[Intrusions] Intrusions Digest, Vol 15, Issue 17 (Wrong IP Address?)
James C Slora Jr
Jim.Slora at phra.com
Tue Jun 28 15:03:33 GMT 2005
RedBeansRedToo wrote Monday, June 27, 2005 7:47 PM
> Ok I try to understand this but it is all Greek to me...can someone tell
> me what is wrong when my programs try to go to an ip address that is NOT the
> address of the place I am going? For instance the ip is xxxxx.ods.org but
> the place it wants to go to is 24.197.160.17 which is a charter.com address
> in GA? I need some help! Thank you Sheva

Several things could cause this:
1. The confusing information may not be incorrect at all. The site you are
trying to visit could have load balancing, redirection, failover, or some
other intentional measure that gives you addresses that don't match your
expectations. Ods.org may use servers on several different netblocks, and
you may not see the same address every time - even for the same site.
Ods.org sites can be hosted on machines that reside on non-ods.org
netblocks.
2. Your computer could be giving you bad information. An altered Hosts file
or a Layered Services Provider (LSP) adware trojan among other things could
cause this. Test by resolving names from a clean computer on the same
network.
3. Your DNS server could be giving you bad or outdated information. Your DNS
server responses may be poisoned. For more info on this problem and how to
fix it, see http://isc.sans.org/diary.php?date=2005-04-07 . Test by using
the command-line tool nslookup, and compare results from several different
DNS servers if possible.
There are always other possibilities, but I think these cover the most
common scenarios.
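
The checks in items 2 and 3 above, as an added example that is not part of the original message: it looks for a hosts-file entry that pins the name and compares the answers pasted from nslookup runs against several DNS servers. The resolver labels, the hosts content and every address except 24.197.160.17 are constructed sample values, and only IPv4 answers are handled.

```python
import re
from collections import Counter

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def hosts_overrides(hosts_text, name):
    """Addresses a hosts file pins to `name`; such entries bypass DNS."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment, split columns
        if len(fields) >= 2 and name.lower() in [f.lower() for f in fields[1:]]:
            hits.append(fields[0])
    return hits

def nslookup_answers(output):
    """IPv4 addresses after the 'Name:' line (skips the server's own address)."""
    _, found, answer = output.partition("Name:")
    return set(IPV4.findall(answer)) if found else set()

def compare(name, hosts_text, outputs):
    """outputs maps a resolver label to the nslookup text captured from it."""
    answers = {srv: nslookup_answers(out) for srv, out in outputs.items()}
    seen = Counter(ip for ips in answers.values() for ip in ips)
    # Outlier: every address it returned came from at most half the resolvers.
    # Load balancing can also cause this, so treat it as a lead, not a verdict.
    outliers = sorted(s for s, ips in answers.items()
                      if ips and all(seen[ip] * 2 <= len(answers) for ip in ips))
    return {"hosts": hosts_overrides(hosts_text, name),
            "answers": answers, "outliers": outliers}

# Constructed sample input (not real captures).
SAMPLE_HOSTS = """127.0.0.1  localhost
# 198.51.100.9 xxxxx.ods.org   (commented out, ignored)
198.51.100.7  XXXXX.ods.org  # constructed override
"""
def _reply(server, addr):
    return (f"Server:  {server}\nAddress:  {server}\n\n"
            f"Non-authoritative answer:\nName:    xxxxx.ods.org\nAddress:  {addr}\n")
SAMPLE_OUTPUTS = {
    "resolver-a": _reply("192.0.2.1", "24.197.160.17"),
    "resolver-b": _reply("192.0.2.2", "24.197.160.17"),
    "resolver-c": _reply("192.0.2.3", "203.0.113.9"),
}

if __name__ == "__main__":
    print(compare("xxxxx.ods.org", SAMPLE_HOSTS, SAMPLE_OUTPUTS))
```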