7Timer Highjacked

[Rick Petrie]

Tried logging on to 7Timer for weather predictions and link came up with a Web Hosting site.??????
What the........
Is everyone having this problem or is 7Timer history???

[Allan_L (Allan)]

seems to be working fine for me at the moment, Rick.

[Rick Petrie]

Quote:

Originally Posted by Allan_L

seems to be working fine for me at the moment, Rick.

Thanks Al
I seemed to have picked up some Malware on my saved links.
Problem now fixed.

[pluto (Hugh)]

The old URL 7timer.y234.cn no longer works, the new URL 7timer.com is fine.

[multiweb (Marc)]

Their IP [202.127.24.18] seems to work but the domain 7timer.com doesn't resolve properly for me. It's on and off. Have they been having a change of servers again?

[Rodstar (Rod)]

I use the iPhone app Sky Harbinger, which relies on data from 7Timer. It was offline for about a week up until a few days ago. I wonder if that was connected to the issues others have been experiencing??

[GTB_an_Owl (Geoff)]

refer to pluto's post above Rod

took me a while to work out what was happening on my weather site with 7Timer links ( http://weather.gtbonline.com.au )
i had a mixture of the two addresses - hence some worked, some didn't
everything works on 7timer.com now

geoff

[IanParr (Ian)]

This is the internet folks. It pays to be paranoid.

Until I know better my NoScript blocker keeps 202.127.24.18 firmly in my Untrusted list and I'll use Astro Panel on my Phone and monitor what's happening before using the 'new' 7Timer on my PC and I think for good reason.

Internet security starts and ends with the browser. If you have one tough password it should be on your browser and you need a good script blocker.

Using the command line and Tracert outside my browser 7Timer.com resolves as 31.170.160.98 and without reference to 202.127.24.18 in is trace.

In Firefox the URL is going to 202.127.24.18. That address traces eventually all the way without reference to an normally invisible PRIVATE address 192.168.2.2. Private Networks 10.0.0.0/172.16.0.0/192.168.0.0 should not be visible nor routeable over the internet).

Could be innocent lag while DNS Databases refresh for the name change but could be an attempt to open the door to your PC.

Unresolved name 202.127.24.18 ?

Tracing route to 202.127.24.18 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms NB604N.Home [192.168.1.1]
2 15 ms 14 ms 15 ms 10.20.22-15.tpgi.com.au [10.20.22.15]
3 17 ms 15 ms 16 ms 203-29-129-132.static.tpgi.com.au [203.29.129.132]
4 128 ms 127 ms 126 ms cstnet2-RGE.hkix.net [202.40.161.238]
5 128 ms 128 ms 128 ms 8.192 [159.226.254.213]
6 165 ms 166 ms 165 ms 8.198 [159.226.254.253]
7 167 ms 166 ms 167 ms 8.131 [159.226.253.53]
8 165 ms 164 ms 163 ms 8.206 [159.226.253.70]
9 187 ms 187 ms 187 ms 192.168.2.2
10 * ^C

One it gets to the so called Private address 192.168.2.2 it becomes untraceable which may its purpose.

However 7Timer.com outside my browser resolves as 31.170.160.98 and traces eventually all the way without reference to 202.127.24.18.

Tracing route to 7timer.com [31.170.160.98]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms NB604N.Home [192.168.1.1]
2 39 ms 15 ms 15 ms 10.20.22-15.tpgi.com.au [10.20.22.15]
3 16 ms 15 ms 15 ms syd-pwk-dym-csw1-tg-3-2.tpgi.com.au [203.26.20.17]
4 15 ms 15 ms 15 ms syd-pwk-dym-crt1-ge-4-0-0.tpgi.com.au [203.29.135.137]
5 15 ms 15 ms 16 ms syd-sot-ken-crt3-TG-12-3.tpgi.com.au [203.29.135.129]
6 16 ms 19 ms 19 ms 203-219-35-4.static.tpgi.com.au [203.219.35.4]
7 169 ms 177 ms 170 ms 10ge1-3.core1.sjc1.he.net [72.52.93.37]
8 177 ms 174 ms 174 ms 10ge2-1.core1.sjc2.he.net [72.52.92.118]
9 169 ms 170 ms 169 ms 72.52.80.74
10 176 ms 174 ms 169 ms bbr02snjsca-bue-6.snjs.ca.charter.com [96.34.3.2]
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 240 ms 239 ms 239 ms bbr01atlnga-bue-5.atln.ga.charter.com [96.34.0.36]
15 235 ms 235 ms 235 ms crr01sghlga-bue-3.sghl.ga.charter.com [96.34.2.71]
16 236 ms 236 ms 237 ms crr02sghlga-bue-100.sghl.ga.charter.com [96.34.73.93]
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 247 ms 246 ms 247 ms ahvl.immedion.charter.com [68.115.192.218]
24 250 ms 250 ms 250 ms 67.23.161.157
25 249 ms 249 ms 251 ms 67.23.161.129
26 252 ms 250 ms 252 ms ashv1.main-hosting.com [208.69.231.10]
27 249 ms 249 ms 250 ms 31.170.160.98

Trace complete (eventually) .

I'm no IP or web expert and maybe Marc can comment, but I think this is wacky enough to deserve quarantine.

Ian Parr

[mithrandir (Andrew)]

I don't know where you're getting the 202.127.24.18 address, but I do recall 7timer having a Chinese IP.

