| |
Webroot HijackedWebroot.com looks like it got hijacked. Also if you go to their direct program update page it states "Go Away!"
www.webroot.com |
|
psloss
Premium Member
join:2002-02-24 |
psloss
Premium Member
2005-May-6 8:33 pm
Ouch. Looks like a DNS poisoning thing; right now, nslookup (I'm San Diego Road Runner) is reporting the www A record as such: QUESTIONS:
www.webroot.com, type = A, class = IN
ANSWERS:
-> www.webroot.com
type = A, class = IN, dlen = 4
internet address = 204.251.15.207
ttl = 67051 (18 hours 37 mins 31 secs) But if I go through dnsreport.com, it's reporting: www.webroot.com. A 64.78.150.210 [TTL=60][US] Another unfortunate thing is if I try "webroot.com" in my default Firefox setup, it replaces with the hijacked www name... What's everyone else seeing? Philip Sloss |
|
| |
Spanner intheWorks to Finalnight8
Anon
2005-May-6 8:38 pm
to Finalnight8
Wonder if they forgot to renew the domain ? if it's not a hijack. Either way poor ol'e Webroot cos SpySpeeper is a FAB product. Anyway i'm sure they'l get it sorted ASAP. In the meantime you can peruse some of their other pages thru here - » research.spysweeper.com/Spanner intheWorks/SpannerITWks Spanner |
|
 dadkinsCan you do Blu?
MVM
join:2003-09-26
Hercules, CA |
to psloss
|
|
| |
to Spanner intheWorks
said by Spanner intheWorks:
Wonder if they forgot to renew the domain ? why wonder if you can run whois and see? » www.dnsstuff.com/tools/w ··· root.comwebroot.com expires in 2009 I see a directnic.com generic page now found message when I go to www.webroot.com which resolves to 64.78.150.210 for me. |
|
 norwegian
Premium Member
join:2005-02-15
Outback |
to Finalnight8
is it related to anywhere in their site specifically, like their online scanner.......??????????
and what time it went down |
|
 garys_2k
Premium Member
join:2004-05-07
Farmington, MI |
to dadkins
I get that, too. I looked at the source code and didn't see it, but I suspect it's CWS. |
|
psloss
Premium Member
join:2002-02-24 |
to boywaja
said by boywaja:I see a directnic.com generic page now found message when I go to www.webroot.com which resolves to 64.78.150.210 for me. That's interesting -- I get different pages and responses. Here's what I'm seeing with WGET; first to the assumed hijack server: F:\TEMP>wget --server-response --timestamping http://www.webroot.com/
--00:43:50-- http://www.webroot.com/
=> `index.html'
Resolving www.webroot.com... 204.251.15.207
Connecting to www.webroot.com[204.251.15.207]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Sat, 07 May 2005 00:45:05 GMT
3 Server: Apache/2.0.51 (Fedora)
4 X-Powered-By: PHP/4.3.9
5 Connection: close
6 Content-Type: text/html; charset=UTF-8
Last-modified header missing -- time-stamps turned off.
--00:43:50-- http://www.webroot.com/
=> `index.html'
Connecting to www.webroot.com[204.251.15.207]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Sat, 07 May 2005 00:45:05 GMT
3 Server: Apache/2.0.51 (Fedora)
4 X-Powered-By: PHP/4.3.9
5 Connection: close
6 Content-Type: text/html; charset=UTF-8
[ <=> ] 23,454 63.62K/s
00:43:51 (63.62 KB/s) - `index.html' saved [23454] Then to Webroot's IP as resolved elsewhere: F:\TEMP>wget --server-response --timestamping http://64.78.150.210/
--00:44:14-- http://64.78.150.210/
=> `index.html'
Connecting to 64.78.150.210:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Sat, 07 May 2005 00:43:20 GMT
3 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7e
4 X-Powered-By: PHP/4.3.10
5 Set-Cookie: WRSID=e899ee1ae9873069afdd22c4d5877b12; path=/
6 Expires: Thu, 19 Nov 1981 08:52:00 GMT
7 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
8 Pragma: no-cache
9 Keep-Alive: timeout=3, max=35
10 Connection: Keep-Alive
11 Content-Type: text/html
Last-modified header missing -- time-stamps turned off.
