sort of OT: Linksys router blocking certain sites
Jason Hayes
jason at jasonhayes.org
Tue Aug 18 11:49:54 MST 2009
Njorl's saga continues two weeks later -- with somewhat less violence, but
about the same trouble getting the story finished.
The D-Link router wasn't up to the task - constant resets and hassles keeping
the wireless connected. So, I was all ready to go out and buy a new router and
thought I'd give the old Linksys another go, just to see what would happen.
All's well. No problems with blocked sites ... I have no idea why it works
now.
Jason
On Monday 03 August 2009 06:15:19 pm Steve Phariss wrote:
> I was kind of suspecting the routing tables might be stored in the flash
> chip and suffered from bit rot. When I was having the problem I had a bit
> less knowledge/experience than I do now.
>
> On Sun, Aug 2, 2009 at 12:07 PM, Jason Hayes <jason at jasonhayes.org> wrote:
> > I guess that this must be a Linksys thing then. Everything works fine for
> > a few years and then it digs in its heels and refuses to load the site(s)
> > that you have to be able to access.
> >
> > No solutions for the Linksys router, but I had a D-Link WBR-1310 sitting
> > in a box new and unused here at home. I fired it up and, at least at first
> > blush, everything seems to be back to normal. The sites are loading (a
> > little slow, but they're loading.)
> >
> > No idea what caused that problem.
> >
> > Thanks to everyone who commented!
> >
> > Jason
> >
> > On Sunday 02 August 2009 09:58:11 am Steve Phariss wrote:
> > > I had an old Linksys wired router that was acting the same way. I was
> > > able to access all sites I tried, but one (the web site I was actively
> > > working on) I could access from a direct connect to the modem, but not from
> > > the router. I had Cox reset my modem, I even had them reprovision me
> > > and assign a new IP but nothing worked (hmmm now that I think about it,
> > > the reprovision MAY have worked for a couple times, don't remember).
> > > On the router side I reflashed the firmware, and moved the ports I was
> > > using. I even reloaded my network drivers on the PC. I eventually got
> > > a new router and all was well again. The funny thing was I could access
> > > the other domain on the same host (used bluehost.com with several domains
> > > attached). I do not remember if I could connect using the IP, may not have
> > > even tried.
> >
> > > On Sat, Aug 1, 2009 at 11:27 PM, Bryan O'Neal
> > > <boneal at cornerstonehome.com> wrote:
> > > > I am sure this is a stupid question, but have you flashed your
> > > > router? Or tried accessing on a different port? You may have a nat
> > > > lock, though I have never heard of one lasting through a power cycle
> > > > on a Linksys, I would not put it past it. Flashing (Or even doing a
> > > > full factory reset) should clear that.
> > > >
> > > > On Sat, Aug 1, 2009 at 8:39 PM, Jason Hayes <jason at jasonhayes.org> wrote:
> > > >> On Saturday 01 August 2009 04:45:02 pm Lisa Kachold wrote:
> > > >> > On 8/1/09, Jason Hayes <jason at jasonhayes.org> wrote:
> > > >> > > Not sure why this is happening.
> > > >> > >
> > > >> > > My Linksys WRT54GS router just suddenly (yesterday a.m.) started
> > > >> > > blocking a group of sites that I administer. I was working on one
> > > >> > > of the sites and it started getting slower and slower, then finally
> > > >> > > cut out.
> > > >> >
> > > >> > Are you possibly locked out at that hosting provider? Ask that
> > > >> > they "escalate your ticket" to the highest level you can to rule
> > > >> > out system firewall lockouts?
> > > >>
> > > >> Can't be that because if I bypass the router and plug my main
> > > >> computer directly into the Cox modem, I can access the sites without
> > > >> any problems. When
> > > >> I do that I can view the site and sign in as admin, add content,
> > > >> etc.
> > > >>
> > > >> > How are you accessing these sites? Port 22? VNC? http/https
> > > >> > through auth processes?
> > > >>
> > > >> Nothing terribly complex -- Just http. These are simple drupal
> > > >> websites that I have set up for clients. I was working on a new theme
> > > >> for one of the websites (www.bonnydann.com), when the router started
> > > >> acting up.
