IE8 error page hijack, on internal domain clients
  • IE8 error page hijack, on internal domain clients

    Server 2008-hosted corporate domain, some remote connections through dedicated IPSec site-to-site tunnels, some through client VPN-to-concentrator tunnels. Really odd behavior started recently: the home page for all domain members is an internally-hosted SharePoint 2008 or newer page, but the URL is not formed for open Internet travel. It's of the pattern "http://<server-name>/" with no "www" or ".com" bits added. Internal DNS resolves, external DNS has no clue. So if you're not connected to the local domain, you should get an error page to the effect of "...could not connect due to no dot/domain info". But said error page looks like a custom HTML doc, and bears no resemblance at all to a typical IE error page.

    Recently, the error page has changed to a survey, soliciting info about how you feel about the current King Abdullah of Saudi Arabia! You see his picture, then 3 links below it: Like him, don't like him, don't care. Anyone who's seen this error page show up because they've opened IE and the tunnel is not in effect for whatever reason has started getting nervous about malware, myself included.

    I used to work for this company, and still retain admin access into the system under a convoluted contractual situation. Unfortunately, I know virtually nil about HTML coding, etc., so I don't know where to look to see if something's been replaced and is now pushing out to clients. The internal admins have decided that this exhibits a problem on the open Internet, but it can only be duplicated on PCs that are domain members. Trying to access the correct page from a home PC doesn't give anything close to the same behavior.

    What I'm after is some idea where to look on a client PC for the error pages that IE uses to display info, so I can see about identifying the corrupted doc. All reasonable suggestions appreciated.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

  • #2
    Re: IE8 error page hijack, on internal domain clients

    Is the antivirus up to date? Is DNS still correctly configured?
    gerth

    MCITP sa, ea & va



    • #3
      Re: IE8 error page hijack, on internal domain clients

      Yes, AV is up to date and completely scans C:\ daily. DNS while using VPN comes from the domain; DNS when not using VPN comes from the local commercial ISP source. The same faulty behavior exists with users at multiple distant sites, with different ISPs, so different DNS servers.

      The only commonality we've found so far is their past attachment at some point to the single corporate domain. But the error only manifests when opening to the IE home page, when the domain isn't available (no VPN). So it appears to be some setting associated with IE error page posting, for a specific error condition. Since it only manifests on the clients when no owning domain is reachable, it must be on the clients, but where to look in Windows/IE?
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **



      • #4
        Re: IE8 error page hijack, on internal domain clients

        Bear in mind that the latest browsers have a habit of autocompleting the address bar. So if you don't specify the TLD on the domain it may be adding something to the end.

        So, if you put servername.com into the Internet, does it come up with your dicky page? You may have the unfortunate circumstance where you've picked a server name that is the same as the domain name of a dicky site.

        The only way round that would be to put in the local FQDN, such as http://servername.local, which would not be autocompleted to .com.



        • #5
          Re: IE8 error page hijack, on internal domain clients

          No autocompletion going on. The internal home page URL is being passed exactly as-is in the Internet Options. And I've tried the bit about adding '.com' to the server name to see what happens, and I get a bog-standard IE error page.

          Any new ideas? I canNOT duplicate this behavior from my home machine, or any other PC which hasn't been in contact with the corporate domain. The more I read about how IE handles errors (what little I've been able to find), the more it looks like there's malware that's been introduced into the domain, and we just have to figure out how to find it.
          *RicklesP*
          MSCA (2003/XP), Security+, CCNA

          ** Remember: credit where credit is due, and reputation points as appropriate **



          • #6
            Re: IE8 error page hijack, on internal domain clients

            Things to check. 1) and 2) are worth checking because it sounds quite insidious if it is malware. They won't be the whole cause if you are experiencing the issue on PCs that were connected but aren't currently; for that I would go for the hosts file.

            1) DNS - make sure there are no rogue entries in there and make sure that your DNS forwarder is pointing at what you expect it to.

            2) Router - doesn't happen often but the router could be compromised, maybe pointing to rogue DNS servers or something.

            3) Hosts files on the PCs (%SystemRoot%\system32\drivers\etc\) - make sure there are no baddies in there.

            Have you any log files from the antivirus? It may be that they cleaned up something in the past but didn't remove some settings. If you get any information like that it might lead to more information on what settings have been altered.

            Other ways to track things down.

            When a PC is getting this dodgy page coming up, do an nslookup on servername and see what is being returned. At least you can know where the offending site is hosted.

            Finally, I would try running a sniffer such as Wireshark. That will let you see exactly what is coming from where, if you know how to read it.

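One way to run the checks from this reply (hosts file, DNS, nslookup on the server name) together with the client-side IE settings the original poster is asking about, as an added example that is not from the thread: a PowerShell triage script for an affected client. The server name is a placeholder, and the registry keys are IE's standard home-page, proxy/PAC and Browser Helper Object locations.

```powershell
# Added triage script (not from the thread). $ServerName is a placeholder for the
# internal home-page host; run in an elevated PowerShell on an affected client.
param([string]$ServerName = "intranet-server")

function Show-Section($title) { Write-Output ""; Write-Output "== $title ==" }

# 1) hosts file: print every active mapping so a rogue line for the server stands out
Show-Section "hosts file entries"
$hostsPath = Join-Path $env:SystemRoot "system32\drivers\etc\hosts"
Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() -ne '' }

# 2) DNS servers and suffix search order: a bad suffix turns a bare name into a public FQDN
Show-Section "DNS configuration per enabled adapter"
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    Select-Object Description, DNSServerSearchOrder, DNSDomainSuffixSearchOrder | Format-List

# 3) what the bare name resolves to right now, off the VPN
Show-Section "nslookup $ServerName"
nslookup $ServerName 2>&1

# 4) IE home page as configured for the user and as pushed by Group Policy
Show-Section "IE start page (user and policy keys)"
foreach ($key in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main',
                 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main') {
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($p) { $p | Select-Object @{n='Key';e={$key}}, 'Start Page', 'Default_Page_URL' | Format-List }
}

# 5) proxy / PAC settings: a hijacked AutoConfigURL can redirect names that fail to resolve
Show-Section "proxy and auto-config settings"
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

# 6) Browser Helper Objects: an in-process add-on can rewrite any page IE renders
Show-Section "Browser Helper Objects"
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $name  = (Get-ItemProperty "HKLM:\Software\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
    "{0}  {1}" -f $clsid, $name
}
```

Compare the output from an affected client against a clean one: a hosts-file line or an AutoConfigURL that differs between the two is where to look first.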


            • #7
              Re: IE8 error page hijack, on internal domain clients

              The circuit we're using is a fat commercial synchronous Internet pipe, with a FortiGate firewall device for DHCP and control, and Cisco 3750 switches for distribution. There are no servers on this circuit, since it's shared by 5 different companies who are contractual partners on a project for the UK Ministry of Defence. Our firewall blocks anonymous inbound traffic, but lets everything out, as requested by all contractual partners. They accept the responsibility for the integrity of their clients, enforced via Group Policy from their respective domains through VPN tunnels, from each client PC.

              DNS is served by the ISP (British Telecom); our firewall merely forwards requests to them. And it's only 1 of the company employee sets at our site who see this page. Other members of the same company, at other sites, also see this same behavior, through their ISPs (names unknown). Our FortiGate firewall has only 2 people with access, me and my colleague. Access is logged, and we can account for all of it between us.

              Almost the first thing I checked was the hosts file. Also looked into LMHosts and NetBIOS settings. No joy there, which is why I started down the road to IE error page processing.

              Antivirus shows clean, scans have no quarantines or other such. I was hoping to avoid having to use Wireshark to ident where this traffic is coming from, esp. since all indications are that it's already on the client to begin with, not being fed in from a public Internet site. Oh, well, to the salt mine I go, I guess. It might be a day or 2, but I'll report back.
              *RicklesP*
              MSCA (2003/XP), Security+, CCNA

              ** Remember: credit where credit is due, and reputation points as appropriate **
