
IE being hijacked ?? - Any ideas ?

  • 09-09-2003 4:08pm
    #1
    Registered Users, Registered Users 2 Posts: 4,196 ✭✭✭


    I wrote a program that searches for downloadable files, and it has some banners on it, but the other day, on 1 particular PC I found something strange happening - the banner list wouldn't download, for some reason it was being redirected to real.com.

    I tried the banner list in IE and the same thing happened:

    The URL the program (and IE - the program uses the IE Control) tries to get is:

    http://www.mameromlinks.com/banner_list.txt

    But when I type it in I get redirected to

    http://www.real.com/banner_list.txt

    Which does not exist.

    Now - If I type this URL (the correct one) in Mozilla Firebird, I get the file correctly.

    Now the very weird part - If I track the HTTP traffic using Ethereal here's what I get from IE:

    GET /banner_list.txt HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-quickviewplus, */*
    Accept-Language: en-ie
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
    Host: www.mameromlinks.com
    Connection: Keep-Alive

    HTTP/1.1 301 Error
    Location: http://www.real.com/banner_list.txt
    Server: Microsoft-IIS/5.0
    Content-Type: text/html
    Content-Length: 158

    But here's what I get from the trace on Mozilla Firebird:
    GET http://www.mameromlinks.com/banner_list.txt HTTP/1.1
    Host: www.mameromlinks.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate,compress;q=0.9
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Proxy-Connection: keep-alive
    Cookie: admin=Um9tTWFzdGVyOmE4OGQyNmZkMGEyYWUyYmExYzQzNzM2MWVhNjYxN2QwOg%3D%3D; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D; user=MzpSb21NYXN0ZXI6YTg4ZDI2ZmQwYTJhZTJiYTFjNDM3MzYxZWE2NjE3ZDA6MTA6OjA6MDowOjA6M0QtRmFudGFzeTow; lang=english; phpbb2mysql_sid=91c5997c0cce3a16b5d870a4c1374b7e


    HTTP/1.1 200 OK
    Via: 1.1 PROXY2000
    Content-Length: 187
    Date: Tue, 09 Sep 2003 16:05:08 GMT
    Age: 0
    Content-Type: text/plain
    Server: Apache/1.3.27 Ben-SSL/1.48 SHC/1.6 (Unix) mod_jk/1.2.2 PHP/4.3.0 AuthMySQL/2.20 FrontPage/5.0.2.2510
    Last-Modified: Thu, 01 May 2003 14:10:00 GMT
    ETag: "bcb8de-bb-3eb12ab8"
    Accept-Ranges: bytes
    Keep-Alive: timeout=15, max=100

    http://www.mameromlinks.com/pse_banners/slikstik.html
    http://www.mameromlinks.com/pse_banners/donate.html
    Latest Version=1.01
    Update URL=http://www.mameromlinks.com/Downloads/mame067b.zip

    So basically, IE is being redirected.

    If I do it on another PC on the same network using IE (and the same proxy) it doesn't happen, so it's specific to my PC (and not a proxy problem)

    I've run AdAware and SpyBot on my machine and they find nothing....

    All I can think is that my IE HTTP Session is being hijacked....Any thoughts on this ???


Comments

  • Registered Users, Registered Users 2 Posts: 139 ✭✭soiaf


    Interesting...

    I connected to www.mameromlinks.com and pretended to be your browser (I directly connected to port 80 using telnet and sent the GET request exactly as your Ethereal dump shows) and I got the 'correct' response (the response with the e-tag etc.)

    Few questions, how come you seem to be going directly with IE but are using a proxy server with Mozilla? I know you said you tried someone else's PC (with IE), maybe they are going through the proxy and you're not? You don't have www.mameromlinks.com set up in your bypass-proxy list or something?

    Now the strange thing is that it is the web server that is responding with a 301 (this page has permanently moved).
    Why I'm confused is that normally I would suspect that the end server is redirecting you based on some information you're sending (user agent, cookies, whatever), but that doesn't seem to be the case. I would then suspect that it may have a rule based on IP ranges, but if another PC in the same network can access that would seem to shoot down that theory. So then I would think that you're not really connecting to the server that you think you are, like you're talking not through a proxy server and talking to a different server. You don't have www.mameromlinks.com set up in your hosts file on your machine by any chance pointing to a machine in your local network which for some mad reason points to a local machine? (I frantically grasp at straws).

    Have you tried pinging www.mameromlinks.com to see what IP address your machine resolves it to (and if that works try from the other 'working' PC)? I resolve it to 64.125.72.2
    Have you tried connecting to any other pages on this site?

    Sorry I can't be of more help, quite weird sounding problem...

    By the way, you shouldn't really post on the Internet with your Proxy-Authorization string, it's very simply encoded and you give your authentication details in it.
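
The path comparison made by eye in the reply above, as an added example (not code from the thread): it parses abridged copies of the two captures from the first post and reports where they differ. The function names are illustrative.

```python
# Added example: do two captured HTTP exchanges share a network path?
IE_TRACE = """GET /banner_list.txt HTTP/1.1
Host: www.mameromlinks.com
Connection: Keep-Alive

HTTP/1.1 301 Error
Location: http://www.real.com/banner_list.txt
Server: Microsoft-IIS/5.0
"""

FIREBIRD_TRACE = """GET http://www.mameromlinks.com/banner_list.txt HTTP/1.1
Host: www.mameromlinks.com
Proxy-Connection: keep-alive

HTTP/1.1 200 OK
Via: 1.1 PROXY2000
Server: Apache/1.3.27 Ben-SSL/1.48 SHC/1.6 (Unix) mod_jk/1.2.2 PHP/4.3.0
"""

def parse_block(block):
    """Return (start_line, headers) for one request or response block."""
    lines = block.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def path_facts(trace):
    req, resp = (parse_block(b) for b in trace.strip().split("\n\n", 1))
    target = req[0].split()[1]
    return {
        # An absolute-form target is what a client sends to a forward proxy.
        "via_proxy": target.lower().startswith("http://")
        or "proxy-connection" in req[1] or "via" in resp[1],
        "status": int(resp[0].split()[1]),
        "server": resp[1].get("server", "").split("/")[0],
    }

def compare(a, b):
    fa, fb = path_facts(a), path_facts(b)
    findings = []
    if fa["via_proxy"] != fb["via_proxy"]:
        findings.append("different path: one client is bypassing the proxy")
    if fa["server"] != fb["server"]:
        findings.append(f"different responder: {fa['server']} vs {fb['server']}")
    if fa["status"] != fb["status"]:
        findings.append(f"different status: {fa['status']} vs {fb['status']}")
    return findings
```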


  • Registered Users, Registered Users 2 Posts: 4,196 ✭✭✭deadl0ck


    Whoops - hadn't noticed my Base64 Encoded User/pass there....gone now...
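
On the Proxy-Authorization point raised above, an added example (not code from the thread) that scrubs credential-bearing headers from a capture before it is shared. It also shows why a Basic value is not secret. The sample capture, host and credential are constructed.

```python
import base64

# Constructed sample capture (not from the thread); the credential is made up.
TOKEN = base64.b64encode(b"alice:example-password").decode()
SAMPLE = (
    "GET http://www.example.com/ HTTP/1.1\n"
    "Host: www.example.com\n"
    f"Proxy-Authorization: Basic {TOKEN}\n"
    "Cookie: sid=0123456789abcdef; lang=english\n"
)

# Headers whose values carry credentials or session identifiers.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def basic_credentials(header_value):
    """Basic is only base64: it decodes straight back to user:password."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def redact_trace(trace):
    """Blank credential-bearing header values, keeping the auth scheme name."""
    out = []
    for line in trace.splitlines():
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in SENSITIVE:
            parts = value.split()
            keep = parts[0] + " " if key.endswith("authorization") and parts else ""
            line = f"{name}: {keep}[REDACTED]"
        out.append(line)
    return "\n".join(out)
```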


  • Registered Users, Registered Users 2 Posts: 4,196 ✭✭✭deadl0ck


    Problem solved...

    That's what you get when you go on holidays and your work mates decide to add their own settings to your machine to piss you off when you come back.......

    So basically - the whole problem was contrived :rolleyes:

