Odd Find

Discussion of anything and everything that happens within the Iris Alternate Reality Game.


Injunfett
Data [Authenticated]
Posts: 57
Joined: Wed Jun 13, 2007 9:57 pm


Alright, I was searching the IPs MS owns

http://206.16.223.00 To http://206.16.223.70

Looking for anything odd after seeing this part of the voicemails

Man 2: Well we're working on it. For the moment we're simply hiding the data behind a false menu item.

Well, I went through them all and most of them were random Xbox sites like Conker, Rare, Rise of Nations, till I hit http://206.16.223.70

When I got there I noticed that it was just a page not found, but the thing is, it's a Page Not Found setup for the IE explorer. I'm using Firefox; that shouldn't show up like that, should it?

So I typed in a random page like http://www.gegdsgds.com and got a page not found, but it was the Firefox page not found setup. So the PNF that's showing up was actually put there by someone to hide something on that page.

It might be related to the ARG, it might not, but I checked them all, and the fact that 70 is an HTML page not found page, it's kind of fishy.
The Se7enth Prophet
Moderator [Designated]
Posts: 199
Joined: Wed Jun 13, 2007 10:30 pm

Re: Odd Find


The difference between the IP and the example site you showed is that the server exists at the IP, but there isn't one at http://www.gegdsgds.com.

The page not found page should not be confused with the server not found page. The page not found page you showed does show up in Firefox all the time for me.
Sable
Data [Conditional]
Posts: 44
Joined: Sun Jul 01, 2007 3:15 am

Re: Odd Find


Web servers, as a rule, default to looking at a file called "index.html" to display whatever a given site's default page should be - for example, if you go to http://www.sitefour.com, then http://www.sitefour.com/index.html, you'll see they go to the same place.

If a Web server is displaying "page not found," that means that there IS a Web server (in this case, Microsoft IIS) there, but it either doesn't have an index.html page (even a default, preinstalled placeholder) or the Web server process doesn't have the ability to access or read the file.

It's probably nothing.
sassafras
Data [Conditional]
Posts: 36
Joined: Tue Jul 10, 2007 1:37 am

Re: Odd Find


I also tried FTP'ing in to just see if I could poke around, but the server isn't set up for FTP transfer or else it didn't like my anonymous login ;)
DEM1ZE
Data [Conditional]
Posts: 47
Joined: Tue Jul 10, 2007 1:40 am
Location: Boston, MA

Re: Odd Find


Hmm... I'm not sure what to think of this. Normally the page Firefox would display is:
http://i195.photobucket.com/albums/z60/ ... ferror.jpg

But then again, the one displayed at http://206.16.223.70/ does not look fake.

Just like Injunfett, I too have been searching for the "false menu item"
Man 2: Well we're working on it. For the moment we're simply hiding the data behind a false menu item.

(first post! I was in Italy for the past month and I haven't heard a thing about Iris until I got back a few days ago. I'm pretty sure I've read about pretty much everything that has been going on :P So awesome :mrgreen: Hopefully I'll be able to provide a little bit of help.)
haxflo
Data [Conditional]
Posts: 16
Joined: Fri Jun 15, 2007 3:14 pm

Re: Odd Find


Okay. Raise your hand if you have ever set up a real web server.
Now the rest of you, gather around and listen.
This is in fact a real 404 error page but it is not produced by Firefox or Internet Explorer. It is in fact produced by the webserver itself (IIS in this case).

Most webservers, and IIS is no exception, allow you to override the content of standard error responses, such as "404 - Page not found". To prove that this is in fact a standard response page go to http://206.16.223.70/typeanygarbagehere and see for yourself.

What is more suspicious here is the fact that when you hit a URL of a directory, you will either get default.htm (on IIS) or you will get error "403 - Forbidden" and NOT 404. While it is certainly possible with enough configuration magic to force the webserver into responding with 404 instead of 403, I wonder what the purpose is here or what else might be going on.

I also telnet'd into the server on port 80 and did a manual HTTP GET request and here's what I got. It is in fact a real 404 response, not just a 404 page. The only interesting line is highlighted in bold.
GET / HTTP/1.0

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-Powered-By: ASP.NET
AWESI: 05
Date: Tue, 10 Jul 2007 02:33:24 GMT
Connection: close
Set-Cookie: BIGipServerforums.pgrnations.com.80=3895830720.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>
Connection closed by foreign host.
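
The distinction drawn in the post above, between a real 404 response and a page that merely says "not found", can be checked from the raw response text. The following is an added example, not part of the original thread: the function names are hypothetical, the first sample is constructed from headers quoted above with a shortened body, and the second sample is entirely constructed.

```python
import re

# Constructed sample: selected headers from the response quoted in the post,
# followed by a shortened body (the full IIS error page is omitted).
RAW_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: BIGipServerforums.pgrnations.com.80=3895830720.20480.0000; path=/\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>The page cannot be found</TITLE></HEAD></HTML>"
)
# Constructed sample: a "soft 404", i.e. error text served with status 200.
RAW_SOFT = ("HTTP/1.1 200 OK\r\nServer: ExampleServer\r\n\r\n"
            "<html><title>Page not found</title></html>")

NOT_FOUND_TEXT = re.compile(r"(page|file)\s+(can\s*not|not)\s+(be\s+)?found", re.I)

def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # names are case-insensitive; repeated headers are kept as a list
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(match.group(1)), headers, body

def classify(raw):
    """Report who produced the 'not found' page and what the headers disclose."""
    status, headers, body = parse_response(raw)
    if status == 404:
        kind = "real 404 from the server"
    elif status == 403:
        kind = "403: server refused the request"
    elif status == 200 and NOT_FOUND_TEXT.search(body):
        kind = "soft 404: error text served with status 200"
    else:
        kind = "status %d" % status
    cookies = [c.split("=", 1)[0] for c in headers.get("set-cookie", [])]
    return {"status": status, "kind": kind,
            "server": headers.get("server", [None])[0],
            "powered_by": headers.get("x-powered-by", [None])[0],
            "cookie_names": cookies}
```

The status line, not the wording of the body, decides the classification; the `server`, `powered_by` and `cookie_names` fields collect what the response head discloses about the software behind the address.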
Ibeechu
Moderator [Designated]
Posts: 394
Joined: Wed Jun 13, 2007 10:27 pm
Location: Jackson, MI

Re: Odd Find


Listen to T7P. It isn't a fake page; what would creating a fake 404 page do? It's because there's a server, but no page. For example, go to http://206.16.223.63/mooo It's on a real server (SotA), but the page "mooo" doesn't exist. MS didn't put a fake 404 at every page that DOESN'T exist, it's just the default page if a page doesn't exist. At 206.16.223.70, there is no index page defined, so it goes to the 404 page. This isn't some elaborate trick by Microsoft. You're looking way too far into it (for now, at least).
haxflo
Data [Conditional]
Posts: 16
Joined: Fri Jun 15, 2007 3:14 pm

Re: Odd Find


Heh, would be too easy. When default.htm does not exist, you should get a listing of the directory if it is enabled or error 403 if it is not. Neither one is error 404.
beelzebub
Data [Conditional]
Posts: 48
Joined: Thu Jun 14, 2007 6:08 pm

Re: Odd Find

$ nmap -P0 -O 206.16.223.70

Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Interesting ports on 206.16.223.70:
Not shown: 1695 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
554/tcp filtered rtsp
Device type: general purpose|broadband router
Running: Linux 1.X, ZyXel ZyNOS
OS details: Linux 1.3.20 (x86), ZyXel 944S Prestige router

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 10.238 seconds

So, there you go. Probably forwarding port 80 traffic to some other machine, apparently running IIS. But it's alive.