VPN clients' DNS address changes unexpectedly - This should solve issues for now

Raaz

The DNS address for the VPN client suddenly changes to 69.57.146.14...

Later, on looking in the registry, this is what happens:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, which should point at %Systemroot%\system32\drivers\etc, is now pointing towards %Systemroot%\help,

which contains a hosts file that redirects to the following addresses:

88.88.88.88 elite
207.44.194.56 www.google.akadns.net
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 www.altavista.com
207.44.194.56 altavista.com
207.44.194.56 search.yahoo.com
207.44.194.56 uk.search.yahoo.com
207.44.194.56 ca.search.yahoo.com
207.44.194.56 jp.search.yahoo.com
207.44.194.56 au.search.yahoo.com
207.44.194.56 alltheweb.com
207.44.194.56 web.ask.com
207.44.194.56 ask.com
207.44.194.56 www.ask.com
207.44.194.56 www.teoma.com
207.44.194.56 search.aol.com
207.44.194.56 www.looksmart.com
207.44.194.56 auto.search.msn.com
207.44.194.56 search.msn.com
207.44.194.56 ca.search.msn.com
207.44.194.56 google.com.sg
207.44.194.56 www.hotbot.com
207.44.194.56 hotbot.com
10/01/03 17:03:12 dig 207.44.194.56 @ 10.10.10.1
Dig 56.194.44.207.in-addr.arpa-at-10.10.10.1 ...
Authoritative Answer
Recursive queries supported by this server
Authoritative answer: Host doesn't exist
Query for 56.194.44.207.in-addr.arpa type=255 class=1
194.44.207.in-addr.arpa SOA (Zone of Authority)
Primary NS: ns1.ev1.net
Responsible person: admin-at-ev1.net
serial:1063803342
refresh:3600s (60 minutes)
retry:1800s (30 minutes)
expire:604800s (7 days)
minimum-ttl:7200s (2 hours)

Also check these reg keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD1000}]

"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

Changing the local machine's config in the network control panel appears to reset the entire

hklm\system\ccs\services\parameters\interfaces key, removing this "r0x" entry.

Block the following traffic too:
207.44.194.56
69.57.146.14
69.57.146.175

this should help !!! ???

Seems to be some kind of worm / backdoor or transparent program running in the background / spyware????

Any ideas / clues? Please do reply.
Thanks
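The checks described in the post above (DataBasePath, the hosts file it points at, static NameServer values on interface keys, and blocking the listed addresses), written up as an added PowerShell audit script. This is not code from the original thread; it assumes a current Windows host with the built-in Registry provider, and the optional block step assumes the NetSecurity module (Windows 8 / Server 2012 or later). The rule name "Block hosts-file redirect targets" and the $Remediate switch are this example's own choices; the three IPs are the ones the post lists.

```powershell
# Added audit script, not part of the original thread. Read-only by default;
# set $Remediate = $true (from an elevated prompt) to also add the block rule.
$Remediate = $false
$BlockList = @('207.44.194.56', '69.57.146.14', '69.57.146.175')  # IPs from the post

$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$expected = '%SystemRoot%\System32\drivers\etc'

# 1. DataBasePath: the resolver reads hosts/lmhosts from here, so changing it
#    silently swaps in a different hosts file. Get-ItemProperty expands
#    REG_EXPAND_SZ values, so expand the expected value before comparing.
$dbPath = (Get-ItemProperty -Path $tcpip -Name DataBasePath).DataBasePath
$dbPath   = [Environment]::ExpandEnvironmentVariables($dbPath)
$expected = [Environment]::ExpandEnvironmentVariables($expected)
if ($dbPath -ine $expected) {
    Write-Warning "DataBasePath is '$dbPath' (expected '$expected')"
}

# 2. Parse whatever hosts file is actually in effect: strip comments, split
#    each line into IP + one or more names, then group non-loopback names by
#    IP. Many unrelated sites mapped to one address is the pattern in the post.
$hostsFile = Join-Path $dbPath 'hosts'
$entries = Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
    ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $fields = $_ -split '\s+'
        if ($fields.Length -lt 2) { return }   # IP with no name: nothing to map
        foreach ($name in $fields[1..($fields.Length - 1)]) {
            [pscustomobject]@{ IP = $fields[0]; Name = $name }
        }
    }
$entries |
    Where-Object { $_.IP -notin @('127.0.0.1', '::1') } |
    Group-Object -Property IP |
    ForEach-Object {
        Write-Warning ('{0} hosts-file name(s) mapped to {1}: {2}' -f `
            $_.Count, $_.Name, ($_.Group.Name -join ', '))
    }

# 3. Interface keys are normally named by adapter GUID; a key such as
#    "windows" in the post is not an adapter at all. Report every static
#    NameServer so it can be compared against the resolver you expect.
Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
    $key  = $_.PSChildName
    $vals = Get-ItemProperty -Path $_.PSPath
    if ($key -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        Write-Warning "Interface key '$key' is not an adapter GUID; inspect it"
    }
    if ($vals.NameServer) {
        Write-Warning "Interface $key has static NameServer = $($vals.NameServer)"
    }
}

# 4. Optional: block the redirect targets outbound at the host firewall.
if ($Remediate) {
    New-NetFirewallRule -DisplayName 'Block hosts-file redirect targets' `
        -Direction Outbound -Action Block -RemoteAddress $BlockList | Out-Null
}
```

Steps 1 to 3 only read the registry and the hosts file, so they are safe to run on a suspect machine before deciding on cleanup; step 3 prints every static NameServer rather than matching a fixed address, because the value an attacker sets will not stay the same.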
 
Raaza

Hello all, I got the answer for this: it's due to the Qhosts-1 trojan.
The MS0-032 patch is a cure for it.

thanks again
 
Will

It's a new virus, dubbed "Trojan.Qhosts".

Discussed here:
CERT:
http://www.cert.org/incident_notes/IN-2003-04.html
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html
Network Associates:
http://vil.nai.com/vil/content/v_100719.htm

It infects your system and changes your DNS.

It's because of a Windows IE problem whereby clever code in a web page
can trigger a problem with the Microsoft HTML application handler and
execute code on your computer.

Symantec has as yet no fix in Norton AntiVirus for it. I
downloaded the "Live update" for 10/1/2003, and it didn't find it. I
then downloaded the "intelligent update"
(http://securityresponse.symantec.com/avcenter/download/pages/US-SAVCE.html),
which you have to do manually, and so far the scan has found nothing.
Luckily, the page on Symantec's response says that a fix will be
coming out in next week's live update.

Also posting this to:
microsoft.public.win2000.security
microsoft.public.security.virus
microsoft.public.windowsxp.security_admin
alt.internet.search-engines
microsoft.public.windowsnt.protocol.tcpip

Will Dunn
Systems Administrator
Netmar Web Services
