sort of OT: Linksys router blocking certain sites

Lisa Kachold lisakachold at obnosis.com
Sun Aug 2 14:43:28 MST 2009


Wait!

You rebuilt that Linksys firmware?

Did you reset it completely first?

I suggest you were pwnd.  (Like a great many of us are!)

I have the pond scum get into my stuff regularly and endure them until
I get around to flushing them and rebuilding.

One or two I cooperate to trap, track, report, and jail (with NSA and
local authorities, via coordination with telecom/cable; companies that
investigate like google, godaddy, and banks).

Other sick stalker types, I endure (because they are really young) [for awhile].

I suggest you get that image and use a binary hex editor to determine
where it's going and what is on it?

Call me I will help!


On 8/2/09, Jason Hayes <jason at jasonhayes.org> wrote:
>
> I guess that this must be a Linksys thing then. Everything works fine for a
> few years and then it digs in its heels and refuses to load the site(s)
> that you have to be able to access.
>
> No solutions for the Linksys router, but I had a D-Link WBR-1310 sitting in
> a box new and unused here at home. I fired it up and, at least at first
> blush, everything seems to be back to normal. The sites are loading (a
> little slow, but they're loading.)
>
> No idea what caused that problem.
>
> Thanks to everyone who commented!
>
> Jason
>
>
> On Sunday 02 August 2009 09:58:11 am Steve Phariss wrote:
>> I had an old Linksys wired router that was acting the same way.  I was
>> able to access all sites I tried, but one (the web site I was actively
>> working on) I could access from a direct connect to the modem, but not
>> from the router.  I had Cox reset my modem, I even had them reprovision
>> me and assign a new IP but nothing worked (hmmm now that I think about
>> it, the reprovision MAY have worked for a couple times, don't remember).
>> On the router side I reflashed the firmware, and moved the ports I was
>> using.  I even reloaded my network drivers on the PC.  I eventually got
>> a new router and all was well again.  The funny thing was I could access
>> the other domain on the same host (used bluehost.com with several
>> domains attached)
>>
>>
>> I do not remember if I could connect using the IP, may not have even
>> tried.
>>
>> On Sat, Aug 1, 2009 at 11:27 PM, Bryan O'Neal
> <boneal at cornerstonehome.com>wrote:
>> > I am sure this is a stupid question, but have you flashed your router?
>> > Or tried accessing on a different port? You may have a NAT lock, though
>> > I have never heard of one lasting through a power cycle on a Linksys, I
>> > would not put it past it. Flashing (or even doing a full factory reset)
>> > should clear that.
>> >
>> > On Sat, Aug 1, 2009 at 8:39 PM, Jason Hayes <jason at jasonhayes.org>
>> > wrote:
>> >> On Saturday 01 August 2009 04:45:02 pm Lisa Kachold wrote:
>> >> > On 8/1/09, Jason Hayes <jason at jasonhayes.org> wrote:
>> >> > > Not sure why this is happening.
>> >> > >
>> >> > > My Linksys WRT54GS router just suddenly (yesterday a.m.) started
>> >> > > blocking a group of sites that I administer. I was working on one
>> >> > > of the sites and it started getting slower and slower, then finally
>> >> > > cut out.
>> >> >
>> >> > Are you possibly locked out at that hosting provider?  Ask that they
>> >> > "escalate your ticket" to the highest level you can to rule out
>> >> > system firewall lockouts?
>> >>
>> >> Can't be that because if I bypass the router and plug my main computer
>> >> directly into the Cox modem, I can access the sites without any
>> >> problems. When I do that I can view the site and sign in as admin, add
>> >> content, etc.
>> >>
>> >> > How are you accessing these sites?  Port 22?  VNC?  http/https
>> >> > through auth processes?
>> >>
>> >> Nothing terribly complex -- Just http. These are simple Drupal websites
>> >> that I have set up for clients. I was working on a new theme for one of
>> >> the websites (www.bonnydann.com), when the router started acting up.
>> >>
>> >> Also noticed that when I'm running through the Linksys router, I can
>> >> log in to the ftp portion of the site for file uploads, etc. without
>> >> any problems. I'm also getting email from the accounts on that hosting
>> >> package. So I know it is just the web portion (http) that is acting up.
>> >>
>> >> > > I know the sites are working because if I plug straight into the
>> >> > > modem, I can access them. (Also family in Canada can access them
>> >> > > without any issues.) Also, the rest of the Internet is still out
>> >> > > there - I can access pretty much any other site.
>> >> >
>> >> > So, you possibly can't get a new cox IP address but you can request
>> >> > they verify you did not get into one of their traps?
>> >> >
>> >> > Let's look further:
>> >> >
>> >> > 1) Can you traceroute from the command line to the server?  If not
>> >> > where does it fail?
>> >>
>> >> From the router Administration --> Diagnostics page on the WRT54GS, I
>> >> can ping to the site, no packets lost
>> >>
>> >> PING bonnydann.com ( 66.116.193.208 ) : 56 data bytes
>> >> 64 bytes from 66.116.193.208: icmp_seq=0, ttl=52 times=70. ms
>> >> 64 bytes from 66.116.193.208: icmp_seq=1, ttl=52 times=70. ms
>> >> 64 bytes from 66.116.193.208: icmp_seq=2, ttl=52 times=70. ms
>> >> 64 bytes from 66.116.193.208: icmp_seq=3, ttl=52 times=70. ms
>> >> 64 bytes from 66.116.193.208: icmp_seq=4, ttl=52 times=80. ms
>> >> --- bonnydann.com ping statistics ---
>> >> packets transmitted = 5 , packets received = 5 packet loss = 0%
>> >> round-trip min/avg/max = 70/72/80
>> >>
>> >> Can also traceroute to the site
>> >>
>> >> traceroute to bonnydann.com (66.116.193.208), 30 hops max, 40 byte packet
>> >> 1 10.35.128.1 (10.35.128.1) 10. 0 ms <10.0 ms <10.0 ms
>> >> 2 68.2.1.253 (68.2.1.253) <10.0 ms <10.0 ms <10.0 ms
>> >> 3 70.169.73.45 (70.169.73.45) 10. 0 ms 10. 0 ms <10.0 ms
>> >> 4 68.1.0.165 (68.1.0.165) 10. 0 ms 10. 0 ms 10. 0 ms
>> >> 5 4.69.133.34 (4.69.133.34) 10. 0 ms 10. 0 ms 10. 0 ms
>> >> 6 4.69.133.38 (4.69.133.38) 20. 0 ms 30. 0 ms 20. 0 ms
>> >> 7 4.69.144.138 (4.69.144.138) 20. 0 ms * 20. 0 ms
>> >> 8 63.146.27.33 (63.146.27.33) 20. 0 ms 20. 0 ms 30. 0 ms
>> >> 9 * * * Request timed out.
>> >> 10 63.144.63.214 (63.144.63.214) 70. 0 ms 80. 0 ms 70. 0 ms
>> >> 11 * * * Request timed out.
>> >> 12 66.116.193.208 (66.116.193.208) 70. 0 ms 80. 0 ms 70. 0 ms
>> >> Traceroute Complete.
>> >>
>> >> > 2) If you limit icmp, can you netcat trace to that port?
>> >> > http://www.jfranken.de/homepages/johannes/vortraege/netcat.en.html
>> >>
>> >> Looking at his "querying webservers" section and using
>> >>
>> >> printf 'GET / HTTP/1.0\n\n'  | nc -w 10 www.bonnydann.com 80
>> >>
>> >> I get
>> >>
>> >> www.bonnydann.com [66.116.193.208] 80 (www) : Connection timed out
>> >>
>> >> When I unplug the WRT54GS and plug straight into the modem, I get
>> >>
>> >> HTTP/1.1 503
>> >> Date: Sun, 02 Aug 2009 03:15:40 GMT
>> >> Server: Apache
>> >> Cache-Control: store, no-cache, must-revalidate, post-check=0,
>> >> pre-check=0 Expires: Sun, 19 Nov 1978 05:00:00 GMT
>> >> X-Powered-By: PHP/4.4.9
>> >> Set-Cookie:
>> >> SESSd41d8cd98f00b204e9800998ecf8427e=bfe600d5c18c137cd565b33c1be80cd0;
>> >> expires=Tuesday, 25-Aug-09 06:49:00 GMT; path=/
>> >> Cache-Control: max-age=1209600
>> >> Expires: Sun, 16 Aug 2009 03:15:40 GMT
>> >> Last-Modified: Sun, 02 Aug 2009 03:15:40 GMT
>> >> Connection: close
>> >> Content-Type: text/html; charset=utf-8
>> >>
>> >> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
>> >>  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
>> >> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>> >> dir="ltr">
>> >>  <head>
>> >>
>> >> and the rest of the main page, down to ...
>> >>
>> >>    </div> <!-- /container -->
>> >>  </div>
>> >> <!-- /layout -->
>> >>
>> >>  </body>
>> >> </html>
>> >>
>> >> > http://www.textfiles.com/hacking/INTERNET/netcat.txt
>> >> >
>> >> > 3) Or nmap the server?
>> >> >
>> >> > # nmap -P0 servername
>> >>
>> >> Through the WRT54GS
>> >>
>> >> Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 19:09 MST
>> >> Interesting ports on 66.116.193.208:
>> >> Not shown: 999 closed ports
>> >> PORT   STATE SERVICE
>> >> 21/tcp open  ftp
>> >>
>> >> Nmap done: 1 IP address (1 host up) scanned in 41.80 seconds
>> >>
>> >> Pulling the WRT54GS out of the loop,
>> >>
>> >> Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 20:17 MST
>> >> Interesting ports on 66.116.193.208:
>> >> Not shown: 995 filtered ports
>> >> PORT    STATE  SERVICE
>> >> 20/tcp  closed ftp-data
>> >> 21/tcp  open   ftp
>> >> 80/tcp  open   http
>> >> 443/tcp open   https
>> >> 873/tcp closed rsync
>> >>
>> >> Nmap done: 1 IP address (1 host up) scanned in 22.29 seconds
>> >>
>> >> > > I've talked with my hosting company and they swear up and down that
>> >> > > nothing has changed and the sites are working as normal.
>> >> >
>> >> > Do you have cookies in place - clear your browser cookies?  Try
>> >> > another browser?
>> >> >
>> >> > Netcat, traceroute and nmap will bypass the browser, but just in
>> >> > case...
>> >>
>> >> Have tried clearing the browser cache several times and have tried
>> >> Kubuntu, Windows XP, and Windows Vista. For browsers, I've tried
>> >> Firefox, IE 7 and 8, Konqueror, and Google Chrome.
>> >>
>> >> > Also did you change your dns server settings in your
>> >> > /etc/resolv.conf?
>> >> > Check to make sure your nslookup is the same.
>> >> >
>> >> > Did you possibly setup a hosts file hack to work on a mock up of the
>> >> > website and forget it on your own box?  Verify /etc/hosts file...
>> >>
>> >> Have not touched either the /etc/resolv.conf.
>> >>
>> >> No special hosts files, or anything like that.
>> >>
>> >> So I'm completely at a loss to explain why only a certain group of
>> >> websites would be shut down by this router (that has been reset to
>> >> factory defaults and has just had the latest firmware installed).
>> >>
>> >> Jason Hayes
>> >>
>> >> > > While fighting with this, I've updated the firmware (to the latest
>> >> > > version - V 7.2.06), reset all the settings to factory default, and
>> >> > > re-set up my home network.
>> >> >
>> >> > Are other machines on your network doing the same thing?
>> >> > Have someone come over and fire up their laptop to rule out XSS
>> >> > plugins and other hacks?
>> >> >
>> >> > > Everything is fine except for those few websites. Anyone ever seen
>> >> > > anything like this?
>> >> > > --
>> >> > > Jason Hayes
>> >>
>> >> ---------------------------------------------------
>> >> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> >> To subscribe, unsubscribe, or to change your mail settings:
>> >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> >


-- 
http://linuxgazette.net/165/kachold.html
(623)239-3392
(503)754-4452 www.obnosis.com
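As an added example (not code from the thread, and not anything the participants ran), the checks Jason did by hand with netcat and nmap, redone in plain Python sockets so the two vantage points can be compared mechanically: probe a handful of ports, classify each as open / closed / filtered, fetch the HTTP status line, and diff the "through the WRT54GS" result against the "straight into the modem" result. The two result tables at the bottom are transcribed from the two nmap runs quoted above; the Host header and CRLF line endings in the HTTP probe are my additions (the netcat one-liner in the thread sent bare `\n\n` and no Host header).

```python
"""Compare TCP reachability of one host from two vantage points."""
import socket
from typing import Dict, Iterable, Tuple

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port with a plain connect() probe.

    open     - the three-way handshake completed (what nc/nmap call open)
    closed   - the peer, or something in the path, answered with a RST
    filtered - nothing came back before the timeout, or the kernel
               reported the host/network unreachable
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except (socket.timeout, OSError):
        return FILTERED
    finally:
        s.close()


def scan(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Probe several ports and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def http_status(host: str, port: int = 80, timeout: float = 10.0) -> str:
    """Send the minimal request the thread sent with netcat and return the
    status line only.  An empty string means the TCP connect failed or no
    HTTP answer arrived, which is the netcat "Connection timed out" case."""
    req = "GET / HTTP/1.0\r\nHost: {}\r\n\r\n".format(host).encode()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.sendall(req)
        data = b""
        while b"\r\n" not in data:          # read until the status line is complete
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
        return data.split(b"\r\n", 1)[0].decode("latin-1")
    except (socket.timeout, OSError):
        return ""
    finally:
        s.close()


def diff_scans(via_router: Dict[int, str],
               direct: Dict[int, str]) -> Dict[int, Tuple[str, str]]:
    """Ports whose state differs between the two vantage points, as
    {port: (state via router, state direct)}.

    A port missing from one table is treated as filtered, matching nmap's
    "Not shown: N filtered ports" summary line.
    """
    out = {}
    for p in sorted(set(via_router) | set(direct)):
        a = via_router.get(p, FILTERED)
        b = direct.get(p, FILTERED)
        if a != b:
            out[p] = (a, b)
    return out


# Constructed from the two nmap runs quoted in the thread.  Through the
# router nmap listed only 21 open and called the other 999 ports closed;
# direct to the modem it listed 20/873 closed, 21/80/443 open, rest filtered.
VIA_ROUTER = {20: CLOSED, 21: OPEN, 80: CLOSED, 443: CLOSED, 873: CLOSED}
DIRECT = {20: CLOSED, 21: OPEN, 80: OPEN, 443: OPEN, 873: CLOSED}


if __name__ == "__main__":
    # Live use: run scan("www.bonnydann.com", [21, 80, 443]) from each side
    # of the router and feed the two results to diff_scans().
    for port, (a, b) in diff_scans(VIA_ROUTER, DIRECT).items():
        print("port %d: via router=%s, direct=%s" % (port, a, b))
```

The diff of the two transcribed tables comes out as ports 80 and 443 being closed through the router but open directly, which is exactly the web-only symptom the thread describes: ftp (21) matches on both sides. A connect() probe cannot tell you *who* sent the RST, so a differing "closed" is a reason to capture on the LAN side of the router next, not a conclusion about the router itself.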

