paypal down!
Kevin Day
toasty at dragondata.com
Wed Nov 16 05:15:39 UTC 2005
On Nov 15, 2005, at 10:22 PM, Hannigan, Martin wrote:
>
> No chance. Do you have the attributions wrong here? Even your own
> website
> says that 404's are 70% burp-factor - which I would tend to agree with
> for the most part. Not enough httpd spurned, reloads, bad pages, etc.
>
> http://www.404lab.com/404/yikes.asp
>
> And oddly enough, no mention of the possibility of malware. Time to
> update. :-)
>
Sorry, I guess I wasn't quite clear. No, I'm not suggesting that you
specifically have a trojan on your system (I know from your reputation
that's not happening :) ), or that I believed that malware was
definitively the cause for the original poster's problem either.
The point I was trying to make was malware does cause these exact
problems, and those attempting to support end users reporting these
problems need to keep trojans and other spyware in mind when
researching "{big_important_site} is down!!!" complaints, when it
appears to be up from everywhere else you look.
One really strange example happened about 6 months ago. One of our
"adult oriented" customers started getting emails from people saying
that their adult site was showing up to lots of users when they tried
visiting a certain list of sites (PayPal, eBay, Google, CNN, Hotmail,
etc). These users could still access small sites fine, but when they
entered any of the larger sites in their browser, they got a rather
graphic page from the porn site instead. We took down the page that the
viewers were being redirected to and put up a "Seeing this message
instead of the site you expected? Email us for help". After talking
to a few dozen people who wrote in, we finally figured it out. It
turns out that the common thing between all the people sending
complaints about this was that they were infected with an MSIE
"Browser Helper Object" that was redirecting traffic to any of these
sites to an HTTP proxy in Russia. This proxy was taking any request
and redirecting them to my client's URL. I'm guessing they were
sniffing for private info or inserting pops in the HTML or something,
and decided they were done. Why they didn't just kill the proxy
server instead of showing unsuspecting users "adult materials" isn't
really clear, unless it was meant to be some juvenile "fun".
I'd be curious to see if anyone on the ISP side of things has made a
list of recent/common IP addresses and hostnames that malware
attempts to connect to or resolve, and looked for accesses in name
server logs and netflow records to get an idea of what percentage of
end-users end up hitting them. I'm willing to bet it's disturbingly
high.
-- Kevin
(And I can't take credit for 404lab, not my site at all) :)
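The measurement Kevin asks about (take a list of hostnames and IP ranges that malware is known to contact, run it over recursive name-server query logs and flow records, and report what fraction of end-user IPs touched any of them) is straightforward to script. The following is an added example, not code from the post or from any ISP; the indicator list, the BIND-9-style query-log lines and the comma-separated flow records are all constructed for illustration, using reserved .invalid names and documentation address ranges so nothing here points at a real host.

```python
"""Count how many end-user IPs touched known-bad hostnames or IP ranges.

Added example: assumes a BIND 9 style query log ("client IP#port: query:
NAME IN TYPE ...") and a flow export already reduced to src,dst,dport.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical indicator list standing in for a "hosts malware contacts"
# list.  Names use the reserved .invalid TLD; the network is TEST-NET-1.
INDICATOR_HOSTS = {"update.example-bho.invalid", "proxy.example-bho.invalid"}
INDICATOR_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample query-log lines (not real logs).
DNS_LOG = """\
15-Nov-2005 22:01:03.117 client 203.0.113.10#1034: query: www.paypal.com IN A +
15-Nov-2005 22:01:04.002 client 203.0.113.10#1035: query: proxy.example-bho.invalid IN A +
15-Nov-2005 22:01:07.450 client 203.0.113.11#1036: query: www.ebay.com IN A +
15-Nov-2005 22:01:09.812 client 203.0.113.12#1037: query: Update.Example-BHO.invalid. IN A +
15-Nov-2005 22:01:12.004 client 203.0.113.13#1038: query: www.cnn.com IN A +
"""

# Constructed sample flow records: src_ip,dst_ip,dst_port.
FLOW_RECORDS = """\
203.0.113.10,192.0.2.55,8080
203.0.113.11,198.51.100.7,80
203.0.113.14,192.0.2.55,8080
203.0.113.15,198.51.100.8,443
"""

_DNS_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def normalize_name(name):
    """Lower-case and strip the trailing dot so FQDN forms compare equal."""
    return name.lower().rstrip(".")


def name_matches(qname, indicator_hosts):
    """True if qname equals, or is a subdomain of, any indicator host."""
    labels = normalize_name(qname).split(".")
    return any(".".join(labels[i:]) in indicator_hosts for i in range(len(labels)))


def ip_matches(ip, nets):
    """True if ip falls inside any indicator network; unparsable -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def parse_dns_log(text):
    """Yield (client_ip, qname) for every line that looks like a query."""
    return [(m.group(1), m.group(2))
            for m in (_DNS_RE.search(line) for line in text.splitlines()) if m]


def parse_flows(text):
    """Yield (src_ip, dst_ip, dst_port) from src,dst,dport lines."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3:
            out.append((parts[0], parts[1], int(parts[2])))
    return out


def find_hits(dns_entries, flows, hosts=INDICATOR_HOSTS, nets=INDICATOR_NETS):
    """Return (all client IPs seen, {client_ip: set of indicators touched})."""
    clients = set()
    hits = defaultdict(set)
    for client, qname in dns_entries:
        clients.add(client)
        if name_matches(qname, hosts):
            hits[client].add("dns:" + normalize_name(qname))
    for src, dst, dport in flows:
        clients.add(src)
        # Flow data catches clients that reach a hard-coded proxy IP
        # without ever resolving a name.
        if ip_matches(dst, nets):
            hits[src].add(f"flow:{dst}:{dport}")
    return clients, dict(hits)


def hit_rate(clients, hits):
    """Percentage of observed client IPs that touched at least one indicator."""
    return 100.0 * len(hits) / len(clients) if clients else 0.0


def run_sample():
    clients, hits = find_hits(parse_dns_log(DNS_LOG), parse_flows(FLOW_RECORDS))
    return clients, hits, hit_rate(clients, hits)


if __name__ == "__main__":
    clients, hits, pct = run_sample()
    for client in sorted(hits):
        print(client, sorted(hits[client]))
    print(f"{len(hits)} of {len(clients)} client IPs ({pct:.1f}%) touched an indicator")
```

Two caveats when reading the resulting percentage: a recursive resolver's log only covers customers who actually use that resolver, and NAT collapses a whole household or office into one client IP, so the figure is a lower bound on affected users, not a count of them. Matching on name suffixes rather than exact names is deliberate; the BHO described above could just as easily have resolved a per-victim subdomain of the proxy's domain.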