Hacked/Redirected/WTF?????


JSngry

Just got in from work after 15-20 minutes of trying and failing b/c my bookmark kept taking me to "goodmayor.com" as the landing site for the link and then the url read something like "id=www.organissimo.org". My work security blocker stopped that dead in its tracks, and looking up goodmayor.com, it does not seem to be a good place to be.

So...what happened?

I saw nothing. Given the somewhat inconsistent reports above, I'd bet it's a DNS issue. Jim, I'd start with whomever you registered the domain name through (Google, GoDaddy, ...). (The problem disappearing when you switch browsers or reboot a device suggests flushing your local DNS cache fixes things, which in turn suggests there was a bad entry in the DNS server it grabbed the data from the first time around.)

If none of that meant anything to you: don't worry.

If anyone still has a computer with the bad redirect (obviously not the one you're reading this from...), you can test my theory by following these steps to flush your DNS cache:

https://documentation.cpanel.net/display/CKB/How+To+Clear+Your+DNS+Cache

If after that song and dance you get the organissimo site, you indeed had a bad DNS entry. If you still get the bad redirect, then it was something else and my deduction was incorrect.

This all sounds similar to something I encounter every so often when I visit a website (usually on Real Clear Politics).  A couple of times a week, I'm on Real Clear and all of a sudden a message appears over the screen: "You've won an iPhone 8" etc etc, with a strange URL at the top of the screen.  I think it's actually a form of advertising pop-up box (similar to what's becoming more common on a lot of news web sites, where you want to read an article but an ad appears over the article and you must X to get out).

I've found the solution in those cases to be simple: go to the URL box at the top of the screen, and enter a different web site.  The problem message disappears.  And if I then go back to Real Clear, I don't encounter the problem again (at least for that day).

Reaching the site just fine from work now, after getting the re-direct all morning. Have not changed bookmark link.

Also got it from home last night and very early this AM. Same thing on my phone (android) & Brenda's tablet (I-Pad).

The board link is the only one that gets redirected, on all machines, all other links function normally.

Gotta wonder about the choices of redirection - at work, it gets blocked at goodmayor.com. That's the business's security blocking it. On all other devices, it goes through goodmayor.com and lands at various sketchy looking app/utility download sites. If you don't click on anything, I don't see where you get anything harmful.

My question is simple - what is triggering the redirect to goodmayor.com? When it blocks at work, the link is something like goodmayor.com/site ID = www.organissimo.org. That's not exact, but close.

This is the reply I got from Liquid Web, my server company.

I see that after requesting organissimo.org/forum the request is redirected to www.organissimo.org which according to DNS records points to a different server:

;; ANSWER SECTION:
www.organissimo.org.    671    IN    A    190.2.131.62

;; AUTHORITY SECTION:
organissimo.org.    532    IN    NS    ns2.organissimo2.com.
organissimo.org.    532    IN    NS    ns1.organissimo2.com.

;; ADDITIONAL SECTION:
ns2.organissimo2.com.    671    IN    A    190.2.131.63
ns1.organissimo2.com.    671    IN    A    190.2.131.62

The IP address 190.2.131.62 shows the following ownership:

owner:       WorldStream B.V.
ownerid:     NL-WOBV-LACNIC
responsible: Dirk Vromans

After hitting this server then a second redirect is sent to send the user to goodmayor.com @

;; ANSWER SECTION:
goodmayor.com.        290    IN    A    34.196.13.28

Before getting then redirected several more times to the eventual ad. I would recommend looking at godaddy and seeing what is set there and if any changes have been made. As well I would recommend looking into this doppelgänger domain as it appears to be the first step in the redirects:

;; ANSWER SECTION:
organissimo2.com.    900    IN    A    190.2.131.62

;; AUTHORITY SECTION:
organissimo2.com.    900    IN    NS    ns1.xzydns.com.
organissimo2.com.    900    IN    NS    ns2.xzydns.com.

   Domain Name: ORGANISSIMO2.COM
   Registry Domain ID: 2223693508_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.antagus.de
   Registrar URL: http://www.vautron.de
   Updated Date: 2018-02-06T16:19:25Z
   Creation Date: 2018-02-06T16:19:25Z
   Registry Expiry Date: 2019-02-06T16:19:25Z
   Registrar: Vautron Rechenzentrum AG
   Registrar IANA ID: 1443
   Registrar Abuse Contact Email:
   Registrar Abuse Contact Phone:
   Domain Status: ok https://icann.org/epp#ok
   Name Server: NS1.XZYDNS.COM
   Name Server: NS2.XZYDNS.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
The new server is called host.organissimo2.com. The old server, which is now turned off and gone, was called host.organissimo.org. I accidentally put .com in the new one and supposedly there is an actual site called www.organissimo2.com that is the source of all this. So for some reason we're getting our wires crossed, so to speak.

The DNS configuration at GoDaddy, which is my site registrar, is set correctly as far as I can tell. I'm wondering if the problem is the name of my server. Now that the old server is gone, I've asked if they can change the name of the new one to host.organissimo.org.

Glad to see that there's documentation supporting the logic behind this.

Back on now, but in the interim, I had the redirect thing. It seems to be an interim occurrence, although for me it's been mostly miss rather than hit.

Also, can I use "Dirk Vromans" as my secret spy name? Please?

fwiw - closed the window after the post above, tried getting back in a few minutes later, got the goodmayor.com block. Closed the window, tried again a few minutes later, and voila, aqui estoy.

They just changed the name of the server. It might take a while to propagate through the system, but it should fix the problem.

From LiquidWeb:

At this time it looks like you do not have ownership of the domain: organissimo2.com

This has allowed a 3rd party to register the domain and setup a malicious nameserver allowing the redirects to take place.

In a situation of changing servers we would normally recommend domain names like the following:

host.organissimo.org

to new server:

host2.organissimo.org

This would allow for the new server creation with domain names under your ownership.

I would recommend that we update the server hostname to host2.organissimo.org as well as set the nameserver glue records to the following after we change the server hostname:

ns1.organissimo.org  67.225.241.38
ns2.organissimo.org  67.225.241.38

Please confirm and I will proceed.

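The two Liquid Web replies above boil down to one check a server operator can run before anything else: do the zone's NS records (and their glue) point at hostnames under a domain you actually own, and at IP addresses that are actually your servers? The script below is an added example, not code from the thread or from Liquid Web. It parses dig-style output, and the two embedded inputs are constructed: the first is reassembled from the dig output quoted in the thread (nameservers under organissimo2.com, glue at 190.2.131.62/.63), the second is what the delegation would look like after Liquid Web's recommended fix (ns1/ns2.organissimo.org with glue at 67.225.241.38). The function names and the `expected_ips` set are assumptions for the example.

```python
"""Audit a zone's delegation for nameservers living outside domains you own.

Added example for the organissimo thread; parses dig-style output offline.
"""
import re
from typing import Dict, List, NamedTuple, Set


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    data: str


# One dig-style resource record line: "name  ttl  IN  type  data"
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")

# Constructed input: reassembled from the dig output quoted in the thread.
BAD_DIG = """
;; ANSWER SECTION:
www.organissimo.org.    671    IN    A    190.2.131.62

;; AUTHORITY SECTION:
organissimo.org.    532    IN    NS    ns2.organissimo2.com.
organissimo.org.    532    IN    NS    ns1.organissimo2.com.

;; ADDITIONAL SECTION:
ns2.organissimo2.com.    671    IN    A    190.2.131.63
ns1.organissimo2.com.    671    IN    A    190.2.131.62
"""

# Constructed input: the delegation Liquid Web recommended (in-zone nameservers,
# glue pointing at the operator's own server).
FIXED_DIG = """
;; ANSWER SECTION:
www.organissimo.org.    300    IN    A    67.225.241.38

;; AUTHORITY SECTION:
organissimo.org.    300    IN    NS    ns1.organissimo.org.
organissimo.org.    300    IN    NS    ns2.organissimo.org.

;; ADDITIONAL SECTION:
ns1.organissimo.org.    300    IN    A    67.225.241.38
ns2.organissimo.org.    300    IN    A    67.225.241.38
"""


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare cleanly."""
    return name.lower().rstrip(".")


def parse_dig(text: str) -> List[Record]:
    """Extract RR lines from dig output; ';;' section headers and blanks are skipped."""
    out = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            name, ttl, rtype, data = m.groups()
            out.append(Record(_norm(name), int(ttl), rtype, _norm(data)))
    return out


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_delegation(records: List[Record], zone: str,
                     owned_domains: List[str], expected_ips: Set[str]) -> List[str]:
    """Return human-readable findings for a zone's NS records, their glue, and
    any A record under the zone that points away from the expected servers.

    An NS hostname outside every owned domain is the case from the thread: anyone
    can register that domain, stand up a nameserver, and answer for the zone.
    """
    zone = _norm(zone)
    owned = {_norm(d) for d in owned_domains}
    findings = []
    ns_hosts = [r.data for r in records if r.rtype == "NS" and r.name == zone]
    for host in ns_hosts:
        if not any(is_under(host, d) for d in owned):
            findings.append(f"NS {host}: hostname is outside every domain you own")
    glue: Dict[str, str] = {r.name: r.data for r in records
                            if r.rtype == "A" and r.name in ns_hosts}
    for host in ns_hosts:
        ip = glue.get(host)
        if ip is None:
            findings.append(f"NS {host}: no glue/A record seen")
        elif ip not in expected_ips:
            findings.append(f"NS {host}: glue {ip} is not one of your servers")
    for r in records:
        if r.rtype == "A" and is_under(r.name, zone) and r.data not in expected_ips:
            findings.append(f"A {r.name} -> {r.data}: not one of your servers")
    return findings


def bad_findings() -> List[str]:
    return audit_delegation(parse_dig(BAD_DIG), "organissimo.org",
                            ["organissimo.org"], {"67.225.241.38"})


def fixed_findings() -> List[str]:
    return audit_delegation(parse_dig(FIXED_DIG), "organissimo.org",
                            ["organissimo.org"], {"67.225.241.38"})


if __name__ == "__main__":
    for label, findings in (("before fix", bad_findings()), ("after fix", fixed_findings())):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against live data by piping `dig +noall +answer +authority +additional NS organissimo.org` into `parse_dig`; the ownership check is the one that matters most, because a glue IP can be legitimately changed by a hosting move, but an NS hostname under a domain you never registered is a takeover waiting to happen regardless of what its glue says today.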
I was telling Jim on Facebook that I had to laugh at one of the redirect websites I got today. It was an official-looking "Microsoft Support" website with a serious voiceover telling me that my Windows computer has been compromised and I must immediately call their tech support number shown on the screen or I would be disconnected from the network.

I was seeing this while using my Linux/Ubuntu laptop. :)