$ whois 202.127.24.18
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '202.127.16.0 - 202.127.31.255'

inetnum: 202.127.16.0 - 202.127.31.255
netname: CSTNET
descr: China Science & Technology Network
descr: No.4,4th South Street, Zhong Guan Cun, Haidian District,
descr: P.O.Box 349,Beijing 100080
country: CN
admin-c: LH90-AP
tech-c: LH90-AP
status: ALLOCATED PORTABLE
remarks: Send abuse reports to antispam@cstnet.cn
changed: ipas@cnnic.cn 20080625
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CN-CSTNET
source: APNIC

person: Li Hong
nic-hdl: LH90-AP
address: No.4, Zhongguancun 4th South Street, Haidian District, Beijing
phone: +86-10-58812000
fax-no: +86-10-58812900
country: CN
changed: chentao@cnnic.net.cn 20041109
mnt-by: MAINT-CN-LIHONG
source: APNIC

% Information related to '202.127.16.0/20AS7497'

route: 202.127.16.0/20
descr: Route origin from CSTNET
country: CN
origin: AS7497
remarks: Please contact lihong@cstnet.cn if you have any
remarks: questions regarding this object.
remarks: Antispam mail please send to antispam@cstnet.cn.
notify: lihong@cstnet.cn
mnt-by: MAINT-CN-CSTNET
changed: lihong@cstnet.cn 20090510
source: APNIC

% Information related to '202.127.16.0/20AS7497'

route: 202.127.16.0/20
descr: Route origin from CSTNET
country: CN
origin: AS7497
remarks: Please contact lihong@cstnet.cn if you have any
remarks: questions regarding this object.
remarks: Antispam mail please send to antispam@cstnet.cn.
notify: lihong@cstnet.cn
mnt-by: MAINT-CN-CSTNET
changed: lihong@cstnet.cn 20090510
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS2)

$ dig -x 202.127.24.18

; <<>> DiG 9.8.4-P2 <<>> -x 202.127.24.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35338
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;18.24.127.202.in-addr.arpa. IN PTR

;; Query time: 554 msec
;; SERVER: 61.9.194.49#53(61.9.194.49)
;; WHEN: Mon Jun 9 14:57:11 2014
;; MSG SIZE rcvd: 44

which means there is no valid reverse lookup. On the other hand it now seems to be hosted in Lithuania.

$ dig 7timer.com

; <<>> DiG 9.8.4-P2 <<>> 7timer.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;7timer.com. IN A

;; ANSWER SECTION:
7timer.com. 3289 IN A 31.170.160.98

;; Query time: 14 msec
;; SERVER: 61.9.194.49#53(61.9.194.49)
;; WHEN: Mon Jun 9 14:51:53 2014
;; MSG SIZE rcvd: 44

$ whois 31.170.160.98
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '31.170.160.0 - 31.170.163.255'

% Abuse contact for '31.170.160.0 - 31.170.163.255' is 'abuse@main-hosting.com'

inetnum: 31.170.160.0 - 31.170.163.255
netname: HOSTING
descr: Main Hosting Servers
country: US
admin-c: HN1858-RIPE
tech-c: HN1858-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTINGER
source: RIPE # Filtered

person: Hostinger NOC
address: Hostinger, UAB
address: Europos pr. 32, Kaunas
address: Lithuania
remarks: ---------------------------------------------------
remarks: Abuse and intrusion reports should be sent to:
remarks: abuse@main-hosting.com
remarks: ---------------------------------------------------
phone: +37064503378
abuse-mailbox: abuse@main-hosting.com
nic-hdl: HN1858-RIPE
mnt-by: HN19812-MNT
source: RIPE # Filtered

% Information related to '31.170.160.0/22AS47583'

route: 31.170.160.0/22
descr: HOSTINGER US
origin: AS47583
mnt-by: MNT-HOSTINGER
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.73.1 (DBC-WHOIS3)

[IanParr (Ian)]

That's what comes up for me and Marc in our browsers when we enter the url 7Timer.com.

The address changes to http:/ /202.127.24.18 in the address bar ('/ /' is to stop this ending up as link)

China Science & Technology Network sounds about right but either way I am puzzled and therefore cautioned by the behavior.

Ian

[mithrandir (Andrew)]

Quote:

Originally Posted by IanParr

That's what comes up for me and Marc in our browsers when we enter the url 7Timer.com.

The address changes to http:/ /202.127.24.18 in the address bar ('/ /' is to stop this ending up as link)

China Science & Technology Network sounds about right but either way I am puzzled and therefore cautioned by the behavior.

OK figured it out.

www_dot_7timer_dot_com (stupid software insists on making it a URL even after I tell it not to) sends a "301 Moved Permanently" to 202.127.24.18

You choice is unblock the address or stop using 7timer.

[IanParr (Ian)]

Brutal but fair. After you sir. The waters fine.

[multiweb (Marc)]

Quote:

Originally Posted by mithrandir

OK figured it out.

www_dot_7timer_dot_com (stupid software insists on making it a URL even after I tell it not to) sends a "301 Moved Permanently" to 202.127.24.18

You choice is unblock the address or stop using 7timer.

301 - correct. I've used a curl script to check connectivity for my feeds for the past 4 months and I've temporarily hardcoded the IP in the query string. As said previously the domain 7timer.com resolving is shaky at best still.