sort of OT: Linksys router blocking certain sites

Bryan O'Neal boneal at cornerstonehome.com
Sat Aug 1 23:27:55 MST 2009


I am sure this is a stupid question, but have you flashed your router? Or
tried accessing on a different port? You may have a NAT lock; though I have
never heard of one lasting through a power cycle on a Linksys, I would not
put it past it. Flashing (or even doing a full factory reset) should clear
that.

On Sat, Aug 1, 2009 at 8:39 PM, Jason Hayes <jason at jasonhayes.org> wrote:

> On Saturday 01 August 2009 04:45:02 pm Lisa Kachold wrote:
> > On 8/1/09, Jason Hayes <jason at jasonhayes.org> wrote:
> > > Not sure why this is happening.
> > >
> > > My Linksys WRT54GS router just suddenly (yesterday a.m.) started blocking
> > > a group of sites that I administer. I was working on one of the sites and
> > > it started getting slower and slower, then finally cut out.
> >
> > Are you possibly locked out at that hosting provider?  Ask that they
> > "escalate your ticket" to the highest level you can to rule out system
> > firewall lockouts?
>
> Can't be that because if I bypass the router and plug my main computer
> directly into the Cox modem, I can access the sites without any problems. When
> I do that I can view the site and sign in as admin, add content, etc.
>
> > How are you accessing these sites?  Port 22?  VNC?  http/https through
> > auth processes?
>
> Nothing terribly complex -- Just http. These are simple drupal websites that I
> have set up for clients. I was working on a new theme for one of the websites
> (www.bonnydann.com), when the router started acting up.
>
> Also noticed that when I'm running through the Linksys router, I can log in to
> the ftp portion of the site for file uploads, etc. without any problems. I'm
> also getting email from the accounts on that hosting package. So I know it is
> just the web portion (http) that is acting up.
>
> > > I know the sites are working because if I plug straight into the modem, I
> > > can access them. (Also family in Canada can access them without any issues.)
> > > Also, the rest of the Internet is still out there - I can access pretty much
> > > any other site.
> >
> > So, you possibly can't get a new cox IP address but you can request
> > they verify you did not get into one of their traps?
> >
> > Let's look further:
> >
> > 1) Can you traceroute from the command line to the server?  If not
> > where does it fail?
>
> From the router Administration --> Diagnostics page on the WRT54GS, I can ping
> to the site, no packets lost
>
> PING bonnydann.com ( 66.116.193.208 ) : 56 data bytes
> 64 bytes from 66.116.193.208: icmp_seq=0, ttl=52 times=70. ms
> 64 bytes from 66.116.193.208: icmp_seq=1, ttl=52 times=70. ms
> 64 bytes from 66.116.193.208: icmp_seq=2, ttl=52 times=70. ms
> 64 bytes from 66.116.193.208: icmp_seq=3, ttl=52 times=70. ms
> 64 bytes from 66.116.193.208: icmp_seq=4, ttl=52 times=80. ms
> --- bonnydann.com ping statistics ---
> packets transmitted = 5 , packets received = 5 packet loss = 0%
> round-trip min/avg/max = 70/72/80
>
> Can also traceroute to the site
>
> traceroute to bonnydann.com (66.116.193.208) ,30 hops max,40 byte packet
> 1 10.35.128.1 (10.35.128.1) 10. 0 ms <10.0 ms <10.0 ms
> 2 68.2.1.253 (68.2.1.253) <10.0 ms <10.0 ms <10.0 ms
> 3 70.169.73.45 (70.169.73.45) 10. 0 ms 10. 0 ms <10.0 ms
> 4 68.1.0.165 (68.1.0.165) 10. 0 ms 10. 0 ms 10. 0 ms
> 5 4.69.133.34 (4.69.133.34) 10. 0 ms 10. 0 ms 10. 0 ms
> 6 4.69.133.38 (4.69.133.38) 20. 0 ms 30. 0 ms 20. 0 ms
> 7 4.69.144.138 (4.69.144.138) 20. 0 ms * 20. 0 ms
> 8 63.146.27.33 (63.146.27.33) 20. 0 ms 20. 0 ms 30. 0 ms
> 9 * * * Request timed out.
