clint
I'm having a strange problem. It started on October 1.
When I came home from work, my internet wouldn't work but
my local home lan worked fine. So I thought maybe I had a
virus or got hacked. I ran fport (a security tool by
foundstone.com) and noticed something strange, a program
running on UDP port 2888 (even though my net wasn't
working).
I pulled up taskmgr and noticed 2 unfamiliar programs that
I usually don't see running mshta.exe and wisptis.exe. I
was thinking maybe somehow I got an mshta exploit? I'm on
Windows 2000 Pro. I have all patches and service packs, I
have the latest virus sigs from Norton (Symantec Corp
AV), I have Ad-Aware, and a pop up blocker too. I ran a
virus scan and it found nothing. I hadn't downloaded any
program, I don't use or even have Outlook installed and I
don't download attachments unless someone tells me they
are sending me one. Plus I haven't downloaded any
attachments in a long time.
Anyway I did end task on those two exe's. I checked the
usual virus prone registry areas for naughty keys but
nothing was there. Ran Ad-Aware and it didn't find any spy
crap even. I have noticed that my pop up blocker doesn't
seem to be working as well as it was before.
By this time I was really starting to wonder what the hell
is going on? I checked my event logs and I noticed at
10:54PM Central (Oct 1) that there was a DNSCache error.
So I looked at my TCP/IP config and my DNS servers were set
to something they shouldn't be! Usually it is on
automatically obtain. I didn't change it and no one had
access to my computer. The DNS addresses were:
69.57.146.14
69.57.147.175
So once I changed those to automatically obtain, my
internet worked again. Still www.google.com wouldn't work.
I went to bed.
Today after school and work I started in on the problem
again. I did a ping of www.google.com:
Pinging www.google.com [207.44.194.56] with 32 bytes of data:
Reply from 207.44.194.56: bytes=32 time=50ms TTL=49
Reply from 207.44.194.56: bytes=32 time=50ms TTL=49
Reply from 207.44.194.56: bytes=32 time=50ms TTL=49
Reply from 207.44.194.56: bytes=32 time=50ms TTL=49
The ip didn't work either so I did nslookup on
www.google.com:
Server: blizzard.--edit--.net
Address: --edit--
Name: www.google.akadns.net
Address: 216.239.41.99
Aliases: www.google.com
That ip does work for google. So now I was confused. I did
ipconfig /flushdns and stopped and started the DNS
Service. Then I did ipconfig /displaydns and wow, I had
tons of entries! It filled a .txt file with 66kb worth of
entries when I piped it out. Now the weird part, they are
all search engines! There are many different search
engines (google included) which have this in common from
my /displaydns output:
Record Type . . . . . : 1
Time To Live . . . . : 31530094
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . :
207.44.194.56
There are tons of entries:
In total there were 220 entries with the same record info!
105 of the entries are 56.194.44.207.in-addr.arpa too.
207.44.196.56 resolves to paola.hostingminds.com. The
domain hostingminds.com is just a holding place page and
the paola subdomain is a plesk server admin holding place
page.
69.57.146.14 - doesn't resolve
69.57.147.175 - doesn't resolve
207.44.196.56 - paola.hostingminds.com
All the addresses trace back to a netblock owned by
Everyone's Internet (I used
http://visualware.visualroute.com to trace).
My dns cache won't get rid of those addresses. My DNS got
hijacked/hacked somehow it looks. Not sure how since I'm
very security conscious, in fact this is the first time
anything has ever happened to my computer. Thanks for
reading all this and I'm looking forward to comments.
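As an added example (not code from clint's post): a small Python script that parses `ipconfig /displaydns` output and flags the two things that stood out here, a TTL of roughly a year and one address answering for many unrelated names. The sample output, the one-week TTL threshold and the sharing threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of `ipconfig /displaydns` (Windows 2000/XP),
# modelled on the record the post quotes; not captured from a real machine.
SAMPLE_DISPLAYDNS = """
    Record Name . . . . . : www.google.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 31530094
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 207.44.194.56

    Record Name . . . . . : search.msn.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 31530094
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 207.44.194.56

    Record Name . . . . . : www.example.org
    Record Type . . . . . : 1
    Time To Live  . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10
"""

# One A record (type 1) per match; \s* before the address tolerates a wrapped value.
A_RECORD_RE = re.compile(
    r"Record Name[ .]*: (?P<name>\S+)\s*Record Type[ .]*: 1\s*"
    r"Time To Live[ .]*: (?P<ttl>\d+)\s*Data Length[ .]*: \d+\s*"
    r"Section[ .]*: \w+\s*A \(Host\) Record[ .]*:\s*(?P<ip>[\d.]+)"
)

MAX_SANE_TTL = 7 * 24 * 3600  # one week (assumed); the post's ~1-year TTL is far beyond it

def parse_a_records(text):
    """Return (name, ttl_seconds, ip) for every cached A record in the output."""
    return [(m["name"].rstrip("."), int(m["ttl"]), m["ip"])
            for m in A_RECORD_RE.finditer(text)]

def find_suspicious(records, max_ttl=MAX_SANE_TTL, min_shared=2):
    """Flag oversized TTLs and one address claimed by several unrelated names."""
    names_by_ip = defaultdict(set)
    for name, _ttl, ip in records:
        names_by_ip[ip].add(name)
    long_ttl = sorted({n for n, ttl, _ip in records if ttl > max_ttl})
    shared = {ip: sorted(ns) for ip, ns in names_by_ip.items() if len(ns) >= min_shared}
    return {"long_ttl": long_ttl, "shared_ip": shared}
```

Pipe real output into `parse_a_records` (e.g. `ipconfig /displaydns > dns.txt`) and raise `min_shared` on a machine that legitimately uses a CDN, where a handful of names per address is normal.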