Cliff
Sun Jun 29 11:56:57 PDT 2008
A day late and a dollar short I guess. As of now, mail.attachmentsales.com
is responding exactly how one would expect an SBS box to.
You do, however, have other DNS problems that you *should* resolve.
1) Your mailserver appears to be at the IP address you gave and listening
properly. If it is compromised, somebody disabled whatever they were doing
within the last 12 hours.
2) Your registrar has your nameservers listed incorrectly. They have them
listed as ns.planetusofa.com and ns2.planetusofa.com. When queried, they
believe they are authoritative.
3) Your SOA reports two nameservers, ns.host4u.net and ns2.host4u.net.
These two *ALSO* claim to be authoritative. These are NOT the nameservers
listed in your registrars record (see point 2) and these should match.
--At first I thought maybe some of the companies. Tinkergraphics.com
resells planetusofa.com webhosting, so that explains why they are listed as
nameservers, but host4u.net is not affiliated with either of those, nor are
they affiliated with TC Deltacom.
4) With two distinct sets of nameservers both claiming to be authoritative,
and both have the same SOA/serial, that implies one is being allowed to
replicate from another. I don't have enough information to tell you which
is which, but based on your previous post, TC Deltacom *should* be the
authoritative nameservers, not EITHER of these (a fact I think is in error
actually, but we'll get to that.) Either way, without a clear authoritative
nameserver and given that apparently permissions are set on one of them to
allow complete replication, it is very possible that there was some DNS
hijacking happening.
5) TC Deltacom (nor roadrunner) appears to be responsible for hosting your
DNS, which is something you said they should be doing. I can find no
evidence of this. If they are then, again, there are more DNS issues to
resolve.
6) The two IPs you gave me as an answer for question 4 appear to be
recursive DNS servers for ISP customers, not authoritative DNS servers for
DNS hosts. Those are two very different roles, so the information provided
did not help narrow down the problem as much as I had hoped it would.
7) Also, as a point of skepticism....attachmentsales.com gets an entire
class B block from their ISP??? And they aren't hosting their OWN DNS, and
are using SBS???????? I don't believe your answer to question 1 was
accurate...and again, can impact the time it takes to troubleshoot the
problem.
--
Ultimately you need to straighten out your DNS issues. Had those been in
order, I perhaps could've told you more about the rogue site listening on
the presumptive mailserver, but since I couldn't...and now the proper IP
addresses are listing and listening, I cannot retroactively tell you what
the problem was.
I can 'suspect' that your machine was not compromised. I say this because
what I saw yesterday was not a normal IIS response. It is, of course,
possible that somebody took some time to code a PHP file that falsified
headers to appear as an apache server AND redirect, but I find this
unlikely.
Apache would not have been able to bind to port 80. IIS already has that
port as evidenced that it is actually responding today. This leads me to
believe that another machine was temporarily answering incoming calls...and
that would, again, indicate that perhaps a different IP was being given out.
The changing behavior would also indicate this. If somebody successfully
poisoned a DNS record and set up a phishing site then going to
mail.attachmentsales.com gives you the phishing site. As phishing sites
tend to be short-lived, when they shut it down, you get a blank page until
the TTL of the poisoned record expires. Once the poisoned record is no
longer existing in various caches, the 'real' site magically starts
reappearing.
In summary, you have other significant configuration issues to be addressed
and too much time has passed to accurately know what happened. It is all
speculation at this point so, although I initially didn't agree with her
assessment, I agree with Susan that it would be prudent to get the box
checked out. I still don't believe it was compromised, but better safe than
sorry...and again, too late to know for certain.
-Cliff
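Two of Cliff's points above lend themselves to a small worked illustration: the registrar/SOA nameserver mismatch with both sets claiming authority (points 2 through 4), and the "rogue site, then blank page, then the real site reappears" timeline that a poisoned record with a long TTL would produce. The Python below is an added example, not code from anyone in this thread. It works on a constructed snapshot of the situation (the nameserver names are the ones quoted in the thread; the serial, the TTL and the rogue address 203.0.113.7 are made up for the example, and no live DNS queries are made), so it can be run offline. A real check would feed `check_delegation` the output of queries to the parent zone and to each listed server.

```python
"""Delegation-consistency check and cache-TTL timeline for a DNS hijack
scenario.  All data below is a constructed snapshot, not live DNS output."""
from dataclasses import dataclass

# --- constructed snapshot: what the registrar (parent zone) delegates to ---
REGISTRAR_NS = {"ns.planetusofa.com", "ns2.planetusofa.com"}

# --- constructed snapshot: what each server answers when asked directly ---
# name -> (answers authoritatively?, SOA serial, NS set inside its copy of the zone)
SERVER_VIEWS = {
    "ns.planetusofa.com":  (True, 2008062901, {"ns.host4u.net", "ns2.host4u.net"}),
    "ns2.planetusofa.com": (True, 2008062901, {"ns.host4u.net", "ns2.host4u.net"}),
    "ns.host4u.net":       (True, 2008062901, {"ns.host4u.net", "ns2.host4u.net"}),
    "ns2.host4u.net":      (True, 2008062901, {"ns.host4u.net", "ns2.host4u.net"}),
}


def check_delegation(registrar_ns, server_views):
    """Compare the parent-side delegation with what the servers themselves say.

    Returns a list of (code, detail) findings.  An empty list means the
    delegation is consistent: the registrar's NS set equals the zone's NS
    set, every delegated server answers authoritatively, and no undelegated
    host is handing out authoritative answers for the zone."""
    findings = []
    zone_ns = set().union(*(view[2] for view in server_views.values()))
    if registrar_ns != zone_ns:
        findings.append(("NS_MISMATCH",
                         f"registrar lists {sorted(registrar_ns)} but the zone's "
                         f"own NS records say {sorted(zone_ns)}"))
    # Lame delegation: a delegated server that does not claim authority.
    lame = sorted(n for n in registrar_ns
                  if n in server_views and not server_views[n][0])
    if lame:
        findings.append(("LAME", f"delegated but not authoritative: {lame}"))
    # Servers answering authoritatively although nobody delegated to them.
    undelegated = sorted(n for n, view in server_views.items()
                         if view[0] and n not in registrar_ns)
    if undelegated:
        findings.append(("UNDELEGATED_AUTH",
                         f"authoritative but not delegated: {undelegated}"))
    serials = {view[1] for view in server_views.values() if view[0]}
    if len(serials) > 1:
        findings.append(("SERIAL_MISMATCH", f"differing SOA serials: {sorted(serials)}"))
    elif undelegated:
        # Two independent sets with one identical serial: one set is almost
        # certainly replicating (zone transfer) from the other.
        findings.append(("SHARED_SERIAL",
                         "both nameserver sets carry the same serial; one is "
                         "likely allowed to transfer the zone from the other"))
    return findings


@dataclass
class CacheEntry:
    address: str
    expires_at: int  # absolute time in seconds


class ResolverCache:
    """Minimal model of a recursive resolver's cache: an entry is served until
    its TTL runs out, then the authoritative answer is fetched again."""

    def __init__(self):
        self.entries = {}

    def put(self, name, address, ttl, now):
        self.entries[name] = CacheEntry(address, now + ttl)

    def resolve(self, name, now, authoritative):
        entry = self.entries.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.address
        fresh = authoritative[name]             # re-fetch from the real zone
        self.put(name, fresh, authoritative["_ttl"], now)
        return fresh


def poisoning_timeline(real_addr, rogue_addr, poisoned_ttl, sample_times):
    """Return [(t, address)] as seen by one resolver whose cache received a
    forged answer at t=0.  Until the forged TTL expires the resolver keeps
    pointing at the rogue host (a phishing page, then a blank page once that
    host is shut down); afterwards the real address reappears."""
    name = "mail.attachmentsales.com"
    authoritative = {name: real_addr, "_ttl": 3600}   # constructed real zone
    cache = ResolverCache()
    cache.put(name, rogue_addr, poisoned_ttl, now=0)   # forged record lands
    return [(t, cache.resolve(name, t, authoritative)) for t in sample_times]


if __name__ == "__main__":
    for code, detail in check_delegation(REGISTRAR_NS, SERVER_VIEWS):
        print(f"{code}: {detail}")
    for t, addr in poisoning_timeline("66.0.146.122", "203.0.113.7", 86400,
                                      [0, 3600, 86399, 86400]):
        print(f"t={t:>6}s  {addr}")
```

Run as-is, the delegation check reports the three problems Cliff lists (registrar and zone NS sets disagree, the host4u servers answer authoritatively without being delegated, and the shared serial points at one set replicating from the other), and the timeline shows the rogue address persisting for the full forged TTL before the real one comes back, which is why nothing can be confirmed once the caches have expired.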
"Frank" <ffarero@cfl.rr.com> wrote in message
news:48677318$0$5972$9a6e19ea@unlimited.newshosting.com...
> Hi Cliff,
>
> I called the Owner last night and he corrected the ISP name given to me by
> his Secretary/Tech. person. It is not Roadrunner as previously stated. It
> is ITC Deltacom. Here is the info you requested:
> 1) What IP addresses are assigned by your cable company.
>
> TC^Deltacom NETBLCK-ITCD-3 (NET-66-0-0-0-1)
>
> 66.0.0.0 - 66.0.255.255
>
> Attachment Sales ITCD-66-0-146-120 (NET-66-0-146-120-1)
>
> 66.0.146.120 - 66.0.146.127
>
> 2) What IP address do you believe should mail.attachmentsales.com have.
>
> 66.0.146.122
>
> 3) Who do you believe is the registrar for your domain?
>
> Domain Name: ATTACHMENTSALES.COM
>
> Registrar: DOMAINPEOPLE, INC.
>
> Whois Server: whois.domainpeople.com
>
> Referral URL: http://www.domainpeople.com
>
> Name Server: NS.PLANETUSOFA.COM
>
> Name Server: NS2.PLANETUSOFA.COM
>
> Status: ok
>
> Updated Date: 06-mar-2008
>
> Creation Date: 12-mar-1998
>
> Expiration Date: 11-mar-2009
>
> 4) What DNS servers RoadRunner tells you that you should be using for your
> attachmentsales.com DNS management.
>
> 66.0.214.14 /207.230.75.50
>
>
> "Cliff Galiher" <cgaliher@gmail.com> wrote in message
> news:664F5E4E-F91F-4675-9C30-86A5EF15818B@microsoft.com...
>> It is tough to be certain, but I don't believe the box is compromised.
>> There are enough other discrepancies (particularly with the revelation
>> that his DNS is supposed to be managed by RoadRunner) to point to DNS
>> issues. Serious ones. The glue records don't match the nameservers
>> listed by the SOA. The mailserver appears to be running a webserver
>> besides IIS, which SBS would complain about for other features like
>> companyweb, etc.
>>
>> So, Frank, what *I'd* like to see to troubleshoot this problem is:
>>
>> 1) What IP addresses are assigned by your cable company.
>> 2) What IP address do you believe should mail.attachmentsales.com have.
>> 3) Who do you believe is the registrar for your domain?
>> 4) What DNS servers RoadRunner tells you that you should be using for
>> your attachmentsales.com DNS management.
>>
>> From there we can at least begin to see what 'appears' legitimate and
>> what doesn't.
>>
>> -Cliff
>>
>> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
>> wrote in message news:OEEVCaX2IHA.4164@TK2MSFTNGP03.phx.gbl...
>>> Chances are there is a phishing site on the server. Calling support on
>>> Monday morning is a free call and they have forensic investigation tools
>>> to let you know what (if anything else) is on that box.
>>>
>>> If someone has rights to install stuff on a system from inside the lan
>>> (say from a phishing email they got) no amount of a firewall will help
>>> unless you have rules monitoring what's going on.
>>>
>>> If there is stupid user interaction behind this, firewalls won't help
>>> gang.
>>>
>>> Frank wrote:
>>>> Hi Leythos,SuperGumby
>>>>
>>>> Unfortunately for me I have installed 10 SBS 2003 systems and always
>>>> insisted that a WatchGuard or equivalent security appliance be
>>>> purchased so I have never run across a situation like this before. The
>>>> FQDN is ASI01.ASI.local The domain name is www.attachmentsales.com.
>>>> Please let me know what other info you need.
>>>> Thanks for the kick in my behind I needed a wakeup call!
>>>>
>>>> "Leythos" <void@nowhere.lan> wrote in message
>>>> news:1214689991_158065@news.usenet.com...
>>>>> In article <eXTwe2S2IHA.4912@TK2MSFTNGP03.phx.gbl>, not@your.nellie
>>>>> says...
>>>>>> I am neither the 'alarmist' which Susan is nor the 'routers are evil'
>>>>>> that you will get from Leythos.
>>>>>>
>>>>> In most cases, a SBS setup is installed and not-maintained by anyone
>>>>> technical, it's sold as a simple solution and installed by noobs in
>>>>> almost every case I've come across.
>>>>>
>>>>> The same is true for network security, it's an afterthought or a cheap
>>>>> device that claims to be a firewall on the packaging is used because
>>>>> they wanted to save money...
>>>>>
>>>>> Routers are simple devices, they can not be evil.
>>>>>
>>>>> NAT Routers used to be called ROUTER in the days of honesty, then
>>>>> marketing types got the idea that NAT was a firewall method, except NAT
>>>>> could pass everything inbound without blocking anything if it was 1:1
>>>>> NAT, or if the unknowing person put the server in the DMZ IP address
>>>>> since those devices don't really have a DMZ network.
>>>>>
>>>>> So, it comes down to badly installed SBS installations protected by
>>>>> Routers that are not even in the firewall class, managed by people that
>>>>> don't have much of a clue, and then they wonder when something
>>>>> happens....
>>>>>
>>>>> Yes, it's a soapbox but if you've got any real experience around the
>>>>> country you will see exactly what I'm saying in just about any
>>>>> location.
>>>>>
>>>>> The information we're provided in this problem is very