On Saturday 01 August 2009 04:45:02 pm Lisa Kachold wrote:
> On 8/1/09, Jason Hayes wrote:
> > Not sure why this is happening.
> >
> > My Linksys WRT54GS router just suddenly (yesterday a.m.) started blocking
> > a group of sites that I administer. I was working on one of the sites and
> > it started getting slower and slower, then finally cut out.
>
> Are you possibly locked out at that hosting provider? Ask that they
> "escalate your ticket" to the highest level you can to rule out system
> firewall lockouts?

Can't be that because if I bypass the router and plug my main computer directly into the Cox modem, I can access the sites without any problems. When I do that I can view the site and sign in as admin, add content, etc.

> How are you accessing these sites? Port 22? VNC? http/https through
> auth processes?

Nothing terribly complex -- Just http. These are simple drupal websites that I have set up for clients. I was working on a new theme for one of the websites (www.bonnydann.com), when the router started acting up.

Also noticed that when I'm running through the Linksys router, I can log in to the ftp portion of the site for file uploads, etc. without any problems. I'm also getting email from the accounts on that hosting package. So I know it is just the web portion (http) that is acting up.

> > I know the sites are working because if I plug straight into the modem, I
> > can access them. (Also family in Canada can access them without any
> > issues.) Also, the rest of the Internet is still out there - I can access
> > pretty much any other site.
>
> So, you possibly can't get a new cox IP address but you can request
> they verify you did not get into one of their traps?
>
> Let's look further:
>
> 1) Can you traceroute from the command line to the server? If not
> where does it fail?

From the router Administration --> Diagnostics page on the WRT54GS, I can ping to the site, no packets lost

PING bonnydann.com ( 66.116.193.208 ) : 56 data bytes
64 bytes from 66.116.193.208: icmp_seq=0, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=1, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=2, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=3, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=4, ttl=52 times=80. ms
--- bonnydann.com ping statistics ---
packets transmitted = 5 , packets received = 5 packet loss = 0%
round-trip min/avg/max = 70/72/80

Can also traceroute to the site

traceroute to bonnydann.com (66.116.193.208) ,30 hops max,40 byte packet
 1 10.35.128.1 (10.35.128.1) 10. 0 ms <10.0 ms <10.0 ms
 2 68.2.1.253 (68.2.1.253) <10.0 ms <10.0 ms <10.0 ms
 3 70.169.73.45 (70.169.73.45) 10. 0 ms 10. 0 ms <10.0 ms
 4 68.1.0.165 (68.1.0.165) 10. 0 ms 10. 0 ms 10. 0 ms
 5 4.69.133.34 (4.69.133.34) 10. 0 ms 10. 0 ms 10. 0 ms
 6 4.69.133.38 (4.69.133.38) 20. 0 ms 30. 0 ms 20. 0 ms
 7 4.69.144.138 (4.69.144.138) 20. 0 ms * 20. 0 ms
 8 63.146.27.33 (63.146.27.33) 20. 0 ms 20. 0 ms 30. 0 ms
 9 * * * Request timed out.
10 63.144.63.214 (63.144.63.214) 70. 0 ms 80. 0 ms 70. 0 ms
11 * * * Request timed out.
12 66.116.193.208 (66.116.193.208) 70. 0 ms 80. 0 ms 70. 0 ms
Traceroute Complete.

> 2) If you limit icmp, can you netcat trace to that port?
> http://www.jfranken.de/homepages/johannes/vortraege/netcat.en.html

Looking at his "querying webservers" section and using

printf 'GET / HTTP/1.0\n\n' | nc -w 10 www.bonnydann.com 80

I get

www.bonnydann.com [66.116.193.208] 80 (www) : Connection timed out

When I unplug the WRT54GS and plug straight into the modem, I get

HTTP/1.1 503
Date: Sun, 02 Aug 2009 03:15:40 GMT
Server: Apache
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Powered-By: PHP/4.4.9
Set-Cookie: SESSd41d8cd98f00b204e9800998ecf8427e=bfe600d5c18c137cd565b33c1be80cd0; expires=Tuesday, 25-Aug-09 06:49:00 GMT; path=/
Cache-Control: max-age=1209600
Expires: Sun, 16 Aug 2009 03:15:40 GMT
Last-Modified: Sun, 02 Aug 2009 03:15:40 GMT
Connection: close
Content-Type: text/html; charset=utf-8

and the rest of the main page, down to ...

> http://www.textfiles.com/hacking/INTERNET/netcat.txt
>
> 3) Or nmap the server?
>
> # nmap -P0 servername

Through the WRT54GS

Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 19:09 MST
Interesting ports on 66.116.193.208:
Not shown: 999 closed ports
PORT STATE SERVICE
21/tcp open ftp

Nmap done: 1 IP address (1 host up) scanned in 41.80 seconds

Pulling the WRT54GS out of the loop,

Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 20:17 MST
Interesting ports on 66.116.193.208:
Not shown: 995 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
80/tcp open http
443/tcp open https
873/tcp closed rsync

Nmap done: 1 IP address (1 host up) scanned in 22.29 seconds

> > I've talked with my hosting company and they swear up and down that
> > nothing has changed and the sites are working as normal.
>
> Do you have cookies in place - clear your browser cookies? Try another
> browser?
>
> Netcat, traceroute and nmap will bypass the browser, but just in case...

Have tried clearing the browser cache several times and have tried Kubuntu, Windows XP, and Windows Vista.
For browsers, I've tried Firefox, IE 7 and 8, Konqueror, and Google Chrome.

> Also did you change your dns server settings in your /etc/resolv.conf?
> Check to make sure your nslookup is the same.
>
> Did you possibly setup a hosts file hack to work on a mock up of the
> website and forget it on your own box? Verify /etc/hosts file...

Have not touched either the /etc/resolve.conf. No special hosts files, or anything like that.

So I'm completely at a loss to explain why only a certain group of websites would be shut down by this router (that has been reset to factory defaults and has just had the latest firmware installed).

Jason Hayes

> > While fighting with this, I've updated the firmware (to the latest
> > version - V 7.2.06), reset all the settings to factory default, and
> > re-set up my home network.
>
> Are other machines on your network doing the same thing?
> Have someone come over and fire up their laptop to rule out XSS
> plugins and other hacks?
>
> > Everything is fine except for those few websites. Anyone ever seen
> > anything like this?
> > --
> > Jason Hayes

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
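
The two Nmap runs quoted in the message above, compared port by port. This is an added example, not part of the original post: the function names are illustrative, the port tables are copied from the message, and the parser assumes Nmap's normal output with a single "Not shown" state.

```python
import re

# Port tables copied from the two Nmap 4.76 runs quoted in the message.
VIA_ROUTER = """\
Not shown: 999 closed ports
PORT STATE SERVICE
21/tcp open ftp
"""
DIRECT = """\
Not shown: 995 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
80/tcp open http
443/tcp open https
873/tcp closed rsync
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\S+) ports")

def parse_scan(text):
    """Return ({(port, proto): (state, service)}, state of the unlisted ports)."""
    listed, default = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := NOT_SHOWN.match(line):
            default = m.group(1)
        elif m := PORT_LINE.match(line):
            listed[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return listed, default

def diff_scans(a_text, b_text):
    """Ports named in either scan whose state differs; unlisted ports take "Not shown"."""
    a, a_default = parse_scan(a_text)
    b, b_default = parse_scan(b_text)
    changes = []
    for key in sorted(set(a) | set(b)):
        a_state = a.get(key, (a_default, None))[0]
        b_state = b.get(key, (b_default, None))[0]
        if a_state != b_state:
            service = (a.get(key) or b.get(key))[1]
            changes.append((*key, service, a_state, b_state))
    return changes

if __name__ == "__main__":
    for port, proto, service, via_router, direct in diff_scans(VIA_ROUTER, DIRECT):
        print(f"{port}/{proto} ({service}): via router={via_router}, direct={direct}")
```

Nmap reports a port as closed when the probe is answered with a reset and as filtered when no usable reply comes back, so per these two scans ports 80 and 443 were refused on the routed path rather than silently dropped.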