Hi. I’m on openSUSE 12.3 64-bit, KDE. I have a very odd behavior-thing going on. In particular, when I try to go to my bank’s web site in firefox, my browser ends up pointing at a website that I’ve got running locally (using apache2). Further, when I ping the bank’s site, I get pings back from 127.0.0.1. It’s just this one site (the bank’s) that I see this behavior with. If I ping it using su I also get pings back from 127.0.0.1. I looked in /etc/hosts, but it looks OK to me:
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# IP-Address Full-Qualified-Hostname Short-Hostname
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
So, where else should I be looking? As I said, it’s just this one site… Thanks!
Please, when you say: “when I ping the bank site …” we always want to see the computer facts that let you make this conclusion. Then we can see what you did and maybe draw our own conclusions. Because when you ask for help, you in fact ask for the conclusion of others.
Can you also show a DNS lookup of your bank:
Because that seems to me the first test to test DNS.
> set debug
www.barclaycardsus.com, type = A, class = IN
internet address = 127.0.0.1
ttl = 1800
My conclusion is that this name really resolves to 127.0.0.1 because it is as such in the barclaycardsus.com DNS server. But I have no idea why one would do so. I experimented a bit with deviations at the end of barclaycardsus. barclaycard, barclaycards and even barclaycardsu do return useful addresses. I guess they used a sort of gapstopper for this variation.
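An added example, not part of any post in this thread: a small Python check that parses nslookup output of the kind shown above and flags names whose answer is a loopback or internal address, the symptom that sent the browser to the local apache2 site. The sample text, the resolver address 192.0.2.53 and the www.example.org entry are constructed for illustration.

```python
import ipaddress
import re

# Constructed input modelled on the nslookup output quoted in this thread.
SAMPLE = """\
Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
Name:   www.barclaycardsus.com
Address: 127.0.0.1
Name:   www.example.org
Address: 203.0.113.10
"""

# Ranges a public web site should never resolve to (loopback, RFC 1918,
# link-local, unique-local). A public name answering from one of these is
# worth a second look at the spelling and at the resolver path.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def parse_answers(text):
    """Return (name, address) pairs from the answer section of nslookup output."""
    pairs, name = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Name:\s*(\S+)", line)
        if m:
            name = m.group(1).rstrip(".").lower()
            continue
        m = re.match(r"\s*Address(?:es)?:\s*(\S+)", line)
        # The resolver's own "Address: x.x.x.x#53" line comes before any Name.
        if m and name and "#" not in m.group(1):
            pairs.append((name, m.group(1)))
    return pairs


def loopback_or_internal(address):
    addr = ipaddress.ip_address(address)
    return any(addr.version == n.version and addr in n for n in NON_ROUTABLE)


def flag_answers(text):
    """Names whose answer points back at this host or an internal network."""
    return [(n, a) for n, a in parse_answers(text) if loopback_or_internal(a)]


if __name__ == "__main__":
    for name, addr in flag_answers(SAMPLE):
        print(f"check spelling and resolver: {name} -> {addr}")
```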
On 07/08/2013 02:06 PM, hcvv wrote:
> henk@boven:~> nslookup
> > set debug
> > www.barclaycardsus.com
> Server: 22.214.171.124
> Address: 126.96.36.199#53
> www.barclaycardsus.com, type = A, class = IN
> → www.barclaycardsus.com
> internet address = 127.0.0.1
> ttl = 1800
> AUTHORITY RECORDS:
> ADDITIONAL RECORDS:
> Non-authoritative answer:
> Name: www.barclaycardsus.com
> Address: 127.0.0.1
> My conclusion is that this name really resolves to 127.0.0.1 because it
> is as such in the barclaycardsus.com DNS server. But I have no idea why
> one would do so. I experimented a bit with deviations at the end of
> barclaycardsus. barclaycard, barclaycards and even barclaycardsu do
> return useful addresses. I guess they used a sort of gapstopper for this
If you try “whois” on the name with the typo, you get:
The two domain names have nothing in common. The OP is just lucky that that typo
did not lead to a man-in-the-middle forwarding page that captured your account
name and password. One cannot be too careful when entering the domain name of a
On 07/08/2013 09:36 PM, Larry Finger wrote:
> The OP is just lucky that that typo did not lead to a
> man-in-the-middle forwarding page that captured your account name and
> password. One cannot be too careful when entering the domain name of
> a financial institution.
my guess is some thief bought the domain name “barclaycardsus”
exactly for the purpose of harvesting card numbers and
credentials…and, when Barclays learned of the scam they had the DNS
to the OP ‘JJMT’
unless you are 100% certain that you never typed your password/etc
into that “barclaycardsus” domain, i’d suggest you consider your
Barclays account as possibly compromised…and ask Barclays how they
would suggest you proceed (personally, i would immediately change my
account password and request Barclays to cancel the card and issue a