Some more on this:
http://www.slashdot.org and
http://www.hackerthreads.org were returning an "Invalid URL. The requested URL "/", is invalid." error. Again, this is odd behaviour: two separate websites giving the same bullshit error?
So I closed all running network apps and opened Wireshark. I then refreshed
http://www.hackerthreads.org to capture the traffic in Wireshark, and this is what I got:
91 121.310596 192.168.3.84 144.135.8.169 TCP 57166 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=25571630 TSER=0 WS=6
92 121.327908 144.135.8.169 192.168.3.84 TCP http > 57166 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1360 TSV=2164566342 TSER=25571630 WS=1
93 121.327949 192.168.3.84 144.135.8.169 TCP 57166 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=25571634 TSER=2164566342
94 121.390786 192.168.3.84 144.135.8.169 HTTP GET / HTTP/1.1
95 121.429168 144.135.8.169 192.168.3.84 TCP http > 57166 [ACK] Seq=1 Ack=647 Win=6460 Len=0 TSV=2164566443 TSER=25571650
96 121.432114 144.135.8.169 192.168.3.84 HTTP HTTP/1.0 400 Bad Request (text/html)
97 121.432129 192.168.3.84 144.135.8.169 TCP 57166 > http [ACK] Seq=647 Ack=405 Win=6912 Len=0 TSV=25571660 TSER=2164566443
After a few minutes and a couple of refreshes in Firefox,
http://www.hackerthreads.org loaded properly. I pinged
http://www.hackerthreads.org and verified that the IP address doesn't match what's been captured in Wireshark. So, who the F*** is 144.135.8.169? Wireshark says "Server: AkamaiGhost", but I wanted more info.
I did a traceroute of 144.135.8.169:
v0ide@hackedpackard:~$ traceroute 144.135.8.169
traceroute to 144.135.8.169 (144.135.8.169), 30 hops max, 60 byte packets
1 mygateway1.ar7
2 * * *
3 10.0.1.33 (10.0.1.33)
4 46.2.233.220.static.exetel.com.au (220.233.2.46)
5 37.2.233.220.static.exetel.com.au (220.233.2.37)
6 119.225.5.245 (119.225.5.245)
7 10.251.24.2 (10.251.24.2)
8 GigabitEthernet1-4.ken12.Sydney.telstra.net (139.130.65.145)
9 TenGigE0-1-0-2.chw-core2.Sydney.telstra.net (203.50.19.129)
10 TenGigabitEthernet8-1.pic2.Sydney.telstra.net (203.50.20.185)
11 akamai1.lnk.telstra.net (203.45.29.78)
12 144.135.8.169 (144.135.8.169)
Is it coincidence that this "akamai" pops up again?
Just for the sake of it, I port scanned 144.135.8.169:
Host 144.135.8.169 is up (0.016s latency).
Interesting ports on 144.135.8.169:
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
500/tcp open isakmp
1720/tcp filtered H.323/Q.931
9000/tcp open cslistener
9001/tcp open tor-orport
9050/tcp open tor-socks
And for the sake of it, I SSH'd to it:
v0ide@hackedpackard:~$ ssh 144.135.8.169
Permission denied (publickey).
And just because I wanted to try it, I installed Nessus 4 and ran a scan on 144.135.8.169. The only interesting info was about the https certificate:
Country: US
Organization: Akamai Technologies, Inc.
Common Name: a248.e.akamai.net
Issuer Name:
Country: US
Organization: GTE Corporation
Organization Unit: GTE CyberTrust Solutions, Inc.
Common Name: GTE CyberTrust Global Root
Notice the Common Name is one I mentioned in a previous post when trying to connect to a completely separate website from HTd0rg or /.
So back to my main problem: why was
http://www.hackerthreads.org redirected to 144.135.8.169? Is this a DNS attack? If so, why is it apparently random which sites are affected, when they're affected, and for how long they're affected? If it's not DNS, then what is it?
I'm happy to hand over the saved Wireshark capture if anyone wants to look at it.
My effort to help you will never exceed your effort to explain the problem.
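The check the poster is doing by hand (compare where the browser actually connected against what DNS says the site should resolve to) can be automated over a Wireshark summary export. The script below is an added example written for this thread; it is not the poster's code and it does not use the real capture. The capture lines, the client address 192.168.3.84 and the "expected" address 203.0.113.10 are constructed sample values (the latter is a documentation-range address standing in for whatever an independent resolver returns), and the hostname handling is an assumption about how a reader would feed it real data.

```python
import re
import socket
from dataclasses import dataclass

# Constructed sample in the shape of Wireshark's summary columns
# (No. Time Source Destination Protocol Info). The first three lines mirror
# the kind of exchange described in the post; the last two are a made-up
# healthy exchange with the address DNS is assumed to have returned.
CAPTURE = """\
91 121.310596 192.168.3.84 144.135.8.169 TCP 57166 > http [SYN] Seq=0 Win=5840 Len=0
94 121.390786 192.168.3.84 144.135.8.169 HTTP GET / HTTP/1.1
96 121.432114 144.135.8.169 192.168.3.84 HTTP HTTP/1.0 400 Bad Request (text/html)
101 130.001000 192.168.3.84 203.0.113.10 HTTP GET / HTTP/1.1
103 130.050000 203.0.113.10 192.168.3.84 HTTP HTTP/1.1 200 OK (text/html)
"""

# One summary line: frame number, timestamp, src, dst, protocol, free-form info
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


@dataclass
class Finding:
    frame: int
    peer: str
    reason: str


def parse_summary(text):
    """Yield (frame, src, dst, proto, info) for every well-formed summary line.

    Lines that do not match the column layout (duplicated or fused paste
    artifacts, headers) are skipped rather than raising.
    """
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield int(m.group(1)), m.group(3), m.group(4), m.group(5), m.group(6)


def audit_capture(text, client_ip, expected_ips):
    """Flag HTTP traffic between client_ip and any address not in expected_ips.

    expected_ips is the set of addresses an independent lookup returned for
    the site being tested. A request to, or an error reply from, some other
    address is exactly the DNS-vs-wire mismatch the post is asking about.
    """
    findings = []
    for frame, src, dst, proto, info in parse_summary(text):
        if proto != "HTTP":
            continue
        if src == client_ip and dst not in expected_ips:
            findings.append(Finding(frame, dst, "HTTP request sent to an address DNS did not return"))
        elif dst == client_ip and src not in expected_ips and re.match(r"HTTP/\d\.\d 4\d\d", info):
            findings.append(Finding(frame, src, f"4xx reply from unexpected address: {info}"))
    return findings


def resolve_all(host):
    """Live helper for real use (not exercised by the offline sample):
    every IPv4 address the system resolver currently returns for host."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)}


if __name__ == "__main__":
    # Offline run against the constructed sample; for a real capture you would
    # export File > Export Packet Dissections > As Plain Text from Wireshark
    # and pass resolve_all("www.example.org") (hypothetical host) as expected_ips.
    for f in audit_capture(CAPTURE, "192.168.3.84", {"203.0.113.10"}):
        print(f"frame {f.frame}: {f.peer}: {f.reason}")
```

Because the script only trusts the resolver you hand it, run `resolve_all` against a resolver you control or a known-good public one, not the one whose answers you suspect; if the set it returns differs from what `dig` gives through the ISP's resolver, that difference is itself the first thing to post.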