Linode Forum
Linode Community Forums
Posted: Mon Aug 29, 2005 6:56 pm
Junior Member

Joined: Thu Jun 16, 2005 12:28 pm
Posts: 33
So by chance I happened to notice that a domain name was redirecting to one of my own domains, and upon looking into it further, I'm not sure what to think of it.

I own fybertech.com and fybertech.net. Fybertech.info is the fishy one. It resolves to 69.25.142.3, and looking around Google provided me with this link, which shows the server seems to host a whopping 541,900 domains.

It turns out the domain isn't even being redirected, exactly. It loads a page on their server, which opens my site in a full-page frame. While it doesn't seem to be doing anything bad that I can tell, I'm thinking that theoretically one could use JavaScript to capture input typed on the page and report it back. I can't recall at the moment whether a parent frame has the ability to capture key input from a child one or not.

Anyways, I'm thinking I might just use htaccess to block anything leading to my sites with fybertech.info as a referrer. But it still leaves me wondering what the deal is with this place, and why they're redirecting to me in the first place.


EDIT: I blocked fybertech.info from referring to my site, but I discovered that another domain I manage, hazardlabs.com, has a hazardlabs.info attached to it as well (running on a different ip than the fybertech.info). None of the other domains I have ties to are like that, however.
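The second look-alike domain above was found by chance; the scan below looks for such referrers systematically. It is an added example, not part of the original post: the log lines are constructed samples in Apache combined format, and the name-matching rule (same first label as an owned domain, different host) is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Domains the poster names as ones he owns or manages.
OWNED = {"fybertech.com", "fybertech.net", "hazardlabs.com"}

# Constructed sample log lines (not real traffic).
LOG = '''\
198.51.100.7 - - [29/Aug/2005:18:40:01 -0400] "GET / HTTP/1.1" 200 5120 "http://fybertech.info/" "Mozilla/4.0"
198.51.100.7 - - [29/Aug/2005:18:40:02 -0400] "GET /style.css HTTP/1.1" 200 900 "http://fybertech.com/" "Mozilla/4.0"
203.0.113.9 - - [29/Aug/2005:18:41:10 -0400] "GET / HTTP/1.1" 200 5120 "http://www.hazardlabs.info/" "Mozilla/4.0"
203.0.113.20 - - [29/Aug/2005:18:42:00 -0400] "GET / HTTP/1.1" 200 5120 "http://www.google.com/search?q=fybertech" "Mozilla/4.0"
203.0.113.21 - - [29/Aug/2005:18:43:00 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
'''

# Request line, status, size, then the quoted Referer field.
COMBINED = re.compile(r'"[A-Z]+ \S+ [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def base_host(host):
    """Lower-case a hostname and drop a leading 'www.'."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def lookalike_referers(log_text, owned=OWNED):
    """Count referring hosts that reuse an owned name but are not owned."""
    labels = {d.split(".")[0] for d in owned}
    hits = Counter()
    for line in log_text.splitlines():
        m = COMBINED.search(line)
        if not m or m.group("referer") in ("", "-"):
            continue  # no Referer sent (direct visit or stripped header)
        host = base_host(urlsplit(m.group("referer")).hostname)
        if host not in owned and host.split(".")[0] in labels:
            hits[host] += 1
    return hits

if __name__ == "__main__":
    for host, count in lookalike_referers(LOG).items():
        print(f"{count:4d}  {host}")
```

The Referer header is supplied by the browser and can be missing, so an empty result does not prove that nobody is framing the site.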


Posted: Tue Aug 30, 2005 11:37 am
Senior Member

Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
Very strange. I'm getting "forbidden" trying to pull up fybertech.info, so I guess that's your block that's doing that.

The whois information for the IP shows:

Code:
eNom INAP-SEF-ENOM-1761 (NET-69-25-142-0-1)
                                  69.25.142.0 - 69.25.142.63


eNom is a domain name registrar. I think it's often used by domain-squatters, and eBay domain-traders. I have no idea why a domain you don't own would be there forwarding to one that you do.

The whois data for the domain is using a privacy protection service. [http://www.whois.sc/fybertech.info].

Edit: I'm not sure if they can do keylogging directly with script, but it certainly gives them the option to do things with cookies, popups, ads, web-bugs, etc. If they do google-hijacking so that their version appears higher in the search rank than the real one, they can track your traffic.

_________________
----
Ed/Bones.


Posted: Tue Aug 30, 2005 11:50 am
Senior Member

Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
OK, I found something. It looks like it's eNom trying to tack ads onto your site.

Check this out: http://www.webhostingtalk.com/archive/thread/377890-1.html

Here's the code of the page they're "redirecting" to your site with:

Code:
<html><head>

<title></title></head>
<!-- Redirection Services Red-01B-SEF H1 -->
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://fybertech.com" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="/?a8734haka8dr781346=true" NAME=a33 frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
<noframes>
<h2>Your browser does not support frames.  We recommend upgrading your browser.</h2><br><br>
<center>Click <a href="http://fybertech.com">here</a> to enter the site.</center>
</noframes></html>


The line I find particularly disturbing is this one:

Code:
<frame src="/?a8734haka8dr781346=true" NAME=a33 frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame> 

_________________
----

Ed/Bones.


Posted: Tue Aug 30, 2005 1:14 pm
Junior Member

Joined: Thu Jun 16, 2005 12:28 pm
Posts: 33
Yeah I did a whois on the domain to start with and found the privacy protection. No surprise there, eh? But the link you gave at least shows I'm not the first to have come across this kinda stuff. Here's also a list of other domains they seem to own: http://whois.webhosting.info/64.74.96.243

I saw the "/?a8734haka8dr781346=true" part too and decided to follow up on it, and loading fybertech.info with that appended to the URL gave:

Code:
<script language="JavaScript">
var zflag_nid="346";
var zflag_cid="1";
var zflag_sid="0";
var zflag_width="1";
var zflag_height="1";
var zflag_sz="15";
</script>
<iframe src="http://simg.zedo.com/roimedia/tag/roimedia_enom_urlfwd_720x300.html" frameborder=0 marginheight=0 marginwidth=0 scrolling=no allowTransparency=true width=1 height=1></iframe>


Following that iframe url took me yet deeper.

Code:
<!--  Copyright (c) 2000-2004 ZEDO Inc. All Rights Reserved. -->
<HTML>
<HEAD>
<TITLE>Advertisemen</TITLE>
<link rel="P3Pv1" href="/w3c/p3p.xml">
</HEAD>
<BODY marginwidth=0 marginheight=0 leftmargin=0 topmargin=0 style="background-color:transparent">
<script language="JavaScript" src="http://simg.zedo.com/roimedia/tag/roimedia_enom_urlfwd_720x300.js"></script>
</BODY>
</HTML>


It seems to finally end there with that javascript file, which appears to be designed to dish out ads from what I can tell by first glance. All I know is that I don't appreciate what they're doing, and will be blocking the hazardlabs.info one as well.
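The chain traced in the posts above (a full-size frame showing the real site, plus a zero-height frame that loads a 1x1 ad iframe) can be recognised mechanically. The parser below is an added example, not code from the thread: the frame markup is copied from the quoted pages with some attributes dropped, and the rules for what counts as "hidden" are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Frame markup from the two pages quoted in the thread (abridged).
WRAPPER = """<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://fybertech.com" name=mainwindow frameborder=no></frame>
<frame src="/?a8734haka8dr781346=true" NAME=a33 frameborder=no></frame>
</frameset>"""
AD_FRAME = ('<iframe src="http://simg.zedo.com/roimedia/tag/'
            'roimedia_enom_urlfwd_720x300.html" width=1 height=1></iframe>')

class FrameCollector(HTMLParser):
    """Record frameset row sizes and every <frame>/<iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.rows, self.frames = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "frameset":
            self.rows = [r.strip() for r in (attrs.get("rows") or "").split(",")]
        elif tag in ("frame", "iframe"):
            self.frames.append((tag, attrs))

def analyze(html, page_url):
    """Return one finding per frame: resolved URL, hidden?, external?"""
    parser = FrameCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for i, (tag, attrs) in enumerate(parser.frames):
        url = urljoin(page_url, attrs.get("src") or "")
        if tag == "frame":
            # Assumes a single, non-nested frameset: frame i takes row i.
            size = parser.rows[i] if i < len(parser.rows) else ""
            hidden = size in ("*", "0", "0%") and "100%" in parser.rows
        else:
            hidden = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        findings.append({"url": url, "hidden": hidden,
                         "external": urlsplit(url).hostname != page_host})
    return findings

def is_framing_wrapper(findings):
    """True when a visible frame shows another host and a hidden frame rides along."""
    visible_external = any(f["external"] and not f["hidden"] for f in findings)
    return visible_external and any(f["hidden"] for f in findings)

if __name__ == "__main__":
    for finding in analyze(WRAPPER, "http://fybertech.info/"):
        print(finding)
```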


Posted: Tue Aug 30, 2005 1:27 pm
Senior Member

Joined: Fri Aug 06, 2004 5:49 pm
Posts: 158
FyberOptic wrote:
http://whois.webhosting.info/64.74.96.243

Yoink!

I've been looking for a free reverse IP lookup tool everywhere. Tends to come in handy, but the only other one I've seen is on whois.sc, and theirs isn't free past the first 5 domains. Thanks.


Posted: Wed Aug 31, 2005 10:28 am
Senior Member

Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
tierra wrote:
FyberOptic wrote:
http://whois.webhosting.info/64.74.96.243

Yoink!

I've been looking for a free reverse IP lookup tool everywhere. Tends to come in handy, but the only other one I've seen is on whois.sc, and theirs isn't free past the first 5 domains. Thanks.


Well, that doesn't look like a true reverse-lookup tool, but rather a tool that tracks how many domains have 'forward' A records to the IP in question... An A record for the domain itself, not any particular subdomain, such as www, that is.

Heh, it wouldn't be hard to hack together a CGI script to just do a 'dig' and spit out the results. :)

_________________
----

Ed/Bones.


Posted: Wed Aug 31, 2005 3:58 pm
Senior Member

Joined: Fri Aug 06, 2004 5:49 pm
Posts: 158
NecroBones wrote:
Well, that doesn't look like a true reverse-lookup tool, but rather a tool that tracks how many domains have 'forward' A records to the IP in question... An A record for the domain itself, not any particular subdomain, such as www, that is.

Heh, it wouldn't be hard to hack together a CGI script to just do a 'dig' and spit out the results. :)


I wasn't talking about doing a reverse lookup on an IP and finding a single domain. On occasion I need a tool to tell me what other domains are hosted on the same IP (sometimes just for an idea of how many other domains are hosted). That typically requires a rather big database behind it recording all the results on domain lookups and selecting all the ones that point to the same (requested) IP. I don't know many people with the resources to keep an up-to-date database like that, so I could imagine that having places that already do whois lookups offer that service is about the only viable way to do it, and finding places that'll offer full lists like FyberOptic mentioned for free is rather rare. Whois.sc offers the same service, but it's not free past the first 3 (I mentioned 5 earlier, but it is in fact 3) as you can see here (free reg req): http://www.whois.sc/reverse-ip/64.74.96.243

