' when developing my own web site with
>>> self-signed certs, but with Moosejaw there is a real credit card involved.
>>>
>>> Could there be a DNScache or certificate cache on my machine with bad
>>> data?
>>>
>>> Thanks,
>>>
>>> - Jim
>>>
>>> Jim Irrer     irrer at umich.edu       (734) 647-4409
>>> University of Michigan Hospital Radiation Oncology
>>> 519 W. William St.             Ann Arbor, MI 48103-4943
>>>
>>> On Mon, Dec 4, 2017 at 4:00 PM, Edward Birdsall <birdsall_99 at comcast.net> wrote:
>>>
>>>> Hi,
>>>>
>>>> Firefox will warn you, but then after a click or so lets you go to the
>>>> site.  I use that if Chromium says "no way man".
>>>>
>>>> ed
>>>>
>>>> On Tue, 2017-12-05 at 02:44 +0800, Drew wrote:
>>>> > As I said, warnings are fine. But the ultimate decision of whether to
>>>> > pull in a web page should be mine.
>>>> > ______________________________________________________
>>>> > washlug mailing list    washlug web site
>>>> > washlug at washlug.org     www.washlug.org
>>>> > http://linux.marcdatabase.com/mailman/listinfo/washlug
>>>> --
>>>> ********************************************
>>>> * Edward Birdsall  birdsall_99 at comcast.net
>>>> * ------------------------------------------
>>>> * Note:  e-mail may not be checked daily
>>>> ********************************************
>>>>
>>>
>>>
>>>
>>>
>>
>