Closing searchportal.information.com Subject
Writing my first post on this issue I couldn’t have expected the reaction it would produce, even less the kind of reaction that followed. If this thread, which I quietly watched without intervening, happened to be openly hostile, then this comment I got on my own blog is simply offensive, so I feel I need to reiterate my points and clarify my position to bring the whole issue to some logical closure (I really hate unresolved issues like this hanging about).
I’ve done some research over the past few days and am now ready to provide a proper account, so forgive me if I repeat some points already mentioned, but this is needed to maintain the logic of my reply.
Here are facts:
April 7th, 2007 - I and some of my friends report strange redirects from a number of websites to searchportal.information.com (IP 66.151.179.147).
This page reports the same DNS issues with livejournal.com (NS1.SIXAPART.COM, NS2.SIXAPART.COM) happening on a massive scale.
April 8th, 2007 - Dreamhost reports a DNS DoS attack which incapacitates the Dreamhost DNS servers; subsequently, affected DNS servers resolve all domains for which Dreamhost is authoritative to 66.151.179.147.
April 9th, 2007 - The issue is observed sporadically for websites having their DNS records either privately (EVERETT.ORG, ADVERDNS.NET, PROZ.COM etc.) or at large hosting providers (1AND1.COM, EASYDNS.COM etc.), and these are just the ones I myself have seen affected (also reported here and on April 13 here).
Here is my interpretation:
From what I’ve seen myself and what I gathered on the net, I insist that we are dealing with DNS poisoning, also known as DNS hijacking. How do I know this? How do I know it’s not a virus? Well, it isn’t, because I ain’t stupid and check my machines for viruses regularly, but mainly because changing the DNS servers in browser or router settings to unaffected ones resolved the issue entirely.
Why do I think the Dreamhost DoS issues and the DNS poisoning are related? Note: I never said or implied that Dreamhost DNS was hacked or hijacked and hence was the cause of the problem - if some have read my postings this way it’s their problem, not mine. Not only because these two things happened at the same time, but because it all fits too well into a standard DNS poisoning scenario. To inject poisoned DNS data you need to disable the authoritative DNS servers for the domains you are trying to rewrite; otherwise your poisoned data will not be accepted by the DNS servers you are trying to inject it into. Of course it is not hard proof and there is a chance of coincidence, but do you believe in coincidences?
Judging from the fact that most responses to this attack are coming from Russia, and from what I understood from the translation of the page quoted above, the point of injection was a DNS server of one of the Russian ISPs, from where it spread to some European DNS servers. Fortunately it was not a large-scale epidemic, but it was large enough to cause serious disruption.
Concerning the security issue: I am tired of repeating the same thing - if you landed on the searchportal.information.com page instead of a site you have an account at, change your password for this site, be it your own or otherwise - if you are dumb enough not to, you have only yourself to blame, as you’ve been forewarned so many times. The redirect script at searchportal.information.com reads your cookies! Note: the Russian livejournal post I referenced above provides an HTTP headers transcript where you can read for yourself how your browser happily provides cookies to this redirect script. The same should be done with your email and FTP passwords if you accessed affected sites with your email or FTP clients.
As this thread, this thread and many others suggest, searchportal.information.com affiliates have been involved in browser hijacking using various techniques since at least 2005. Particularly interesting is this article, which I am yet to analyse properly, but this one hints at possible AdSense click fraud.
If understanding the issue itself was not too difficult for me, the hostile, ill-mannered and frankly pointless response to my posts still puzzles me a lot. However, considering the amount of money involved in these operations, it shouldn’t be surprising that there are some who wouldn’t like too much attention to be drawn to the activities of certain searchportal.information.com affiliates.
That’s all I know and all I think about it. DIXI
tags: dns, dos, adsense, alert, attack, browser, click fraud, cookies, hack, hard proof, headers, hijack, injection, password, poisoning, searchportal, security
Lzzr,
I’m new to this backend world of Web under the hood type of tech talk. But I found your posting quite interesting.
Just wanted to say thanks for the info. If you’d like to point a newbie in the right direction to start understanding this stuff, then please point me to the promised land.
I do content filtering, and was trying to sniff out the kids and proxies. Could you suggest to a newbie how to sniff out proxies?
Comment by Phil Malone — May 2, 2007 @ 7:13 am
Hi Phil,

Thanks, first of all
I’ll try to help as much as I can, but I don’t think I understand the question… What exactly are you trying to do? In particular, what do you mean by sniffing out proxies?
I am intrigued
Comment by LZZR — May 4, 2007 @ 6:54 am
Thanks Lzzr for replying…
I do content filtering for a school district. Our kids have figured out what a proxy does and they use proxies to get around our filter.
I was wanting to know more about learning internet tools, tricks, or just to pick your brain as to where I should start in becoming a guru, such as yourself LZZR.
I understand just enough to be dangerous… LOL I’ve been working with internet content filtering for about 3 years. And trust me, the kids know more than I can react to. I like to get a step ahead of them.
Right now I (hope) that I have gotten about 90% of the known proxies blocked. We do use a service which updates every 24 hours, but it doesn’t catch everything.
What would you do to find out more about determining proxy sites that are being used on our network?
Comment by Phil Malone — May 8, 2007 @ 11:45 am
LZZR. Just wondering… Would there be any noticeable symptoms with searchportal.information.com?
I see several of our workstations directed to that site.
Comment by Phil Malone — May 10, 2007 @ 7:26 am
Hi Phil,
free proxy search on Google as I believe you are way past this stage. The task is twofold: a) where do we get fresh proxy lists and b) how do we check that they are valid so that we can block them. So in many ways you need to do exactly what your kids are doing while finding those proxies, and block them instead. So the first suggestion would be to spy on suspected troublemakers, trying to get an idea of what their sources are. Social engineering, in other words. Another good source of proxies would be to set up a popular blog and wait for comment spam - this will give you a list of the most malicious proxies, updated in nearly real time.
To help you I would really need to be there and see how your network is configured. It’s a bit difficult to tell anything without knowing even the kind of proxy filtering software/hardware you use.
One thing I might help you with is sniffing out proxies. BTW you are right, kids are a kind of natural disaster: they are smart and quick and difficult to catch, especially where it concerns computers. I know what you are talking about since I’ve got my own little weasel.
So, if I got it right, the question is how to get proxies ahead of them, before they start using them.
In other words we are just looking for fresh, updated lists of proxies, aren’t we? It doesn’t make sense to point you to the obvious
Now, if you want to dig a bit deeper, I’d point you to this resource of all software written to process proxies; Charon is by far the most functional, and besides you’ll find a bunch of other neat utilities there that are also quite revealing.
As for your last question:
I am not quite sure what the situation is… Do you actually have several workstations on your network displaying searchportal.information.com instead of legitimate sites? If so it seems more like real trouble, not a symptom!
It could be because poisoned DNS data somehow got into the DNS cache on your system, in which case you can either force an update of the DNS cache or wait till it goes away on its own. Alternatively it can be a Trojan, and you know what to do in that case.
Sorry for not being able to offer more help but this is all I can do considering the amount of data I have…
Comment by LZZR — May 11, 2007 @ 8:57 am
For those thinking it’s an innocent fun - think twice!
I suggest you check this thread, where user FrankElley, in his post of Mar 26 2007, reports something he calls a Gmail Hijack. Looking at his description I can only conclude that we are dealing with the same DNS hijack to searchportal.information.com as described above. Only this time the IP of the Gmail server gets overwritten on affected DNS servers.
In my worst nightmares I couldn’t imagine it would go this far! Even the almighty Google isn’t immune.
I repeat: if you’ve been redirected to searchportal.information.com instead of your Gmail - RESET your Gmail PASSWORD
Comment by LZZR — May 27, 2007 @ 5:01 am
I just tried to get a web site for Hancock and Moore Furniture (handcockandmoore.com) and got this “searchportal.information.com”.
I am on a new (March 07) Intel Mac (iMac 20). It is home use and stand alone. I am a long time user of computer software, but have only a little knowledge of computers. I don’t know what a portal is.
Thanks to you, Lzzr, I know that this is something to avoid, change passwords and so forth. Is this a threat to my computer? I am naked with this darn Apple; no anti-spyware or firewall or anything else that isn’t built into the machine. Do I need to scan my computer for viruses etc.?
Comment by Evanst3 — September 20, 2007 @ 2:34 pm
LZZR-
I also have been getting redirected to this searchportal.information.com thing and it is making me crazy. Here is something interesting:
We use a d-link brand router in our house. When the computers in the house are connected to the router wirelessly they (all) get occasionally redirected. When connected directly to the net via ethernet cable they will never be redirected. Does this not mean the infection is in the router and not the computers?
You can tell if you could be redirected by directly typing the address of a non-existent website. www.hnaadle.com works every time.
Comment by Bryce — March 2, 2008 @ 12:58 am
Bryce,
Most likely it isn’t a virus, it’s DNS poisoning of some sort. In your case I assume the difference between wired and wireless might simply be because of different DNS settings for those connections on your PCs, i.e. it may be that your wireless connection’s properties have DNS addresses that occasionally get poisoned. If the wired connection is unaffected and this is the case, try changing the DNS servers for the wireless connection to the same ones your wired connection has.
And another thought - if they are using the same pair of DNS servers, it might be that for some reason the wireless connection has to use the secondary DNS more often, and this one gets poisoned unlike the primary one.
Comment by LZZR — March 2, 2008 @ 10:31 am
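A defender-side check that ties together Bryce’s nonexistent-domain test, the redirect address from the post and LZZR’s advice to compare a suspect connection’s DNS against a known-good one. This is an added example, not code from the blog or its commenters; the random canary labels are constructed, `www.good.test` / `203.0.113.10` in the assumptions are made up, and `reference` is assumed to be any callable you supply (for example one built with a DNS library against a server you trust).

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

# Address the redirects in the post and comments were reported to land on.
SUSPECT_IPS = {"66.151.179.147"}

Lookup = Callable[[str], List[str]]


def system_lookup(name: str) -> List[str]:
    """Resolve name with the OS resolver; an empty list means NXDOMAIN / no answer."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def canary_names(count: int) -> List[str]:
    # Random labels nobody should have registered (the "www.hnaadle.com" trick from
    # the thread, generated fresh each run): an honest resolver must answer NXDOMAIN.
    return [f"www.{secrets.token_hex(6)}.com" for _ in range(count)]


def check_resolver(domains: List[str], lookup: Lookup = system_lookup,
                   reference: Optional[Lookup] = None, canaries: int = 3) -> Dict[str, List[str]]:
    """Run three checks against `lookup`; a finding list that stays empty means the check passed.
    `reference` is an optional second resolver (e.g. the wired connection's DNS servers,
    or one you trust) whose answers the configured resolver is compared against."""
    findings: Dict[str, List[str]] = {
        "nxdomain_hijack": [], "suspect_ip": [], "disagrees_with_reference": []}
    for name in canary_names(canaries):
        ips = lookup(name)
        if ips:  # a name that cannot exist resolved: the resolver rewrites NXDOMAIN
            findings["nxdomain_hijack"].append(f"{name} -> {','.join(ips)}")
    for name in domains:
        ips = lookup(name)
        hit = sorted(set(ips) & SUSPECT_IPS)
        if hit:  # a site you actually use now points at the redirect host
            findings["suspect_ip"].append(f"{name} -> {','.join(hit)}")
        if reference is not None and sorted(ips) != sorted(reference(name)):
            findings["disagrees_with_reference"].append(name)
    return findings


def is_poisoned(findings: Dict[str, List[str]]) -> bool:
    return any(findings.values())


if __name__ == "__main__":
    print(check_resolver(["www.livejournal.com", "www.gmail.com"]))
```

Disagreement with the reference resolver on its own is only a hint (CDN round-robin answers differ legitimately); a canary that resolves, or a monitored name landing on the suspect address, is the actionable finding.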
So what do I do if this is happening on my phone? I’m getting redirected to searchportal.information.com whenever I try and go to the Baltimore Sun’s mobile website. What do I do on a Windows Mobile 6 phone for DNS poisoning?
Comment by William — March 21, 2008 @ 7:44 pm
searchportal.information.com (and sptc.information.com) is a typo-squatting, ad-serving crap outfit.
I have found that several sites (domains) are OWNED by them. All of these sites list the name of the site and under that the phrase “What you need, when you need it” with a box-shaped logo. A large number of mistyped sites are owned by them, and perhaps people are looking for sites whose registrations expired and an outsider (searchportal.information.com) purchased the domain. See the previously mentioned handcockandmoore.com, or millanco.com, or nhlshop.ca, or dineychannel.com (note the missing “s”).
Comment by T — May 2, 2008 @ 2:48 pm