Hi. I’m on openSUSE 12.3 64-bit, KDE. I have a very odd behavior going on. In particular, when I try to go to my bank’s web site in Firefox, my browser ends up pointing at a website that I’ve got running locally (using apache2). Further, when I ping the bank’s site, I get pings back from 127.0.0.1. It’s just this one site (the bank’s) that I see this behavior with. If I ping it using su I also get pings back from 127.0.0.1. I looked in /etc/hosts, but it looks OK to me:
#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 localhost
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
So, where else should I be looking? As I said, it’s just this one site… Thanks!
Please, when you say “when I ping the bank site …”, we always want to see the computer facts that let you make this conclusion. Then we can see what you did and maybe draw our own conclusions. Because when you ask for help, you in fact ask for the conclusion of others.
Can you also show a DNS lookup of your bank:
nslookup your.bank.host.domain
Because that seems to me the first test to test DNS.
Duh! It’s always nice to know that I’m still able to embarrass myself in front of a bunch of people. I was typing the incorrect url (you saw that coming, right?) Here is the correct url:
And yes, it works in the browser. I guess the only really confusing thing is why is an incorrect url pointing back to my localhost, but I guess that’s a name server thing?
henk@boven:~> nslookup
> set debug
> www.barclaycardsus.com
Server: 194.109.6.66
Address: 194.109.6.66#53
------------
QUESTIONS:
www.barclaycardsus.com, type = A, class = IN
ANSWERS:
-> www.barclaycardsus.com
internet address = 127.0.0.1
ttl = 1800
AUTHORITY RECORDS:
ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name: www.barclaycardsus.com
Address: 127.0.0.1
My conclusion is that this name really resolves to 127.0.0.1 because it is as such in the barclaycardsus.com DNS server. But I have no idea why one would do so. I experimented a bit with deviations at the end of barclaycardsus. barclaycard, barclaycards and even barclaycardsu do return useful addresses. I guess they used a sort of gapstopper for this variation.
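The thread turns on telling two explanations apart: a local /etc/hosts override (what the OP checked first) versus the DNS server itself answering 127.0.0.1 (what hcvv’s nslookup showed). The script below automates that comparison. It is an added example, not code from this thread or from openSUSE; the hosts-file text and the stub resolver are constructed for offline use, and when no stub is passed it falls back to the system resolver (socket.gethostbyname), which follows nsswitch order (files, then DNS), so a name that is absent from /etc/hosts yet still resolves to loopback was answered that way by DNS, which is exactly the situation above.

```python
import ipaddress
import socket

# Constructed sample /etc/hosts content (shaped like the file the OP posted,
# plus one made-up local override to exercise the parser); not a real file.
SAMPLE_HOSTS = """\
#
# hosts   This file describes a number of hostname-to-address mappings
#
127.0.0.1 localhost
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
10.0.0.5 intranet.example.test    # constructed local override
"""


def parse_hosts(text):
    """Map each hostname in /etc/hosts-format text to the addresses listed for it."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def classify(addr):
    """Coarse bucket for an address: loopback, private (incl. link-local), or public.
    Loopback is tested first because ipaddress also counts 127/8 as private."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def check_host(name, hosts_text, resolve=socket.gethostbyname):
    """Resolve `name` and report whether the answer is explained by a local
    /etc/hosts entry or whether the resolver itself handed back a non-public
    address. `resolve` defaults to the system resolver; pass a stub for offline use."""
    name = name.lower().rstrip(".")
    override = parse_hosts(hosts_text).get(name, [])
    report = {"name": name, "hosts_override": override}
    try:
        addr = resolve(name)
    except OSError:                      # socket.gaierror is a subclass of OSError
        report.update(resolved=None, kind=None, verdict="unresolvable")
        return report
    kind = classify(addr)
    if override:
        verdict = "local-override"       # /etc/hosts explains the answer
    elif kind != "public":
        verdict = "dns-returned-" + kind # nothing local; DNS itself said so
    else:
        verdict = "ok"
    report.update(resolved=addr, kind=kind, verdict=verdict)
    return report


def stub_resolver(name):
    """Constructed stand-in for DNS, returning the answer hcvv captured for the
    typo domain; any other name raises like a failed lookup would."""
    answers = {
        "www.barclaycardsus.com": "127.0.0.1",
        "localhost": "127.0.0.1",
        "intranet.example.test": "10.0.0.5",
    }
    if name not in answers:
        raise socket.gaierror("constructed: no such name")
    return answers[name]


if __name__ == "__main__":
    for host in ("www.barclaycardsus.com", "intranet.example.test", "nosuch.example.test"):
        print(check_host(host, SAMPLE_HOSTS, resolve=stub_resolver))
```

Run against the real system by calling check_host with the contents of /etc/hosts and no resolve argument. Because gethostbyname goes through nsswitch, a verdict of dns-returned-loopback means the loopback answer did not come from the local hosts file; to see the raw DNS answer and which server gave it, use nslookup or dig as hcvv did.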
On 07/08/2013 02:06 PM, hcvv wrote:
>
> Code:
> --------------------
> henk@boven:~> nslookup
> > set debug
> > www.barclaycardsus.com
> Server: 194.109.6.66
> Address: 194.109.6.66#53
>
> ------------
> QUESTIONS:
> www.barclaycardsus.com, type = A, class = IN
> ANSWERS:
> -> www.barclaycardsus.com
> internet address = 127.0.0.1
> ttl = 1800
> AUTHORITY RECORDS:
> ADDITIONAL RECORDS:
> ------------
> Non-authoritative answer:
> Name: www.barclaycardsus.com
> Address: 127.0.0.1
>
> --------------------
>
> My conclusion is that this name really resolves to 127.0.0.1 because it
> is as such in the barclaycardsus.com DNS server. But I have no idea why
> one would do so. I experimented a bit with deviations at the end of
> barclaycardsus. barclaycard, barclaycards and even barclaycardsu do
> return useful addresses. I guess they used a sort of gapstopper for this
> variation.
If you try “whois” on the name with the typo, you get:
Registrant:
Domain Administrator
Barclays Bank Delaware
125 S. West St.
Wilmington DE 19801
US domainregistration@barclaycardus.com +1.3022558299 Fax:
The two domain names have nothing in common. The OP is just lucky that that typo
did not lead to a man-in-the-middle forwarding page that captured your account
name and password. One cannot be too careful when entering the domain name of a
financial institution.
On 07/08/2013 09:36 PM, Larry Finger wrote:
> The OP is just lucky that that typo did not lead to a
> man-in-the-middle forwarding page that captured your account name and
> password. One cannot be too careful when entering the domain name of
> a financial institution.
my guess is some thief bought the domain name “barclaycardsus”
exactly for the purpose of harvesting card numbers and
credentials…and, when Barclays learned of the scam they had the DNS
munged, somehow…
to the OP ‘JJMT’
unless you are 100% certain that you never typed your password/etc
into that “barclaycardsus” domain, i’d suggest you consider your
Barclays account as possibly compromised…and ask Barclays how they
would suggest you proceed (personally, i would immediately change my
account password and request Barclays to cancel the card and issue a
new one.)
djh-novell wrote:
> … that this is not a technical problem but a legal one.
I doubt the verdict was to configure 127.0.0.1 for the hosts in that domain rotfl!
On 07/09/2013 04:26 PM, hcvv wrote:
> I doubt the verdict was to configure 127.0.0.1 for the hosts in that
> domain rotfl!
no i agree, but it might be the easiest injunction they could put in
place to prevent the interloper from profiting through ‘stealing
away’ customers who typo the “Confusingly Similar” domain…