> 10 63.144.63.214 (63.144.63.214) 70. 0 ms 80. 0 ms 70. 0 ms
> 11 * * * Request timed out.
> 12 66.116.193.208 (66.116.193.208) 70. 0 ms 80. 0 ms 70. 0 ms
> Traceroute Complete.
>
> > 2) If you limit icmp, can you netcat trace to that port?
> > http://www.jfranken.de/homepages/johannes/vortraege/netcat.en.html
>
> Looking at his "querying webservers" section and using
>
> printf 'GET / HTTP/1.0\n\n'  | nc -w 10 www.bonnydann.com 80
>
> I get
>
> www.bonnydann.com [66.116.193.208] 80 (www) : Connection timed out
>
> When I unplug the WRT54GS and plug straight into the modem, I get
>
> HTTP/1.1 503
> Date: Sun, 02 Aug 2009 03:15:40 GMT
> Server: Apache
> Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
> Expires: Sun, 19 Nov 1978 05:00:00 GMT
> X-Powered-By: PHP/4.4.9
> Set-Cookie:
> SESSd41d8cd98f00b204e9800998ecf8427e=bfe600d5c18c137cd565b33c1be80cd0;
> expires=Tuesday, 25-Aug-09 06:49:00 GMT; path=/
> Cache-Control: max-age=1209600
> Expires: Sun, 16 Aug 2009 03:15:40 GMT
> Last-Modified: Sun, 02 Aug 2009 03:15:40 GMT
> Connection: close
> Content-Type: text/html; charset=utf-8
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
>  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
> dir="ltr">
>  <head>
>
> and the rest of the main page, down to ...
>
>    </div> <!-- /container -->
>  </div>
> <!-- /layout -->
>
>  </body>
> </html>
>
> > http://www.textfiles.com/hacking/INTERNET/netcat.txt
> >
> > 3) Or nmap the server?
> >
> > # nmap -P0 servername
>
> Through the WRT54GS
>
> Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 19:09 MST
> Interesting ports on 66.116.193.208:
> Not shown: 999 closed ports
> PORT   STATE SERVICE
> 21/tcp open  ftp
>
> Nmap done: 1 IP address (1 host up) scanned in 41.80 seconds
>
> Pulling the WRT54GS out of the loop,
>
> Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 20:17 MST
> Interesting ports on 66.116.193.208:
> Not shown: 995 filtered ports
> PORT    STATE  SERVICE
> 20/tcp  closed ftp-data
> 21/tcp  open   ftp
> 80/tcp  open   http
> 443/tcp open   https
> 873/tcp closed rsync
>
> Nmap done: 1 IP address (1 host up) scanned in 22.29 seconds
>
> >
> > > I've talked with my hosting company and they swear up and down that
> > > nothing has changed and the sites are working as normal.
> >
> > Do you have cookies in place - clear your browser cookies?  Try another
> > browser?
> >
> > Netcat, traceroute and nmap will bypass the browser, but just in case...
>
> Have tried clearing the browser cache several times and have tried Kubuntu,
> Windows XP, and Windows Vista. For browsers, I've tried Firefox, IE 7 and 8,
> Konqueror, and Google Chrome.
>
> > Also did you change your dns server settings in your /etc/resolv.conf?
> > Check to make sure your nslookup is the same.
> >
> > Did you possibly setup a hosts file hack to work on a mock up of the
> > website and forget it on your own box?  Verify /etc/hosts file...
>
> Have not touched either the /etc/resolv.conf.
>
> No special hosts files, or anything like that.
>
> So I'm completely at a loss to explain why only a certain group of websites
> would be shut down by this router (that has been reset to factory defaults and
> has just had the latest firmware installed).
>
> Jason Hayes
>
>
>
> >
> > > While fighting with this, I've updated the firmware (to the latest
> > > version - V 7.2.06), reset all the settings to factory default, and re-set up
> > > my home network.
> >
> > Are other machines on your network doing the same thing?
> > Have someone come over and fire up their laptop to rule out XSS
> > plugins and other hacks?
> >
> > > Everything is fine except for those few websites. Anyone ever seen
> > > anything like this?
> > > --
> > > Jason Hayes
>
>