> > > >>
> > > >> Also noticed that when I'm running through the Linksys router, I can
> > > >> log in to the ftp portion of the site for file uploads, etc. without
> > > >> any problems. I'm also getting email from the accounts on that hosting
> > > >> package. So I know it is just the web portion (http) that is acting up.
> > > >>
> > > >> > > I know the sites are working because if I plug straight into the
> > > >> > > modem, I can access them. (Also family in Canada can access them
> > > >> > > without any issues.) Also, the rest of the Internet is still out
> > > >> > > there - I can access pretty much any other site.
> > > >> >
> > > >> > So, you possibly can't get a new cox IP address but you can
> > > >> > request they verify you did not get into one of their traps?
> > > >> >
> > > >> > Let's look further:
> > > >> >
> > > >> > 1) Can you traceroute from the command line to the server? If not
> > > >> > where does it fail?
> > > >>
> > > >> From the router Administration --> Diagnostics page on the WRT54GS,
> > > >> I can ping
> > > >> to the site, no packets lost
> > > >>
> > > >> PING bonnydann.com ( 66.116.193.208 ) : 56 data bytes
> > > >> 64 bytes from 66.116.193.208: icmp_seq=0, ttl=52 times=70. ms
> > > >> 64 bytes from 66.116.193.208: icmp_seq=1, ttl=52 times=70. ms
> > > >> 64 bytes from 66.116.193.208: icmp_seq=2, ttl=52 times=70. ms
> > > >> 64 bytes from 66.116.193.208: icmp_seq=3, ttl=52 times=70. ms
> > > >> 64 bytes from 66.116.193.208: icmp_seq=4, ttl=52 times=80. ms
> > > >> --- bonnydann.com ping statistics ---
> > > >> packets transmitted = 5 , packets received = 5 packet loss = 0%
> > > >> round-trip min/avg/max = 70/72/80
> > > >>
> > > >> Can also traceroute to the site
> > > >>
> > > >> traceroute to bonnydann.com (66.116.193.208) ,30 hops max,40 byte packet
> > > >> 1 10.35.128.1 (10.35.128.1) 10. 0 ms <10.0 ms <10.0 ms
> > > >> 2 68.2.1.253 (68.2.1.253) <10.0 ms <10.0 ms <10.0 ms
> > > >> 3 70.169.73.45 (70.169.73.45) 10. 0 ms 10. 0 ms <10.0 ms
> > > >> 4 68.1.0.165 (68.1.0.165) 10. 0 ms 10. 0 ms 10. 0 ms
> > > >> 5 4.69.133.34 (4.69.133.34) 10. 0 ms 10. 0 ms 10. 0 ms
> > > >> 6 4.69.133.38 (4.69.133.38) 20. 0 ms 30. 0 ms 20. 0 ms
> > > >> 7 4.69.144.138 (4.69.144.138) 20. 0 ms * 20. 0 ms
> > > >> 8 63.146.27.33 (63.146.27.33) 20. 0 ms 20. 0 ms 30. 0 ms
> > > >> 9 * * * Request timed out.
> > > >> 10 63.144.63.214 (63.144.63.214) 70. 0 ms 80. 0 ms 70. 0 ms
> > > >> 11 * * * Request timed out.
> > > >> 12 66.116.193.208 (66.116.193.208) 70. 0 ms 80. 0 ms 70. 0 ms
> > > >> Traceroute Complete.
> > > >>
> > > >> > 2) If you limit icmp, can you netcat trace to that port?
> > > >> > http://www.jfranken.de/homepages/johannes/vortraege/netcat.en.html
> > > >>
> > > >> Looking at his "querying webservers" section and using
> > > >>
> > > >> printf 'GET / HTTP/1.0\n\n' | nc -w 10 www.bonnydann.com 80
> > > >>
> > > >> I get
> > > >>
> > > >> www.bonnydann.com [66.116.193.208] 80 (www) : Connection timed out
> > > >>
> > > >> When I unplug the WRT54GS and plug straight into the modem, I get
> > > >>
> > > >> HTTP/1.1 503
> > > >> Date: Sun, 02 Aug 2009 03:15:40 GMT
> > > >> Server: Apache
> > > >> Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
> > > >> Expires: Sun, 19 Nov 1978 05:00:00 GMT
> > > >> X-Powered-By: PHP/4.4.9
> > > >> Set-Cookie: SESSd41d8cd98f00b204e9800998ecf8427e=bfe600d5c18c137cd565b33c1be80cd0; expires=Tuesday, 25-Aug-09 06:49:00 GMT; path=/
> > > >> Cache-Control: max-age=1209600
> > > >> Expires: Sun, 16 Aug 2009 03:15:40 GMT
> > > >> Last-Modified: Sun, 02 Aug 2009 03:15:40 GMT
> > > >> Connection: close
> > > >> Content-Type: text/html; charset=utf-8
> > > >>
> > > >> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> > > >> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
> > > >> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
> > > >> dir="ltr">
> > > >> <head>
> > > >>
> > > >> and the rest of the main page, down to ...
