Be advised > FTP Hijack

Ice Czar

Guest
the other day I tried to download a diagram from Tyan Computer
the link happened to be to a PDF via FTP

well, I got redirected to an ad
so I emailed the Tyan webmaster that he had a strange link
he got right back to me saying it was fine

WTF?
next day I went to another FTP and same ad...hmmmm

run Adaware, SpybotSearch&Destroy, HijackThis, TDS-3, NOD32, and Nessus
still get the redirect

a little researching and found this

FTP Hijack (PDF) @ SANS.org

which pointed me to a poisoned DNS cache as the possible problem, so I go to Command Prompt

I type ipconfig/flushdns
(Purges the DNS resolver cache)

won't let me do it

I type ipconfig/displaydns
(Displays the contents of the DNS resolver cache)

won't show it

I type ipconfig/renew
(Renews the IP address for the specified adapter)

it fails

I type ipconfig/registerdns
(Refreshes all DHCP leases and re-registers DNS names)

says any issues will be reported in the event viewer in 15 minutes

I go back to Tyan and successfully download the PDF :D
 
The moral is if you have this problem, here is a solution.
Thanks Ice Czar! :)
 
I'm not sure it is so much a solution as
my flailing around in the dark till I finally hit something :p

I'm not sure if it was my cache that was compromised or a DNS server that was redirected (probably the former)

but no warnings showed up in the event viewer after ipconfig/registerdns
and after a reboot, I can still access ftp, so it appears nothing is reinstalling locally

the Ad\Redirect for the record is to www>ftp.com (disabled link)
NetManage Host Access and Integration Services
makers of Rumba and OnWeb whatever the hell those are

and bears no resemblance to my Tyan K8W jumper chart's url
ftp://ftp.tyan.com/quickref/q_s2885_100.pdf

this didn't affect http at all, just every ftp I tried to access