--00:44:14-- http://64.78.150.210/
=> `index.html'
Connecting to 64.78.150.210:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Sat, 07 May 2005 00:43:21 GMT
3 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7e
4 X-Powered-By: PHP/4.3.10
5 Expires: Thu, 19 Nov 1981 08:52:00 GMT
6 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
7 Pragma: no-cache
8 Connection: close
9 Content-Type: text/html
[ <=> ] 12,350 74.91K/s
00:44:14 (74.91 KB/s) - `index.html' saved [12350] Philip Sloss |
|
| psloss |
to Finalnight8
Looks like this might be a mistake rather than something sinister, but the TTL on the A record here is a little less than 18 hours, which is a lot of downtime... |
|
 DuckRyder
Premium Member
join:2005-02-04
Newnan, GA |
to Finalnight8
Whew, I thought it was just me.
The update screen from within spysweeper appears to work now. But any other link I get the same page posted by "like no other". |
|
 dp
MVM
join:2000-12-08
Greensburg, PA |
to Finalnight8
Apparently it is okay now. It just loaded fine for me. |
|
| |
to Finalnight8
DP ...I don't know what ur smokin but the Webroot site seems like its still down or being Hijacked. Directnic.com seems to re-direct the Spy Sweeper home page and I know I'm not hijackee. This is where it seems to re-direct you or at least its association... » www.directnic.com/I am still running 3.5 build 189, but I here there's 4.0 build 186 release...can anyone confirm???  |
|
|
dp
MVM
join:2000-12-08
Greensburg, PA |
dp
MVM
2005-May-7 1:39 pm
said by kurtman843:DP ...I don't know what ur smokin but the Webroot site seems like its still down or being Hijacked. » webroot.com |
|
 BuddelIf it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU |
Buddel to dp
Premium Member
2005-May-7 1:46 pm
to dp
said by dp:Apparently it is okay now. It just loaded fine for me. Confirmed. It also loaded fine for me.:) |
|
 fundamentalsThe Basics
Premium Member
join:2004-04-30
Moorpark, CA |
to Finalnight8
I'm still getting the directnic page. |
|
 hayc59Your a Daisy
Premium Member
join:2001-02-26 |
to Finalnight8
Well I must be smokin the same great stuff!! cause i cant to get it either  |
|
dp
MVM
join:2000-12-08
Greensburg, PA
1 edit |
to fundamentals
Do you get directnic here? » 64.78.150.210/Target Name: www.webroot.com IP: 64.78.150.210 2 27 ms [10.6.3.1] 3 28 ms at-2-0-0-1713.CORE-RTR2.PITT2.verizon-gni.net [130.81.8.193] 4 37 ms so-7-0-0-0.BB-RTR1.PHIL.verizon-gni.net [130.81.18.2] 5 28 ms so-1-0-0-0.PEER-RTR1.PHIL.verizon-gni.net [130.81.7.226] 6 27 ms dca-edge-03.inet.qwest.net [65.118.218.45] 7 28 ms dca-core-02.inet.qwest.net [205.171.9.61] 8 82 ms dia-core-01.inet.qwest.net [205.171.8.137] 9 91 ms dvr-edge-01.inet.qwest.net [205.171.10.10] 10 82 ms gige-05-00.brdr01.den05.viawest.net [65.121.56.78] 11 83 ms vi-009.aggm01.den05.viawest.net [64.78.230.215] 12 82 ms www.webroot.com [64.78.150.210] |
|
 antiseriousThe Future ain't what it used to be
Premium Member
join:2001-12-12
Scranton, PA |
to Finalnight8
... no problem getting to webroot at any of these links, for me at least ... » 64.78.150.210/» www.webroot.com/» research.spysweeper.com/... f w i w ... |
|
| |
to Finalnight8
This is in response to my support request to Webroot on this issue:
"Hi,
We are experiencing technical issues with our DNS server and are in the process of correcting the issue. The issue should be resolved within 48 hours. Please retry at a later time. We apologize for the inconvenience.
