The Mysterious “Search Page”

I was working on getting the latest GTK# to compile from source using Microsoft’s tool chain the other night. I eventually gave up because of too many errors that I just did not want to take the time to fix. However, while I was coercing the build environment trying to get things to work I kept typing “vim” out of habit on the Windows CMD window. Eventually I got tired of trying to remember that I must use either Notepad or Wordpad. So I decided to download and install Vim for Windows. I typed in vim.org on my browser’s address bar and this is what I got:

This shows up instead of the real vim.org home page.

I have seen this page before. Berger had the same problem when we were moving our arsenic.ph domain to our shiny new server. Here’s what he was getting at the time:

Berger’s Arsenic.ph “Page”

It also appears that we were not the only ones affected by this issue. There are others who are also getting this strange page.

WTF?!?

The first time I saw this problem was when we moved our arsenic.ph domain name to our new server. There were, admittedly, a few kinks that I had not worked out yet and DNS was among them. I was able to access our home page with no problem. But Berger complained to me about getting this “search results” page and my first suspicion was that his PC had been hijacked and that DNS queries were going somewhere else. But then he’s using a Mac. You can deny it as much as you would like, but Mac users are not immune to pwnage. I found instructions on how to reset the DNS cache for Mac OS X. We tried it to no avail. Eventually he ended up doing a wipe-n-load on his Macbook Pro.

Eventually, our new DNS settings propagated throughout the whole DNS network, so arsenic.ph can now be accessed with no problems. I forgot about it, but then it reared its ugly head again last night. I thought that my laptop had been hijacked so I ran HijackThis, which found nothing out of the ordinary. I also downloaded and ran Spybot Search and Destroy. Nothing suspicious. Short of doing a full system scan with my AV software, I decided to take a different route.

I rebooted to Linux. Typed vim.org in Firefox and it automagically redirects to www.vim.org, Vim’s home page as it should. So what was triggering the “Search Page” on Windows?

meridiantelekoms.com is Sucks

To understand the problem, you need to understand what your OS does when you type in a bare domain name in your browser’s address bar. Typically it goes something like this:

Your OS will try to find the domain name in its local DNS cache. If this fails, it will query your first DNS server. If connecting to your first DNS server fails, it will try to connect to the second one in the list (some systems allow up to 5 backup DNS servers). If the DNS query does not return a usable IP address, your system will fall back to whatever it is you have as your “Primary Domain Suffix”. It will tack your primary domain suffix to the end of the domain name you have just supplied.

For example, you type in “nonexistentdomain.none” in your browser’s address bar. Your OS will go through with the usual query chain before giving up and using your supplied primary domain suffix. For SmartBro customers, your primary domain suffix is “meridiantelekoms.com” by default. So “nonexistentdomain.none” will be turned into “nonexistentdomain.none.meridiantelekoms.com”.

Let’s take a look at what “meridiantelekoms.com” looks like:

Meridian Telekoms “Home Page”

Look familiar? It appears that some uberleethax0r has taken over the meridiantelekoms.com website. Here is the whois data for meridiantelekoms.com as domaintools sees it.

Here is the relevant part of the whois data as reported by the command line whois tool that I have installed on Linux:

Registrant:
Maagdenberg, Ubbo
   Wilhelimanstraat 9
   Haarlem 2011vh
   NL

   Domain Name: MERIDIANTELEKOMS.COM

   Administrative Contact, Technical Contact:
      Maagdenberg, Ubbo                
      Wilhelimanstraat 9
      Haarlem 2011vh
      NL
      +31.003123 fax: +31.003123

   Record expires on 07-Oct-2008.
   Record created on 07-Oct-1999.
   Database last updated on 14-Jul-2008 12:30:54 EDT.

   Domain servers in listed order:

   NS5.WORLDNIC.COM             205.178.190.3
   NS6.WORLDNIC.COM             205.178.144.3

This “Ubbo Maagdenberg” person probably bought the expired meridiantelekoms.com domain and configured it to point to this “Relevancy Searcher” page that you keep getting if you try to enter a non-existent domain name. At the moment, getting this “Relevancy Searcher” page is only slightly annoying. But this can turn dangerous if the server running at the IP address 69.64.58.30 were hax0red and began serving malware to unsuspecting passersby on the Smart Broadband network. It can also be turned into a staging area for man-in-the-middle attacks.

How Do You Fix This?

The fix is pretty simple if you’re behind a router. Just set your router up so that it supplies “.” (dot/period) as the Primary Domain Suffix to DHCP clients. On my WRT54G router, this can be set up under the “Basic Setup” page of the “Setup” tab on the router’s web-based admin interface. Simply change the “Domain Name” field to say “.” (without quotes).
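
The suffix fallback described earlier in this post and the effect of the “.” setting, modelled in Python. This is an added example, not code from the original post; it is a simplified model of the lookup order as the post describes it (real resolvers differ in ordering details), and the function names, the `trusted` parameter and the sample config are assumptions made for illustration.

```python
# Added example: simplified model of the fallback order this post describes.
# The config text below is constructed sample data, not a captured file.
SAMPLE_RESOLV_CONF = """\
# constructed sample of an ISP/DHCP-supplied resolver config
nameserver 192.0.2.53
search meridiantelekoms.com
"""


def parse_suffixes(resolv_conf_text):
    """Return the suffix list from 'search'/'domain' lines (last one wins)."""
    suffixes = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("search", "domain"):
            suffixes = fields[1:]
    return suffixes


def candidate_queries(name, suffixes):
    """Names tried in order: the name as typed, then name + each suffix."""
    if name.endswith("."):
        return [name]  # trailing dot = fully qualified, nothing is appended
    candidates = [name + "."]
    for suffix in suffixes:
        bare = suffix.strip(".")
        # A suffix of "." is the DNS root, so appending it changes nothing.
        fqdn = f"{name}.{bare}." if bare else name + "."
        if fqdn not in candidates:
            candidates.append(fqdn)
    return candidates


def leaked_queries(name, suffixes, trusted=()):
    """Fallback queries that would be sent into a zone you do not control."""
    trusted_set = {t.strip(".").lower() for t in trusted}
    untrusted = [s for s in suffixes
                 if s.strip(".") and s.strip(".").lower() not in trusted_set]
    return candidate_queries(name, untrusted)[1:]


if __name__ == "__main__":
    suffixes = parse_suffixes(SAMPLE_RESOLV_CONF)
    for typed in ("nonexistentdomain.none", "vim.org", "vim.org."):
        print(typed, "->", candidate_queries(typed, suffixes))
        print("  leaves for untrusted zone:", leaked_queries(typed, suffixes))
    print("with '.' suffix:", candidate_queries("vim.org", ["."]))
```

Running the same check against the suffix your own DHCP lease hands out shows whether failed lookups are being retried under a domain you do not control.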

It’s a bit more involved if you’re directly connecting your PC to your SmartBro. It depends on what OS you’re running. If you’re running Windows, the instructions found here may help. It’s for Windows 2000 but it’s still usable under Windows XP.

If you’re running Linux and your distribution is using NetworkManager or some weird automatic network configuration daemon, then you need to go to your Linux distribution’s forum and try searching for “networkmanager resolv.conf”.

For Mac OS X, you’re on your own for now, at least until September of this year.

2 Responses to “The Mysterious “Search Page””

  1. Brownspank Says:

    That explains a lot. At first I thought it was some sort of parking page for unused domains. But then I noticed it popping up in more instances (the latest being the recent in a string of Philweavers.net blackouts). I even ran several free malware detection software on my relatively secure system, but came up with nothing. Good thing I came across your post, thanks for the info.

    As an alternative, I found that configuring your router/computer to use OpenDNS nameservers works wonders. (https://www.opendns.com/start)

    And lastly, screw SmartBro.

  2. nimrod.abing Says:

    @Brownspank

    Switching to OpenDNS will not fix this as you will still get redirected to the “search page” that the meridiantelekoms domain is pointing to. OpenDNS sucks because it tries to be “helpful” by providing you with its own “search” page when you type in an invalid domain name. Personally, I use the legendary 4.2.2.1 and 4.2.2.2 DNS servers.

    As for the Philweavers.net blackouts, MSWeb transferred us to a new VPS and there have been some issues with the new DNS settings. I have repeatedly fixed it manually but somehow it gets reverted back to the broken settings which causes PW to “disappear” from DNS.

    And yes, screw SmartBro. If I had any other choice I would not be on their service. Unfortunately for me, it’s either SmartBro or dial-up. I live too far away from the CO for DSL to work properly.