> > > >>
> > > >> </div> <!-- /container -->
> > > >> </div>
> > > >> <!-- /layout -->
> > > >>
> > > >> </body>
> > > >> </html>
> > > >>
> > > >> > http://www.textfiles.com/hacking/INTERNET/netcat.txt
> > > >> >
> > > >> > 3) Or nmap the server?
> > > >> >
> > > >> > # nmap -P0 servername
> > > >>
> > > >> Through the WRT54GS
> > > >>
> > > >> Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 19:09 MST
> > > >> Interesting ports on 66.116.193.208:
> > > >> Not shown: 999 closed ports
> > > >> PORT STATE SERVICE
> > > >> 21/tcp open ftp
> > > >>
> > > >> Nmap done: 1 IP address (1 host up) scanned in 41.80 seconds
> > > >>
> > > >> Pulling the WRT54GS out of the loop,
> > > >>
> > > >> Starting Nmap 4.76 ( http://nmap.org ) at 2009-08-01 20:17 MST
> > > >> Interesting ports on 66.116.193.208:
> > > >> Not shown: 995 filtered ports
> > > >> PORT STATE SERVICE
> > > >> 20/tcp closed ftp-data
> > > >> 21/tcp open ftp
> > > >> 80/tcp open http
> > > >> 443/tcp open https
> > > >> 873/tcp closed rsync
> > > >>
> > > >> Nmap done: 1 IP address (1 host up) scanned in 22.29 seconds
> > > >>
> > > >> > > I've talked with my hosting company and they swear up and down
> > > >> > > that nothing has changed and the sites are working as normal.
> > > >> >
> > > >> > Do you have cookies in place - clear your browser cookies? Try
> > > >> > another browser?
> > > >> >
> > > >> > Netcat, traceroute and nmap will bypass the browser, but just in
> > > >> > case...
> > > >>
> > > >> Have tried clearing the browser cache several times and have tried
> > > >> Kubuntu,
> > > >> Windows XP, and Windows Vista. For browsers, I've tried Firefox, IE
> > > >> 7 and 8,
> > > >> Konqueror, and Google Chrome.
> > > >>
> > > >> > Also did you change your dns server settings in your /etc/resolv.conf?
> > > >> > Check to make sure your nslookup is the same.
> > > >> >
> > > >> > Did you possibly setup a hosts file hack to work on a mock up of
> > > >> > the website and forget it on your own box? Verify /etc/hosts
> > > >> > file...
> > > >>
> > > >> Have not touched either the /etc/resolv.conf.
> > > >>
> > > >> No special hosts files, or anything like that.
> > > >>
> > > >> So I'm completely at a loss to explain why only a certain group of
> > > >> websites
> > > >> would be shut down by this router (that has been reset to factory
> > > >> defaults and
> > > >> has just had the latest firmware installed).
> > > >>
> > > >> Jason Hayes
> > > >>
> > > >> > > While fighting with this, I've updated the firmware (to the
> > > >> > > latest version - V 7.2.06), reset all the settings to factory
> > > >> > > default, and re-set up my home network.
> > > >> >
> > > >> > Are other machines on your network doing the same thing?
> > > >> > Have someone come over and fire up their laptop to rule out XSS
> > > >> > plugins and other hacks?
> > > >> >
> > > >> > > Everything is fine except for those few websites. Anyone ever
> > > >> > > seen anything like this?
> > > >> > > --
> > > >> > > Jason Hayes
> > > >>
> > > >> ---------------------------------------------------
> > > >> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > >> To subscribe, unsubscribe, or to change your mail settings:
> > > >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > >
> > > > ---------------------------------------------------
> > > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > > To subscribe, unsubscribe, or to change your mail settings:
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss