On Saturday 01 August 2009 04:45:02 pm Lisa Kachold wrote:
> On 8/1/09, Jason Hayes <jason@jasonhayes.org> wrote:
> > Not sure why this is happening.
> >
> > My Linksys WRT54GS router just suddenly (yesterday a.m.) started blocking
> > a group of sites that I administer. I was working on one of the sites and
> > it started getting slower and slower, then finally cut out.
>
> Are you possibly locked out at that hosting provider?  Ask that they
> "escalate your ticket" to the highest level you can to rule out system
> firewall lockouts?

Can't be that because if I bypass the router and plug my main computer 
directly into the Cox modem, I can access the sites without any problems. When 
I do that I can view the site and sign in as admin, add content, etc.

> How are you accessing these sites?  Port 22?  VNC?  http/https through
> auth processes?

Nothing terribly complex -- Just http. These are simple drupal websites that I 
have set up for clients. I was working on a new theme for one of the websites 
(www.bonnydann.com), when the router started acting up.

Also noticed that when I'm running through the Linksys router, I can log in to 
the ftp portion of the site for file uploads, etc. without any problems. I'm 
also getting email from the accounts on that hosting package. So I know it is 
just the web portion (http) that is acting up.

> > I know the sites are working because if I plug straight into the modem, I
> > can
> > access them. (Also family in Canada can access them without any issues.)
> > Also,
> > the rest of the Internet is still out there - I can access pretty much
> > any other site.
>
> So, you possibly can't get a new cox IP address but you can request
> they verify you did not get into one of their traps?
>
> Let's look further:
>
> 1) Can you traceroute from the command line to the server?  If not
> where does it fail?

From the router Administration --> Diagnostics page on the WRT54GS, I can ping 
to the site, no packets lost

PING bonnydann.com ( 66.116.193.208 ) : 56 data bytes
64 bytes from 66.116.193.208: icmp_seq=0, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=1, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=2, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=3, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=4, ttl=52 times=80. ms
--- bonnydann.com ping statistics ---
packets transmitted = 5 , packets received = 5 packet loss = 0%
round-trip min/avg/max = 70/72/80

Can also traceroute to the site

traceroute to bonnydann.com (66.116.193.208) ,30 hops max,40 byte packet
1 10.35.128.1 (10.35.128.1) 10. 0 ms <10.0 ms <10.0 ms
2 68.2.1.253 (68.2.1.253) <10.0 ms <10.0 ms <10.0 ms
3 70.169.73.45 (70.169.73.45) 10. 0 ms 10. 0 ms <10.0 ms
4 68.1.0.165 (68.1.0.165) 10. 0 ms 10. 0 ms 10. 0 ms
5 4.69.133.34 (4.69.133.34) 10. 0 ms 10. 0 ms 10. 0 ms
6 4.69.133.38 (4.69.133.38) 20. 0 ms 30. 0 ms 20. 0 ms
7 4.69.144.138 (4.69.144.138) 20. 0 ms * 20. 0 ms
8 63.146.27.33 (63.146.27.33) 20. 0 ms 20. 0 ms 30. 0 ms
9 * * * Request timed out.
10 63.144.63.214 (63.144.63.214) 70. 0 ms 80. 0 ms 70. 0 ms
11 * * * Request timed out.
12 66.116.193.208 (66.116.193.208) 70. 0 ms 80. 0 ms 70. 0 ms
Traceroute Complete.

> 2) If you limit icmp, can you netcat trace to that port?
> http://www.jfranken.de/homepages/johannes/vortraege/netcat.en.html

Looking at his "querying webservers" section and using 

printf 'GET / HTTP/1.0\n\n'  | nc -w 10 www.bonnydann.com 80

I get 

www.bonnydann.com [66.116.193.208] 80 (www) : Connection timed out

When I unplug the WRT54GS and plug straight into the modem, I get

HTTP/1.1 503                                                            
Date: Sun, 02 Aug 2009 03:15:40 GMT                                     
Server: Apache                                                          
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT                                    
X-Powered-By: PHP/4.4.9                                                   
Set-Cookie: 
SESSd41d8cd98f00b204e9800998ecf8427e=bfe600d5c18c137cd565b33c1be80cd0; 
expires=Tuesday, 25-Aug-09 06:49:00 GMT; path=/                              
Cache-Control: max-age=1209600                                                  
Expires: Sun, 16 Aug 2009 03:15:40 GMT                                          
Last-Modified: Sun, 02 Aug 2009 03:15:40 GMT                                    
Connection: close                                                               
Content-Type: text/html; charset=utf-8                                          

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
  <head>                                                 

and the rest of the main page, down to ...

    </div> <!-- /container -->
  </div>
<!-- /layout -->

  </body>
</html>

> http://www.textfiles.com/hacking/INTERNET/netcat.txt
>
> 3) Or nmap the server?
>
> # nmap -P0 servername

Through the WRT54GS

Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 19:09 MST
Interesting ports on 66.116.193.208:
Not shown: 999 closed ports
PORT   STATE SERVICE
21/tcp open  ftp

Nmap done: 1 IP address (1 host up) scanned in 41.80 seconds

Pulling the WRT54GS out of the loop,

Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 20:17 MST
Interesting ports on 66.116.193.208:
Not shown: 995 filtered ports
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  open   ftp
80/tcp  open   http
443/tcp open   https
873/tcp closed rsync

Nmap done: 1 IP address (1 host up) scanned in 22.29 seconds

>
> > I've talked with my hosting company and they swear up and down that
> > nothing has changed and the sites are working as normal.
>
> Do you have cookies in place - clear your browser cookies?  Try another
> browser?
>
> Netcat, traceroute and nmap will bypass the browser, but just in case...

Have tried clearing the browser cache several times and have tried Kubuntu, 
Windows XP, and Windows Vista. For browsers, I've tried Firefox, IE 7 and 8, 
Konqueror, and Google Chrome.

> Also did you change your dns server settings in your /etc/resolv.conf?
> Check to make sure your nslookup is the same.
>
> Did you possibly setup a hosts file hack to work on a mock up of the
> website and forget it on your own box?  Verify /etc/hosts file...

Have not touched either the /etc/resolve.conf.

No special hosts files, or anything like that.

So I'm completely at a loss to explain why only a certain group of websites 
would be shut down by this router (that has been reset to factory defaults and 
has just had the latest firmware installed).

Jason Hayes



>
> > While fighting with this, I've updated the firmware (to the latest
> > version - V
> > 7.2.06), reset all the settings to factory default, and re-set up my home
> > network.
>
> Are other machines on your network doing the same thing?
> Have someone come over and fire up their laptop to rule out XSS
> plugins and other hacks?
>
> > Everything is fine except for those few websites. Anyone ever seen
> > anything like this?
> > --
> > Jason Hayes


---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss