Phantom Redirect


#1

Hello all,

I’m having the most puzzling problem. I am getting a very strange
redirect:

http://kritiq.us/

    GET / HTTP/1.1
    Host: kritiq.us
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive

    HTTP/1.x 302 Moved Temporarily
    Server: nginx/0.6.16
    Date: Tue, 20 Jan 2009 20:05:28 GMT
    Content-Type: text/html
    Connection: keep-alive
    X-Powered-By: PHP/5.2.0-8+etch13
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Last-Modified: Tue, 20 Jan 2009 20:05:27 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://sedoparking.com/search/registrar.php?domain=kritiq.us&registrar=sedopark
    Vary: User-Agent,Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 170
    X-Cache: MISS from 226072

I have no idea where this redirect is coming from. I have no idea what
sedoparking is. I don’t have any PHP on the server, or even have it
installed, for all I know. This is a Rails project, it’s using the
config here:
http://pastie.org/365988

Can anyone give me a direction on this? I’m completely lost as to where
this is coming from and how to stop it.

BJ Clark


#2

Seems an expired domain to me.


#3

Check that your DNS isn’t pointing to Sedo’s parking servers.


#4

Yes, it looks like it’s the same Nginx.

I’m now looking into if this is a security issue (i.e., I was somehow
haxored and have figured it out).

I contacted Slicehost and they’ve never seen anything like this either.

BJ Clark


#5

The domain isn’t expired (I checked), but it might also be a problem
with Slicehost. Does the version of Nginx listed in the HTTP headers
match the actual version you have installed? It might be that Slicehost
uses Nginx and they are redirecting your domain.

Cliff


#6

On Tue, 2009-01-20 at 20:58 -0800, BJ Clark wrote:

> Yes, it looks like it’s the same Nginx.
>
> I’m now looking into if this is a security issue (i.e., I was somehow
> haxored and have figured it out).

Try disabling Nginx altogether in your VPS and see if it still happens.
You might even try running a different service on port 80.

If it still happens then I’d venture that your domain name isn’t
pointing to the correct IP address or that something is misconfigured on
Slicehost’s end (they are sending the IP to the wrong VPS).

Cliff
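
The checks suggested in this thread (is DNS pointing at the right address, do the response headers match what is actually installed), written out as an added example that is not part of any post above. The response head is the one captured in post #1, trimmed to the relevant headers; the `expected_stack` list and the premise that no caching proxy sits in front of the VPS are assumptions, as is the injectable `resolve` parameter used to run the DNS check offline.

```python
import socket
from urllib.parse import urlsplit

# Response head from post #1, trimmed to the headers examined below.
CAPTURED = """\
HTTP/1.x 302 Moved Temporarily
Server: nginx/0.6.16
X-Powered-By: PHP/5.2.0-8+etch13
Location: http://sedoparking.com/search/registrar.php?domain=kritiq.us&registrar=sedopark
X-Cache: MISS from 226072
"""

def parse_head(raw):
    """Split a raw response head into (status line, lowercase-keyed header dict)."""
    lines = [l for l in raw.splitlines() if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def foreign_signs(raw, domain, expected_stack):
    """List reasons the response probably was not produced by our own server."""
    _, h = parse_head(raw)
    signs = []
    powered = h.get("x-powered-by", "")
    if powered and not any(s in powered.lower() for s in expected_stack):
        signs.append(f"X-Powered-By names software we do not run: {powered}")
    # Assumption: nothing we deployed adds cache or proxy headers.
    if "x-cache" in h or "via" in h:
        signs.append("cache/proxy header present; an intermediary is in the path")
    host = urlsplit(h.get("location", "")).hostname
    if host and host != domain and not host.endswith("." + domain):
        signs.append(f"redirect leaves the domain: {host}")
    return signs

def dns_matches(domain, expected_ip, resolve=socket.gethostbyname_ex):
    """True if every A record for the domain is the address of our VPS."""
    addrs = resolve(domain)[2]
    return bool(addrs) and all(a == expected_ip for a in addrs)

if __name__ == "__main__":
    # expected_stack is an assumed description of a Rails-only deployment.
    for s in foreign_signs(CAPTURED, "kritiq.us", ["rails", "passenger", "mongrel"]):
        print("-", s)
```

A matching `Server:` version alone does not show the response came from your machine; the headers your stack never emits are the stronger signal.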