It is important to know a few things about this problem:
- Our site has NOT been hacked.
- Webroot is NOT distributing Spyware or hijacking people’s web browsers.
- This is NOT a permanent problem.
- This issue affected an estimated 60% of our users.
- As soon as Webroot was aware of the problem we took steps to resolve it.
- Customers will no longer experience the error once their ISPs DNS server refreshes.
Ticket Information:
Ticket #: 693-985364
Date Created: 5/7/2005 10:23 AM MDT " |
|
psloss
Premium Member
join:2002-02-24 |
to Finalnight8
I sent an e-mail into the Internet Storm Center last night and they pointed out that DirectNIC is "authoritative" for webroot.com, so even though it wasn't intentional, it also wasn't malicious.
FYI, I'm on Earthlink dialup right now and the TTL for the WWW A record has almost expired; it was down to about 10 minutes. So hopefully our ISP DNS will be updated soon...
Philip Sloss |
|
| |
to Finalnight8
So what about the GO AWAY!!!!!!! Page, do you think this is
" DirectNIC is "authoritative" for webroot.com" also? |
|
 VerdeDudeHere Kitty Kitty
Premium Member
join:2003-05-01
Northern Az. |
Why? |
Automatic DNS message? |
|
 richk_1957If ..Then..Else
Premium Member
join:2001-04-11
Minas Tirith |
to Finalnight8
It's back up. |
|
hayc59Your a Daisy
Premium Member
join:2001-02-26 |
to Finalnight8
yes and working here  |
|
| |
to kurtman843
said by kurtman843:DP ...I don't know what ur smokin but the Webroot site seems like its still down or being Hijacked. Directnic.com seems to re-direct the Spy Sweeper home page and I know I'm not hijackee. This is where it seems to re-direct you or at least its association... » www.directnic.com/I am still running 3.5 build 189, but I here there's 4.0 build 186 release...can anyone confirm??? Your Current Version: Version 3.5 Latest Release: Version 3.5 Congratulations! You've got the latest version of Spy Sweeper. Please visit us periodically to check for new product releases. |
|
 kikidoo
Premium Member
join:2001-07-09
Ventnor City, NJ |
to kurtman843
Yesterday I clicked on the "update program" button and it gave me the option to beta test version 4.0.
Program Version 4.0.0 (Build 312) Using Spyware Definitions 483
So far it runs great. |
|
| |
to Finalnight8
I am still getting URL / errors when trying to check for the latest spy sweep update. I am running 3.5, build 189 as the most current. The home site seems to work now....but checking for a program update seem lite up errors. Anyone else???
"the requested URL /keycodes/checkforupdate_new2.asp was not found on this server." |
|
| |
siliconman01
Anon
2005-May-8 6:47 am
KikiDoo,
Can you post the download link for Spy Sweeper Beta 4.0.0.312?
I'm on build 303 and cannot find any mechanism on the Webroot site or through SS Beta 4.0 to track down the much newer build. |
|
 gracie7Geek Goddess
Premium Member
join:2003-07-15
confusion |
to DuckRyder
said by DuckRyder:The update screen from within spysweeper appears to work now. i'm a little concerned about using the updates---is it possible they are not good either? webroot's insistence that they weren't hijacked should be reassuring, but the presence of the "go away" and other iffy things makes me nervous about recommending updating to friends using the program... |
|
| |
to Finalnight8
First webroot has unspecified problems with DNS, now google....
Hmm.... Is there something they are not telling us... |
|
