sort of OT: Linksys router blocking certain sites
Jason Hayes
jason at jasonhayes.org
Sat Aug 1 20:39:18 MST 2009
On Saturday 01 August 2009 04:45:02 pm Lisa Kachold wrote:
> On 8/1/09, Jason Hayes <jason at jasonhayes.org> wrote:
> > Not sure why this is happening.
> >
> > My Linksys WRT54GS router just suddenly (yesterday a.m.) started blocking
> > a group of sites that I administer. I was working on one of the sites and
> > it started getting slower and slower, then finally cut out.
>
> Are you possibly locked out at that hosting provider? Ask that they
> "escalate your ticket" to the highest level you can to rule out system
> firewall lockouts?
Can't be that because if I bypass the router and plug my main computer
directly into the Cox modem, I can access the sites without any problems. When
I do that I can view the site and sign in as admin, add content, etc.
> How are you accessing these sites? Port 22? VNC? http/https through
> auth processes?
Nothing terribly complex -- Just http. These are simple drupal websites that I
have set up for clients. I was working on a new theme for one of the websites
(www.bonnydann.com), when the router started acting up.
Also noticed that when I'm running through the Linksys router, I can log in to
the ftp portion of the site for file uploads, etc. without any problems. I'm
also getting email from the accounts on that hosting package. So I know it is
just the web portion (http) that is acting up.
> > I know the sites are working because if I plug straight into the modem, I
> > can
> > access them. (Also family in Canada can access them without any issues.)
> > Also,
> > the rest of the Internet is still out there - I can access pretty much
> > any other site.
>
> So, you possibly can't get a new cox IP address but you can request
> they verify you did not get into one of their traps?
>
> Let's look further:
>
> 1) Can you traceroute from the command line to the server? If not
> where does it fail?
From the router Administration --> Diagnostics page on the WRT54GS, I can ping
to the site, no packets lost:
PING bonnydann.com ( 66.116.193.208 ) : 56 data bytes
64 bytes from 66.116.193.208: icmp_seq=0, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=1, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=2, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=3, ttl=52 times=70. ms
64 bytes from 66.116.193.208: icmp_seq=4, ttl=52 times=80. ms
--- bonnydann.com ping statistics ---
packets transmitted = 5 , packets received = 5 packet loss = 0%
round-trip min/avg/max = 70/72/80
Can also traceroute to the site
traceroute to bonnydann.com (66.116.193.208) ,30 hops max,40 byte packet
1 10.35.128.1 (10.35.128.1) 10. 0 ms <10.0 ms <10.0 ms
2 68.2.1.253 (68.2.1.253) <10.0 ms <10.0 ms <10.0 ms
3 70.169.73.45 (70.169.73.45) 10. 0 ms 10. 0 ms <10.0 ms
4 68.1.0.165 (68.1.0.165) 10. 0 ms 10. 0 ms 10. 0 ms
5 4.69.133.34 (4.69.133.34) 10. 0 ms 10. 0 ms 10. 0 ms
6 4.69.133.38 (4.69.133.38) 20. 0 ms 30. 0 ms 20. 0 ms
7 4.69.144.138 (4.69.144.138) 20. 0 ms * 20. 0 ms
8 63.146.27.33 (63.146.27.33) 20. 0 ms 20. 0 ms 30. 0 ms
9 * * * Request timed out.
10 63.144.63.214 (63.144.63.214) 70. 0 ms 80. 0 ms 70. 0 ms
11 * * * Request timed out.
12 66.116.193.208 (66.116.193.208) 70. 0 ms 80. 0 ms 70. 0 ms
Traceroute Complete.
> 2) If you limit icmp, can you netcat trace to that port?
> http://www.jfranken.de/homepages/johannes/vortraege/netcat.en.html
Looking at his "querying webservers" section and using
printf 'GET / HTTP/1.0\n\n' | nc -w 10 www.bonnydann.com 80
I get
www.bonnydann.com [66.116.193.208] 80 (www) : Connection timed out
When I unplug the WRT54GS and plug straight into the modem, I get
HTTP/1.1 503
Date: Sun, 02 Aug 2009 03:15:40 GMT
Server: Apache
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Powered-By: PHP/4.4.9
Set-Cookie:
SESSd41d8cd98f00b204e9800998ecf8427e=bfe600d5c18c137cd565b33c1be80cd0;
expires=Tuesday, 25-Aug-09 06:49:00 GMT; path=/
Cache-Control: max-age=1209600
Expires: Sun, 16 Aug 2009 03:15:40 GMT
Last-Modified: Sun, 02 Aug 2009 03:15:40 GMT
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
and the rest of the main page, down to ...
</div> <!-- /container -->
</div>
<!-- /layout -->
</body>
</html>
> http://www.textfiles.com/hacking/INTERNET/netcat.txt
>
> 3) Or nmap the server?
>
> # nmap -P0 servername
Through the WRT54GS:
Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 19:09 MST
Interesting ports on 66.116.193.208:
Not shown: 999 closed ports
PORT STATE SERVICE
21/tcp open ftp
Nmap done: 1 IP address (1 host up) scanned in 41.80 seconds
Pulling the WRT54GS out of the loop,
Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 20:17 MST
Interesting ports on 66.116.193.208:
Not shown: 995 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
80/tcp open http
443/tcp open https
873/tcp closed rsync
Nmap done: 1 IP address (1 host up) scanned in 22.29 seconds
>
> > I've talked with my hosting company and they swear up and down that
> > nothing has changed and the sites are working as normal.
>
> Do you have cookies in place - clear your browser cookies? Try another
> browser?
>
> Netcat, traceroute and nmap will bypass the browser, but just in case...
Have tried clearing the browser cache several times and have tried Kubuntu,
Windows XP, and Windows Vista. For browsers, I've tried Firefox, IE 7 and 8,
Konqueror, and Google Chrome.
> Also did you change your dns server settings in your /etc/resolv.conf?
> Check to make sure your nslookup is the same.
>
> Did you possibly setup a hosts file hack to work on a mock up of the
> website and forget it on your own box? Verify /etc/hosts file...
Have not touched /etc/resolv.conf either.
No special hosts files, or anything like that.
So I'm completely at a loss to explain why only a certain group of websites
would be shut down by this router (that has been reset to factory defaults and
has just had the latest firmware installed).
Jason Hayes
>
> > While fighting with this, I've updated the firmware (to the latest
> > version - V
> > 7.2.06), reset all the settings to factory default, and re-set up my home
> > network.
>
> Are other machines on your network doing the same thing?
> Have someone come over and fire up their laptop to rule out XSS
> plugins and other hacks?
>
> > Everything is fine except for those few websites. Anyone ever seen
> > anything like this?
> > --
> > Jason Hayes
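An added example, not code from either poster: it scripts the comparison Jason did by hand, parsing nmap's normal output from the two scans (through the WRT54GS and direct) and flagging ports that come back "closed" (a RST was received) on one path but "open" on the other, which means the RST came from something on the first path rather than from the web server. Function names and the regexes are my own; the two sample scans are copied from the thread.

```python
# Added example (not from the thread): diff two nmap 'normal' outputs of the
# same host scanned over two paths. A port 'closed' (RST seen) on one path but
# 'open' on the other was answered by something in the path, not the server.
import re
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+\S+")
NOT_SHOWN_RE = re.compile(r"^Not shown: \d+ (\w+) ports")

def parse_nmap(text):
    """Return (state of unlisted ports, {port: state}) from nmap normal output."""
    default, ports = None, {}
    for line in map(str.strip, text.splitlines()):
        m = NOT_SHOWN_RE.match(line)
        if m:
            default = m.group(1)   # state nmap collapsed into 'Not shown'
            continue
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return default, ports

def diff_scans(a_text, b_text):
    """Ports whose state differs between scan A and B; unlisted ports take each scan's default."""
    a_def, a = parse_nmap(a_text)
    b_def, b = parse_nmap(b_text)
    changed = {}
    for port in sorted(set(a) | set(b)):
        sa, sb = a.get(port, a_def), b.get(port, b_def)
        if sa != sb:
            changed[port] = (sa, sb)
    if a_def != b_def:                # e.g. everything RST on one path, dropped on the other
        changed["unlisted"] = (a_def, b_def)
    return changed

def path_interference(changed):
    """Ports closed (RST) on path A but open on path B: the RST did not come from the server."""
    return sorted(p for p, (sa, sb) in changed.items()
                  if p != "unlisted" and sa == "closed" and sb == "open")

# Sample scans copied from the thread: through the router, then direct to the modem.
THROUGH_ROUTER = """Not shown: 999 closed ports
21/tcp open ftp
"""
DIRECT = """Not shown: 995 filtered ports
20/tcp closed ftp-data
21/tcp open ftp
80/tcp open http
443/tcp open https
873/tcp closed rsync
"""
```

Run on the thread's two scans, `path_interference(diff_scans(THROUGH_ROUTER, DIRECT))` reports ports 80 and 443, and the "unlisted" entry shows the router path returning RSTs where the direct path sees the host's firewall silently dropping.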