One of our customers is having some issues accessing various websites, and we’re having trouble isolating the issue. I’ve included some details below, including some of the steps we’ve tried so far, and some screenshots. I’d sincerely appreciate some help from the community!

 

Specs:

·   Dell PowerEdge R440 rackmount server running as a domain controller:

o   Windows Server 2019 Essentials x64, Version 1809, OS Build 17763.5936

o   SQL Server 2019 Essentials installed and running

o   Threatdown Endpoint Detection and Response on Server

o   Running DHCP

o   Running DNS

o   Running ADDS

·   Network Equipment:

o   Ubiquiti Dream Machine Pro, UniFi OS version 4.0.21, UniFi Network version 8.6.9, not running DHCP

o   Ubiquiti 24-port PoE Switch (USW-24-POE)

·   Workstation(s)

o   Windows 10 Pro x64, with 22H2 installed, Build 19045

o   Threatdown Endpoint Detection and Response on each workstation

·   Network Type: Domain

·   Browsers:

o   Chrome (latest version)

o   Edge (latest version)

 

Two related issues:

1. Links in Emails:

a. When you click on a link in several different emails (just a select few from various senders, NOT every email), it opens up a browser with the following error message (see screenshot)

2. Websites in Browsers:

a. When you navigate to a website (some require that you log in, some do not), it returns the following error message (see screenshot)

b. When you click on a Sponsored search result in Google, it returns the following error message (see screenshot)

 

What we’ve done regarding both issues above:

1. Reconfigured Threatdown Endpoint agent running on that computer

2. Removed Threatdown Endpoint agent from computer

3. Disabled Malwarebytes Browser Guard and Adblock Plus extensions along with any other browser extensions that could be causing an issue.

4. Temporarily disabled all security settings in Chrome

5. Temporarily turned off UAC

6. Removed said browser extensions

7. Restarted computer several times

8. Ran each of the following commands:

a. DISM /online /cleanup-image /scanhealth

b. sfc /scannow

c.  netsh winsock reset

d. net stop winmgmt then press Y, then press Enter,

e. winmgmt /resetrepository press Enter, Restart PC

f.  netsh advfirewall reset

g. ipconfig /flushdns > Restart PC

9. Confirmed IP is dynamically assigned.

10.  Left DNS 1: 192.168.x.x (our server), but changed DNS 2 from 8.8.8.8 to 1.1.1.1, flushed DNS, tried again

11.  Cleared SSL within Internet Options in Control Panel

12.  Checked Outlook settings to make sure the link options are set to open with default browser

13.  Used Whois Lookup to see if the links are bad players; they look legit

 

 

 

HAGERTY INSURANCE.PNG

WILKINS TRUCK CHROME.PNG

ASCENSION PRESS.PNG

ATT BUSINESS.PNG

INTEGRIS.PNG

VALLEY CHROME PLATING.PNG

CATHOLIC COMPANY.PNG

GROOVE.PNG

MORNING OFFERING.PNG

PEPPER PALACE LINK.PNG

TMOBILE.PNG

https://linustechtips.com/topic/1609918-blocked-links-websites-wont-open/

Have you looked into TTL (time-to-live) increases? There's a tool that can trace the hops between source and target of a web link, including response times, but I forgot the name.

 

Do any of the issues mentioned occur in a Linux and/or BSD environment?

Have you tried Firefox as browser? Or, on a Linux system, the text-based links2 browser? ( <- link!)

"You don't need eyes to see, you need vision"

 

(Faithless, 'Reverence' from the 1996 Reverence album)


All of these look like tracking / ad / scam / phishing domains that would typically be blocked by things like pi-hole and potentially some internet security services.

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2
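
The reply above suggests a DNS-level filter is blocking these hostnames; one way to check that from an affected workstation is to ask each resolver separately and compare the answers. This is an added example, not part of the original thread: the parameter names and the list of sinkhole addresses are assumptions, and the hostname and internal DNS address must be supplied by whoever runs it.

```powershell
# Added example: compare how each DNS server answers for one blocked hostname.
param(
    [Parameter(Mandatory)] [string] $HostName,      # hostname taken from a blocked link
    [Parameter(Mandatory)] [string] $InternalDns,   # DNS 1 (the domain controller)
    [string[]] $PublicDns = @('8.8.8.8', '1.1.1.1') # the DNS 2 values tried in the post
)

# Addresses that DNS filters commonly hand back instead of the real record (assumption).
$sinkhole = @('0.0.0.0', '127.0.0.1')

$results = foreach ($server in @($InternalDns) + $PublicDns) {
    try {
        # -DnsOnly skips LLMNR/NetBIOS so only the named server's answer is reported.
        $answers = Resolve-DnsName -Name $HostName -Type A -Server $server `
                                   -DnsOnly -ErrorAction Stop
        $ips = @($answers | Where-Object { $_.Type -eq 'A' } |
                            ForEach-Object { $_.IPAddress })
        $status = if ($ips.Count -eq 0) { 'NoARecord' }
                  elseif ($ips | Where-Object { $_ -in $sinkhole }) { 'Sinkholed' }
                  else { 'Resolved' }
    } catch {
        # NXDOMAIN, timeouts and refused queries all land here.
        $ips = @()
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server    = $server
        Status    = $status
        Addresses = ($ips -join ', ')
    }
}

$results | Format-Table -AutoSize
```

If the internal server fails or returns a sinkhole address while the public resolvers return a normal address, the block sits in the DNS path the workstation normally uses. If every server resolves the name, the block is happening somewhere other than DNS.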
