Pinpoint this web connection problem... (long)

cleverhandle

Diamond Member
Dec 17, 2001
(Warning - long, gory details)

I've got an odd problem, but I've been out of the scene for a few months, so I'm wondering if the following scenario rings any bells with you regulars here. My guess is virus/malware, but I'm not sure and the admins of these machines need specific info if I want them to help me. Maybe the problem is really on my end or with my ISP...

Problem: Some machines (Windows), at separate physical sites, cannot connect to any of several websites hosted on my server. At my wife's workplace, none of the 7 machines can connect. At my workplace, some machines can and some cannot - one machine might work while another right next to it (and thus on the same switch) doesn't.

Background: Both my primary DNS and web server are on the same server. The problem machines worked fine for many months, up until a few weeks ago. That time corresponds roughly with a stretch of a few days where my network was down due to hardware failure of the DSL modem. There was a problem at a third site for a few days just afterward where the user was getting bumped to some crappy web search advertising site, but that cleared up. The machines at my workplace are on a domain with an SMS server, but the quality of that server's administration is very much unknown. The machines at my wife's workplace are basically unmaintained. At my workplace, other sites appear to work fine, though one machine has similar problems connecting to my employer's webmail.

Variations on the scenario: In both cases, the problem is not a DNS problem - the site is found and nslookup works, but the web connection stalls. I am able to use SSH from problem machines at my workplace, so routing does not appear to be the problem. My wife doesn't do SSH, so I don't know about that site. However, she can ping our server successfully. My workplace blocks outgoing pings (brilliant!), so I can't check from there. But again, doesn't look like a routing issue. I have installed Mozilla at my workplace - that has the same problems. So it doesn't look like anything specific to IE either.

More Details: I did some packet captures (on the external interface of my router) this afternoon while giving my wife some instructions over the phone. Some things look odd to me, but I don't know big networks very well, so maybe I'm missing something about proxies or routing. Saw the following...

Test 1: Access webmail (SSL site) - I see the DNS query from an ameritech.net DNS node complete successfully. Then I see the SSL transaction start from a dynamic IP in broadviewnet.net. I don't know the gory details of SSL, but it looks like the machines complete a key exchange, transfer a bit of data, and then start over. She saw nothing at her end.

Test 2: Access non-SSL site - I see the successful DNS query from an ameritech.net DNS node, and then nothing. No HTTP transaction crosses my network boundary after the DNS is done.

Test 3: Access non-SSL site via IP address - zero, zilch, nada. No traffic at all.

Test 4: Ping the server - I see the successful DNS query. Then I see the ping requests/replies from/to a DSL IP in ameritech.net (which sounds right - her office uses a DSL line).

I have not yet done a packet capture from my workplace, but I'll ssh in and do a tcpdump tomorrow.

Now, to my half-uneducated eye, this looks suspicious and not merely broken. Why are the SSL requests coming from a different provider's IP than the ping? Are there known viruses/malware that might hijack a connection this way? It would be nice if I had sufficient privileges on the machines to run something like SpywareS&D or AdAware, but I don't. Then again, I'm out of the loop, so maybe the problem is somewhere else entirely.

Any ideas?
 

spidey07

No Lifer
Aug 4, 2000
Without knowing the makeup of both networks in question, it is almost impossible to tell.

Where is the server hosted?
What security is in place for this server?
Who is the provider?
 

cleverhandle

Diamond Member
Dec 17, 2001
Originally posted by: spidey07
without knowing the make up of both networks in question it is almost impossible to tell.

Where is the server hosted?
Who is the provider?
It's a home network on a /29 from Covad DSL.
What security is in place for this server?
The server (OpenBSD) sits behind a router (also OpenBSD) running PF. No IDS. I do check the logs, including a firewall log of unusual blocked traffic, pretty regularly. The PF rules ensure (in theory) that only appropriate (web/mail/DNS) traffic passes through to the server. All security patches are installed. I'd like to think my security here is pretty good - I'm not a pro, but I'm no tyro either. If you'd like to see copies of logs/rulesets/whatever, I can PM them to you.

You suggest that the problem may be server-side - where exactly should I look for more helpful details?
 

spidey07

No Lifer
Aug 4, 2000
Well, blocking the outgoing pings is good practice at work (we don't want no stinkin' worms scanning all over the place).

To check for general routing and connectivity, telnet to port 80 and type get index.html.

I was curious about the security/firewalls/NAT because that can throw a big monkey wrench into the whole transaction/conversation.
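The telnet-to-port-80 check suggested above, as an added example that is not from this thread: it reports which stage stops (name lookup, TCP handshake to the web port, or the HTTP reply), which is what separates a filtered or hijacked web path from plain routing trouble when DNS and ping already work. The local server and silent listener are constructed fixtures so it runs offline; host names and ports are placeholders.

```python
"""Layered reachability probe for the 'DNS works, ping works, web stalls'
symptom (added example, not code from the thread). The local HTTP server
and silent listener below are constructed fixtures for offline testing."""
import http.server
import socket
import threading


def probe_http(host, port=80, path="/index.html", timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'http-timeout' or 'http'."""
    try:
        addr = socket.gethostbyname(host)         # stage 1: name resolution
    except socket.gaierror as exc:
        return "dns", str(exc)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))                # stage 2: TCP handshake
    except OSError as exc:                        # timeout is an OSError too
        sock.close()
        return "tcp", f"{addr}:{port}: {exc}"
    request = (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    try:
        sock.sendall(request)                     # stage 3: HTTP request/reply
        reply = sock.recv(4096)
    except socket.timeout:
        return "http-timeout", f"connected to {addr}:{port}, no reply in {timeout}s"
    finally:
        sock.close()
    return "http", reply.split(b"\r\n", 1)[0].decode("latin-1", "replace")


class _OkHandler(http.server.BaseHTTPRequestHandler):
    """Constructed fixture: answers every GET with 200 and a tiny body."""
    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                 # keep the console quiet
        pass


def start_local_http_server():
    """Start a background HTTP server on 127.0.0.1; return (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def start_silent_listener():
    """Constructed fixture: accepts the TCP connection but never answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]
```

Run `probe_http("your.server.example", 80)` from a problem machine and a working one side by side: a 'tcp' result on one and 'http' on the other with identical DNS answers means the web port, not the route, is being interfered with.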