[App_rpt-users] Got a strange error in my AT&T gateway

David McGough kb4fxc at inttek.net
Sun Jul 30 14:04:09 EDT 2017


I sent you a link to a related, but wrong article, earlier.  This link 
explains what is going on:


So, basically, what "hijacked" means is that the DNS entry for 
stats.allstarlink.org has been spoofed by AT&T, and those queries have 
been redirected to an AT&T proxy server (AKA: man in the middle) for 
"evaluation" before passing the request along to the REAL stats server.

DNS hijacking is becoming a serious problem these days, even if you set 
your DNS server explicitly to a well known address---like google 
( problem is one reason so much traffic on the Internet 
these days uses TLS (https), since using TLS will at least notify you of 
an invalid host (like a proxy server). BUT, be aware that even using TLS 
doesn't eliminate this man-in-the-middle problem, it just makes it easier 
to spot.

73, David KB4FXC

On Sun, 30 Jul 2017, George Csahanin wrote:

> Maybe I wasn't clear on this point.
> host=stats.allstarlink.org url=/uhandler.php is a valid line from rpt.conf, well, technically http://stats.allstarlink.org/uhandler.php is.
> And my stats show up in stats.allstarlink.org
> I found this on ATT forum, from another user (oddly, NOT from AT&T):
> */"the correct information in regards to the " hijacked" description 
> endings in the logs.  They are stating that the/**/*Gateway*/**/has hijacked the connection, and is providing responses.  It does not 
> mean that an external party has hijacked the connection.  The gateway 
> does this to send you error messages (i.e. in your browser), but it 
> usually causes more harm than it does good./*"
> I'll ignore this log entry. The daily reboot is still a mystery, sort of...it IS AT&T
> GeorgeC
> 2360
> On 7/29/2017 12:29 PM, George Csahanin wrote:
> > Hi all. I've been seeing a daily reboot of my AT&T gateway, has done 
> > it three times now. Looked at the logs in the AT&T box and I see several:
> >
> > host=stats.allstarlink.org url=/uhandler.php hijacked
> >
> > Anybody know what this might mean?
> >
> > GeorgeC
> >
> >

More information about the App_rpt-users mailing list