Marriott Server Compromised, Rerouting Guests' Internet To Casino Scam Site?

Will’s mom was surprised when she opened her laptop at a Marriott and found that mistyped addresses took her to a popup that said, “CONGRATULATIONS!!! YOU’VE WON VIRTUAL REALITY CASINO ! CLICK on OK and Get up to +200$ BONUS NOW!”

When Will changed the laptop’s DNS settings to use a public DNS server instead of the one the hotel network handed out, the problem disappeared, leading Will to suspect that someone had “poisoned” Marriott’s DNS servers to drive traffic to their casino scam page(s). He then reported this to Marriott’s techs. We’ve spoken ourselves with Marriott’s server people, and they confirm that the secondary DNS is whacked but say they need to investigate further.

Could this be the Cisco 4400 series virtual gateway IP address (1.1.1.1) being taken advantage of by malicious forces unknown? Next time you’re at the Courtyard Marriott on Cerrillos Rd in Santa Fe, NM, run a traceroute and tell us.

We have no idea, but even if this turns out to have an innocuous explanation, travelers should be extra-cautious when using unknown internet connections. — BEN POPKEN

Comments

  1. MercuryPDX says:

    Dude! Calling your mom a newb while she’s IN THE ROOM… uncool.

    LOL

  2. LatherRinseRepeat says:

    Marriot Sever Compromised..

    I think you meant to use “server” here. :-)

    Also, check out OpenDNS before you hit the road with your laptop..

    http://www.opendns.com/

  3. ncboxer says:

    Maybe some of us would like to get a $200 bonus(!!!) and go to this wonderful casino site.

    First, though, Mr. Oduobi Tokunbo has promised me $10 million dollars for helping him, so I have to spend some money helping him before I can go to the casino site. Then I’ll book at a Marriott so I can get my wonderful bonus.

    Thanks!

  4. milk says:

    I’m Will, the guy who made the video. I know about OpenDNS, and I used a public DNS server after I found out that the network might be compromised. Additionally, I did not call my mom a nub; I was trying to imply there may be some people who mistype a web address or don’t understand how to properly format a URL. My mom is a leet haxer and is extremely amazing with computers. Additionally, my mom was in the shower, and my sister was the one who laughed. Besides – my mom, my sis, and I all call each other nubz.

  5. silencedotcom says:

    I love his mom yelling in the background. Instant classic!

  6. mermaidshoes says:

    Dude, I think I prefer this other Marriott problem… intense. Hope neither one ever happens to me.

    http://www.youtube.com/watch?v=lJzlUEApmgo

  7. jbhall56 says:

    While a cute video, you did not talk to Marriott, regardless of how they answered the phone.

    Marriott properties are almost all franchise operations, and those actually owned by Marriott are operated just like the franchise operations. Marriott only dictates back office applications, not Internet service for guests. Marriott was involved in this in name only. Their network and help desk never even knew about this incident.

    You talked to the ISP that provides Internet access to the guests at the particular Marriott hotel your mother was staying at. It could have been any of the major hotel Internet access providers or any other ISP, including the local cable company.

    So, there’s a surprise, an ISP that had their DNS poisoned. Like that’s never happened. :)

  8. Sudonum says:

    @mermaidshoes: What do you think happens when the toilet in the room above you overflows? Water goes downhill.

  9. EtherealStrife says:

    @silencedotcom: Good stuff.

    I’ve gotta commend whoever set up that casino redirect. Nice easy way to make some bucks on the side, and it looks fairly innocent to “newblets”.

  10. Holden Caulfield says:

    Ahhh. I wish there was a transcript available so those of us at work could read it.

  11. Kalik says:

    @ Holden Caulfield

    I’m wishing for the same thing!!!

  12. 6502programmer says:

    We have no idea, but even if this turns out to have an innocuous explanation, travelers should be extra-cautious when using unknown internet connections.

    I would say this is fairly obvious. In god we trust. All others, verify.

  13. shftleft says:

    Lather has a good point about OpenDNS, it works especially well for people who are prone to typos and are not very savvy.

    Make sure your DNS servers are *statically* assigned to the OpenDNS servers *on your host* (not configured in your local linksys router or your DHCP server as some of the tutorials describe). Otherwise when you DHCP on a public Internet connection you’ll be using their DNS servers and susceptible to this type of attack.

    The user in the vid should be wary of *any* public internet connection, *especially* hotels and coffee shops, which usually don’t have a local staff to keep the physical and logical local systems secure.

    The creator of the vid suggests a DNS poisoning attack, which is possible in this case, but not very plausible if every valid domain was resolving to a valid IP. If it was DNS poisoning, the attacker did a good job of recreating the Google page for purposes of stealing search queries.

    My guess would be that someone hacked the local NAC solution that authenticates users as they connect to the network. When you first connect to the network, any DNS query you type in resolves to the local authentication server; after you auth, you’re then allowed to access the DNS servers directly and bypass the NAC solution, as the user states, based on MAC address.

    Recent vid about hacking the Cisco NAC solution; bypassing any wireless/wired NAC solution has proven to be quite simple.

    http://www.net-security.org/article.php?id=1001

  14. TomD says:

    I am the manager of this hotel. After seeing this video, we have shut down the server and are ensuring that all security issues are addressed before it is restored.

    My thanks to Will for the information; we did not know of the issue until it was posted here.

  15. tinychicken says:

    @Holden Caulfield: amen. I can never watch the fun videos.

  16. wesrubix says:

    well done TomD.

    Always glad to a) see geeks on the righteous defense for the less geeky :)
    and b) see a manager react respectfully and responsibly

    Poisoned DNS is a real pain, and very hard to “auto-detect”, so kudos to the sleuthing here.

  17. milk says:

    Thanks TomD, I tried to let management know, but everyone at the front desk looked at me with an OMGWTFBBQ-face when I suggested that the DNS server was compromised. The PC in the lobby had a BSOD on it, and two housekeeping people thought I had magical abilities when I held the power button down for 5 seconds, forcing it to turn off and reboot. It should also be noted that the PC in the lobby did not have this FREE CASINO MONEY issue. I’m guessing it is on a separate network, as GTS was not managing it.

  18. chris_b says:

    I am the director of engineering for the manufacturer (IP3) of the gateway (www.ip3.com). I have investigated the unit with the service provider for the hotel. Will, I would like to discuss this with you if possible, although I do not have any contact information for you. You can reach me at cb at ip3 dot com. I am not at liberty to discuss the specific details of the network there since I am with the manufacturer/supplier of the gateway appliance (and not the network operator). What I can say is that all of the DNS queries for this property are handled by the upstream ISP, and not locally on the gateway. The behavior of our device is to serve internal IP addresses to all clients for DNS, and then redirect ALL DNS queries for the network to those configured IP addresses.

    A question I have for Milk is what is the behavior configured on both web browsers when you enter an invalid URL? I ask because IE, and most others, will automatically append a .com TLD to an entry in the address bar that is not a valid URL, or else send the data to a search engine. It is not clear to me which of the behaviors is occurring in this case. I also agree with shftleft that a specific DNS poisoning attack, while possible, is unlikely. Where I disagree with him is in regards to the system being compromised. This is an embedded appliance and absolutely nothing like the Cisco NAC solution in comparison; also there is no evidence or data to support anything like this having occurred.

    I just wanted to add our perspective to this, we are continuing to work with all parties involved to determine the root cause for this situation. Will if you are available to contact me so I can obtain more details about what occurred that would be great.

    Chris
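    shftleft's advice above (pin your resolvers on the host so DHCP can't hand you the network's) and chris_b's description of the gateway (it hands every client an internal address for DNS and then redirects ALL port-53 traffic to the servers it is configured with) together mean you cannot tell whether a hotel resolver is lying just by looking at which resolver IP you are using. What you can do is ask the network for a name that cannot exist, which an honest resolver must answer with NXDOMAIN; any A record that comes back is the redirect at work, whoever inserted it. The following is an added example, not code from the video, Consumerist, IP3 or the hotel's provider: a stdlib-only Python probe that builds the query, parses the raw answer, and classifies it. The sample responses it checks itself against are constructed packets, not captures from the Santa Fe network, and the public resolver address in the usage is an assumption you should replace with whatever you trust.

```python
import random
import socket
import struct

# DNS RCODE 3 = NXDOMAIN; an A record for a name that cannot exist means
# something on the path rewrote the answer (captive portal, "typo
# monetisation", or a genuinely hijacked resolver).

def build_query(name, qid=None):
    """Build a minimal recursive A query for `name`; returns (packet, qid)."""
    if qid is None:
        qid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1), qid      # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, then done
            return off + 2
        off += 1 + length

def parse_answer(data, expected_qid):
    """Return (rcode, [A-record IPs]) from a raw DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs

def classify(rcode, addrs):
    """For a name that cannot exist: NXDOMAIN is honest, any A record is a rewrite."""
    if addrs:
        return "hijacked"
    if rcode == 3:
        return "honest-nxdomain"
    return "other"

def random_nonexistent_name(tld="com"):
    """16 random alphanumerics under a real TLD: effectively guaranteed not to exist."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(random.choice(alphabet) for _ in range(16)) + "." + tld

def probe(resolver, name, timeout=3.0):
    """Send the query over UDP/53 to `resolver` and classify the reply."""
    query, qid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return classify(*parse_answer(data, qid))

def build_response(query, rcode=0, addr=None):
    """Constructed reply for offline demonstration (not a capture): echo the
    question, set QR/RD/RA plus `rcode`, optionally add one A record whose
    name is a compression pointer (0xC00C) to the question name at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if addr else 0
    header = struct.pack("!HHHHHH", qid, 0x8180 | (rcode & 0xF), 1, ancount, 0, 0)
    answer = b""
    if addr:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + question + answer

if __name__ == "__main__":
    import sys
    # Usage: python dnsprobe.py <network-resolver> [trusted-resolver]
    # The trusted resolver address is an assumption; pick one you trust.
    name = random_nonexistent_name()
    for resolver in sys.argv[1:] or ["8.8.8.8"]:
        print(resolver, name, probe(resolver, name))
```

    Run it once with the resolver DHCP gave you and once with a resolver you trust; if the first says `hijacked` and the second says `honest-nxdomain`, the rewrite is on the network and not on your machine, which is exactly the distinction the malware-versus-gateway argument in this thread turns on. A DNS-level check cannot tell a captive portal from a scam redirect, so pair it with the HTTP capture shftleft asks for later.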

  19. Joafu says:

    And the Consumer saves the day! Another nooblet saved from destruction! Dum da dum!

  20. ProvidedBy says:

    Milk:

    Do you know what DNS even stands for? If not, please ask your technology education teacher from whom you learned the phrase (assuming you are still in grade eight). This issue is clearly not with any type of a DNS poison attack, because if it was so, there would be a city-wide pandemic regarding this issue (seeing how AT&T is the ISP and holds several large corporations and businesses in the area as clients). I also stayed at this exact Courtyard in this exact room (ironically) a few months back. I must say that there was no issue if I were to type in a wrong address. My browser settings were (and still are) correct on both my Windows and Unix based machines. For the win, DNS stands for Domain Name System. Nice immature elite speak, by the by. If you do play any games (not kiddie games such as Halo), let me know, I would love to play you in Counter-Strike 1.6 (and show you how a CAL-Premier player plays video games).

    As a computer security expert, I can tell right off the bat this is an issue caused by a usseek.com rootkit. Download a rootkit revealer and see what you have! Hooray, rootkits!

    Shftleft:

    Do you have your CCNA yet? If not, take a course and freshen up on the NAC solutions. The IP3 is not a Cisco product or even anything close to a NAC solution. I have personally worked with an IP3 and have come to grips with the fact that it surpasses the Cisco products in both ease of use and security.

    PS: There is no Cisco gateway, again, it is a NetAccess IP3.

  21. chris_b says:

    After further investigation of this issue, we believe the source of the problem is a root kit on the specific machines in question. The following site lists a root kit for MS Windows from 12/05: http://www.bleepingcomputer.com/forums/lofiversion/index.p

    The URLs listed in the details of this root kit are identical to those seen on the video of the problem. From the site listed above: ” first it will go to euroseek.com then switches to usseek.com”.

    I am not saying this is 100% the issue, but it seems extremely likely. I have not confirmed if such a kit exists for the Mac, but this root kit is known to spread through a LAN and exhibits the identical behavior to what was seen in the video.

    Chris

  22. milk says:

    None of the computers we used have any viruses or root kits. Also, the link you provided for info about the rootkit does not work; however, Google cache of the page reveals that they did not find exactly what was causing the problem. Furthermore, I find it highly unlikely that a brand new MacBook Pro would have the same problem as one from Thanksgiving of last year. I think that GTS fixed the problem yesterday, and everyone is trying to sweep this under the rug by blaming it on our computers/negligence.

  23. milk says:

    @ProvidedBy:

    Sure, I do. I have a DNS server on my box in Dallas. I was trying to use fake leet speak as satire, humour, and to relate to the lowest common denominator of the Internet world. Most people would turn off a video that is in a monotone voice about some guy’s problem at a hotel. I love leet haxers and nubbies alike. I am both, and yet neither.

    It doesn’t have to be a DNS poisoning attack. I just said it was a possibility, especially with the recent Windows server vulnerability. I don’t know what it was for sure. Only GTS knows.

  24. ProvidedBy says:

    Milk:

    You mentioned that you used a new MacBook Pro and one from Thanksgiving which had the same issue. I did not notice any other MacBook Pro in your video. Would you care to elaborate?

    You should also know that this is clearly a rootkit and can be found with a rootkit revealer.

    Look up rootkit via google, you obviously do not know what a rootkit is.

  25. milk says:

    @ProvidedBy:

    My mother had this issue back at Thanksgiving, and my sister, who came into the hotel a few days after we checked in (and experienced the problem), also experienced the problem with her computer (a newer MacBook Pro). I did not record her computer going to the FREECASINOMONEYPAGE because I did not think it was necessary. Great, you still think I have a rootkit. Would you like to come to my house and scan my computer, my mother’s computer, and my sister’s for me? I would go into my mother’s qualifications, but she has asked that her identity not be revealed. You will have to trust that we do not have rootkits, trojans or any other viri.

  26. ProvidedBy says:

    It would help the entire community of geeks ;) and consumers to take action if there was some proof and more credibility to your story. Sure, that video is pretty convincing, but all in all, we haven’t seen any hardcore proof such as a log from a rootkit revealer or even a HijackThis log.

    Now don’t get me wrong, I am not saying that this didn’t happen, nor calling you, Milk, a liar. No, I am just looking for some justification from where you are coming from.

    If you would rather talk about this in IRC or via IM, let me know — I would love to pick your brain from one geek to another.

    To make myself clear, I am not siding with anyone, I just feel that there should be more evidence presented. USSEEK and OWNBOX are known rootkit and malware affiliates.

  27. milk says:

    @ProvidedBy:

    Which particular product would you like me to video or send you a log from? What do you suggest for both my mother’s Mac and my PC? The Mac runs OS X and is an Intel machine; my PC runs Windows XP Professional SP2. My router, which reported the incorrect DNS address as well (according to GTS), runs the latest version of Linksys’s firmware.

  28. milk says:

    My mom just used rootkit hunter, and confirmed that she has no rootkits. I used Rootkit Revealer, which brought up a false positive for Daemon Tools and hidden MSN data. It also complained about failing to mount my CD-ROM drive. It also didn’t like some PIN data.

    The thing that gives me comfort is that now, when I’m home, I do not have any problems surfing.

    Which particular product would you like me to video or send you a log from? What do you suggest for both my mother’s Mac and my PC? The Mac runs OS X and is an Intel machine; my PC runs Windows XP Professional SP2.

  29. shftleft says:

    ProvidedBy:

    Based on the limited evidence in the video, I was assuming that the hosts were clean because:

    1. the user sounded like he knew what he was doing,
    2. if the hosts showed this behavior at home or other places it wouldn’t be much of a story and not worth taking a video of, and
    3. not much malware out there targets both PC and Mac with the same behavior.

    Based on his follow-up posts, it seems to be the case (unless he’s downright lying).

    Without any forensic evidence (HTTP proxy logs, sniffer traces) I spouted the first thing that came to mind as a brainstorming exercise, and I used Cisco NAC bypass/hacking as an example. I *did not* say this particular situation was due to a Cisco-specific vulnerability, or that Cisco was the vendor in question.

    I admittedly have not worked with IP3 and don’t know much about the solution, but I have pen tested both Cisco’s and Aruba’s solutions for wireless NAC and have found holes in both implementations, and have been able to both bypass the NAC for access and re-configure the NAC access config for password stealing, etc.

    Comparing vendors and stating that IP3 “surpasses” Cisco in security and “ease of use” is irrelevant. Does that mean that someone couldn’t have misconfigured the product or even maliciously configured it for fun or their own personal gain?

    p.s. In my experience, people who berate and attack others about certifications and spout off about how they’re “security experts” on the Internet are usually far from it.

    p.p.s. To the IP3 rep: I wasn’t trying to bash a vendor (IP3) or tout my knowledge (or lack of =P) in this case, just trying to offer solutions other than “the hosts must have malware”, which it seems like they don’t.

    Milk:

    A tcpdump of the whole HTTP session where you type in a bogus domain name would be of great help to settle this issue.

  30. milk says:

    @shftleft:

    Sorry :(. I didn’t do any log dumps or record my traceroutes (I most certainly will in the future). I thought someone would find out the problem from the inside and be willing to share the result, but I now realize that staying in business, for the people who provide that service for the Marriott in Santa Fe, is all about “covering your ass”. I really appreciated the manager’s input, and my communications with him prove that he knows how to handle issues like this. I also know that for businesses, it is not about having a record of no problems, but the way in which the business handles problems, that matters.

    +1 for Marriott.