Why is www.grooveshark.com being redirected to 127.0.0.1?

5

I think I'm experiencing some kind of local DNS issue. I just noticed today that when I tried to visit www.grooveshark.com, the URL is being mapped to 127.0.0.1, because I'm being served by my home web server:


I've had my web server up and running on my machine on port 80 for forever. This is the first time I've ever seen it get served up in place of a site like this. It seems to me as though some sort of ad blocking software is trying to block grooveshark.com by redirecting all requests to 127.0.0.1.

I've heard of doing things like this with one's 'hosts' file, but I've never mucked about with that. I know adblock plus doesn't have a rule for grooveshark. Other than that, all I can think of is that I've recently performed a scheduled update and run of Spybot S&D like I do every few weeks.

NS Lookup

> nslookup www.grooveshark.com
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    grooveshark.com
Address:  8.19.240.53
Aliases:  www.grooveshark.com

Alain

Posted 2011-10-25T21:10:42.597

Reputation: 803

3 – Try an nslookup www.grooveshark.com to find out what you receive from DNS. – Jens Erat – 2011-10-25T21:15:08.483

@Ranon - Added, thanks. Looks like DNS isn't the problem. – Alain – 2011-10-25T21:22:35.490

2 – Note that grooveshark.com (which you are trying to open) and www.grooveshark.com (which you are giving to nslookup) are technically two different domains. It just happens that in this particular case one is an alias to another, but @Ranon, don't forget the difference. – user1686 – 2011-10-25T21:29:15.620

Looks fine, this domain resolves to the same IP address with me. Still having problems? Having problems in all browsers? @grawity Hadn't seen it in address bar yet. Alain: www.grooveshark.com in browser doesn't work either? – Jens Erat – 2011-10-25T21:30:41.510

2 – @Alain: Have you checked %SystemRoot%\system32\drivers\etc\hosts if it contains the Grooveshark domain? (nslookup does not read that file.) Also, is either browser configured to use a proxy server? – user1686 – 2011-10-25T21:30:42.180

@grawity That file is packed with entries inserted by Spybot - Search & Destroy. A quick search reveals that grooveshark.com is in fact in there. I can't imagine why. Anyways, you've found the problem. – Alain – 2011-10-25T21:35:01.783

Answers

10

As it turned out, Spybot S&D's "Immunize" feature blocks grooveshark.com using the /etc/hosts file.

This has already been reported and confirmed as a false positive, and will be fixed in today's update according to the forum post.

The detection on cloudfront.net will be narrowed down to the subdomain that is used to host malware. Grooveshark.com's relation to malware will be reviewed since it was advertised by malware and hides its registration information via Domains by Proxy, which is suspicious by default for any commercial site.

Update:
Further analysis of the malware showed that it tried to load a media file at Grooveshark.com which is not present anymore. Therefore Grooveshark will be removed from detection with the next detection update scheduled for Wednesday 2011-10-26.

Yodama

user1686

Posted 2011-10-25T21:10:42.597

Reputation: 283 655

4 – On a related note: Blocking domains by pointing them to 127.0.0.1 is not particularly good practice, since they are likely to hit a locally-running web server. An invalid host IP address such as 0.0.0.0 would be better. – user1686 – 2011-10-25T21:43:40.583

I agree. Great find on the false positive report, and thanks. – Alain – 2011-10-25T21:50:36.993

But it wasn't redirected to 127.0.0.1... his nslookup result above shows 192.168.1.1, which is very much different. Very odd. – lornix – 2011-10-25T23:27:34.863

4 – @lornix: First, no, nslookup shows 8.19.240.53 as the result. The 192.168.1.1 address you see is the DNS server's address. Second, as I mentioned in an earlier comment, nslookup does not use /etc/hosts - it is specifically designed to query DNS directly. – user1686 – 2011-10-25T23:35:15.087

Whoops, yes, you're right, my mistake, sorry about that. Evidently my caffeine level is low again. I should have keyed on the fact that 192.168.1.1 is usually a user's router too. {sigh} – lornix – 2011-10-25T23:40:47.467
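A small hosts-file audit for the situation discussed above, added here as an example; it is not code from the question, the answer or Spybot. It parses hosts-file text the way the OS resolver reads it (exact hostname match, so an entry for grooveshark.com does not cover www.grooveshark.com), and lists the entries that point at 127.0.0.1, which a local web server on port 80 would answer for, as opposed to 0.0.0.0. The file contents below are constructed; on Windows the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample, shaped like a hosts file after an "Immunize" run.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 grooveshark.com
127.0.0.1 www.grooveshark.com
0.0.0.0   ads.example.invalid
127.0.0.1\ttracker.example.invalid  # tab-separated, trailing comment
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname; comments and junk lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()                     # spaces or tabs
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])       # skip lines whose first field is not an IP
        except ValueError:
            continue
        for name in fields[1:]:                   # one line may list several hostnames
            entries.append((fields[0], name.lower()))
    return entries


def lookup_hosts(entries, name):
    """Exact, case-insensitive match like the resolver does; no wildcard or suffix matching."""
    name = name.lower().rstrip(".")
    for ip, host in entries:
        if host == name:
            return ip
    return None


def loopback_blocks(entries):
    """Hostnames blocked via a loopback address: a local web server on port 80 serves these."""
    return sorted({host for ip, host in entries
                   if ipaddress.ip_address(ip).is_loopback and host != "localhost"})


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("www.grooveshark.com ->", lookup_hosts(entries, "www.grooveshark.com"))
    print("blocked via 127.0.0.1:", loopback_blocks(entries))
```

To audit a real file, read it with `open(path).read()` and pass the text to `parse_hosts` in place of `SAMPLE_HOSTS`.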