North American Network Operators Group


Re: paypal down!

  • From: Kevin Day
  • Date: Wed Nov 16 00:20:21 2005

On Nov 15, 2005, at 10:22 PM, Hannigan, Martin wrote:

No chance. Do you have the attributions wrong here? Even your own website
says that 404's are 70% burp-factor - which I would tend to agree with
for the most part. Not enough httpd spurned, reloads, bad pages, etc.

And oddly enough, no mention of the possibility of malware. Time to
update. :-)

Sorry, I guess I wasn't quite clear. No, I'm not suggesting that you specifically have a trojan on your system (I know from your reputation that's not happening :) ), or that I believed that malware was definitively the cause for the original poster's problem either.

The point I was trying to make was that malware does cause these exact problems, and those attempting to support end users reporting these problems need to keep trojans and other spyware in mind when researching "{big_important_site} is down!!!" complaints, when it appears to be up from everywhere else you look.

One really strange example happened about 6 months ago. One of our "adult oriented" customers started getting emails from people saying that their adult site was showing up to lots of users when they tried visiting a certain list of sites (PayPal, eBay, Google, CNN, Hotmail, etc). These users could still access small sites fine, but when they entered any of the larger sites in their browser, they got a rather graphic page from a porn site instead. We took down the page that the viewers were being redirected to and put up a "Seeing this message instead of the site you expected? Email us for help" page. After talking to a few dozen people who wrote in, we finally figured it out. It turns out that the common thing between all the people sending complaints about this was that they were infected with an MSIE "Browser Helper Object" that was redirecting traffic to any of these sites to an HTTP proxy in Russia. This proxy was taking any request and redirecting them to my client's URL. I'm guessing they were sniffing for private info or inserting pops in the HTML or something, and decided they were done. Why they didn't just kill the proxy server instead of showing unsuspecting users "adult materials" isn't really clear, unless it was meant to be some juvenile "fun".

I'd be curious to see if anyone on the ISP side of things has made a list of recent/common IP addresses and hostnames that malware attempts to connect to or resolve, and looked for accesses in name server logs and netflow records to get an idea of what percentage of end-users end up hitting them. I'm willing to bet it's disturbingly high.

-- Kevin

(And I can't take credit for 404lab, not my site at all) :)
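An ISP-side check of the kind Kevin suggests, as an added example that is not part of the thread: match name-server query logs and flow records against a list of suspect hostnames and addresses, then report what share of client IPs resolved or contacted any of them. The indicator list, the BIND-style log lines and the flow records are all constructed placeholders (example.net/.org names and TEST-NET addresses), not real malware infrastructure.

```python
import re
from collections import defaultdict
# Hypothetical indicators: placeholder names and TEST-NET addresses, not real malware infrastructure.
SUSPECT_HOSTS = {"bho-update.example.net", "proxy-relay.example.org"}
SUSPECT_IPS = {"192.0.2.45"}

# Constructed BIND-style query log: "client <ip>#<port>: query: <name> IN <type>".
DNS_LOG = """\
16-Nov-2005 00:01:02.123 client 10.0.0.5#1024: query: www.paypal.com IN A +
16-Nov-2005 00:01:03.456 client 10.0.0.5#1025: query: bho-update.example.net IN A +
16-Nov-2005 00:01:04.789 client 10.0.0.9#3001: query: www.ebay.com IN A +
16-Nov-2005 00:01:05.000 client 10.0.0.12#4000: query: cfg.proxy-relay.example.org. IN A +
"""
# Constructed flow export, one "src_ip dst_ip dst_port" record per line.
FLOW_LOG = """\
10.0.0.5 192.0.2.45 3128
10.0.0.9 198.51.100.7 80
10.0.0.20 192.0.2.45 3128
"""
DNS_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN ")

def is_suspect_name(qname, suspect_hosts):
    # The indicator itself or any subdomain of it; qname is already normalised by parse_dns.
    return any(qname == h or qname.endswith("." + h) for h in suspect_hosts)
def parse_dns(line):
    m = DNS_RE.search(line)
    return (m.group(1), m.group(2).rstrip(".").lower()) if m else None
def parse_flow(line):
    f = line.split()
    return (f[0], f"{f[1]}:{f[2]}") if len(f) >= 3 else None

def scan(lines, parse, is_suspect):
    """parse(line) -> (client, target) or None. Returns (clients seen, {client: suspect targets})."""
    seen, hits = set(), defaultdict(set)
    for rec in map(parse, lines):
        if rec is None:
            continue
        client, target = rec
        seen.add(client)
        if is_suspect(target):
            hits[client].add(target)
    return seen, dict(hits)

def infection_rate(dns_log, flow_log, suspect_hosts, suspect_ips):
    """Fraction of end-user IPs that resolved or contacted any indicator, with per-client evidence."""
    dns_seen, dns_hits = scan(dns_log.splitlines(), parse_dns, lambda q: is_suspect_name(q, suspect_hosts))
    flow_seen, flow_hits = scan(flow_log.splitlines(), parse_flow, lambda t: t.split(":")[0] in suspect_ips)
    evidence = {c: dns_hits.get(c, set()) | flow_hits.get(c, set()) for c in set(dns_hits) | set(flow_hits)}
    total = dns_seen | flow_seen
    return (len(evidence) / len(total) if total else 0.0), evidence
```

On the constructed data three of the four client addresses touch an indicator; on real logs the per-client evidence is what lets a help desk tell a "site is down" caller that the problem is on their machine.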