
Redirect virus?


30 replies to this topic

#1 fkmaster


Posted 08 June 2010 - 09:21 AM

Hi, sorry for my bad English, I am just learning the language.

I have a question about suspicious network activity. I am using a wired PC and a wireless notebook to reach the internet through a DLink router and a cable modem. Both machines are running XP SP3.
The router hands out IP addresses through DHCP from a predefined range: 192.168.0.100-192.168.0.101
A few days ago I noticed 2 new LAN IPs (192.168.0.102-103) on the router's DHCP client list with absolutely fake MAC addresses.
The hostnames were my notebook's name, so I ran a 'netstat -o' command from the command line and saw 2 unwanted processes whose IPs belong to Google.
I refreshed my AV, firewall and spyware software, but even ComboFix didn't find anything interesting (for me).

I am very curious what these connections are, why they are running and why they need an extra LAN IP from my router.

Thanks for the help!


#2 Broni


Posted 08 June 2010 - 09:25 PM

Is there any particular reason you titled your topic "Redirect virus?"?
Do you experience any redirection issues?



#3 fkmaster (Topic Starter)

Posted 09 June 2010 - 04:00 AM

No, I do not. Nowadays there is pretty much news about the Google redirect virus, so I guess it's some kind of trick. And the new IPs in my router with fake MAC addresses are supposed to be a virus-like thing.
The simplest way is to use fixed IPs or reduce the IP range to 2 addresses, and of course it works, but I want to know what is happening in the background.

#4 MendMyComputer

Posted 09 June 2010 - 05:44 AM

If you are using an open network it could be that someone has connected to your wireless and used your internet for a short while... This would explain the 2 new MAC addresses that have appeared.

Also, if you are using WEP - this can be cracked, so I advise WPA2 encryption on your wireless connection.

#5 fkmaster (Topic Starter)

Posted 09 June 2010 - 06:15 AM

I thought about that too, but the MAC addresses were totally fake (30-40 characters), and I am using MAC filtering too. Unfortunately I have to use WEP, because my old notebook does not support WPA. After I noticed the wrong DHCP client list, I immediately changed my WEP key, but the problem has not been solved.
And it is a hidden connection, my SSID is not broadcast.

And some news:
When I am using the notebook with Linux, the problem disappears - there is nothing wrong in the DHCP client list.

Edited by fkmaster, 09 June 2010 - 06:26 AM.


#6 cryptodan

Posted 09 June 2010 - 01:38 PM

Can you post some of the MAC addresses?

If you are running DHCP it can get any IP address from your allocated range, which in your case can be 192.168.0.0/16 or 192.168.0.0/24, meaning 192.168.0.1-255, unless specified in the DHCP pool of addresses in your router.

IPv6, which is a new IP scheme that gives 128-bit IP addresses instead of the 32-bit, four 8-bit octets we are used to seeing, can be in the form of a MAC address. Can you post that as well?

What does an IPv6 address look like?

Edited by cryptodan, 09 June 2010 - 01:40 PM.


#7 fkmaster (Topic Starter)

Posted 09 June 2010 - 02:15 PM

Yes, here is the DHCP client list; the 192.168.0.100-101 addresses are locked to my machines' MACs.

Host Name   IP Address      MAC Address                         Expired Time
notebook1   192.168.0.103   52415320000EA622ACB4000001000000    Jun/09/2010 16:39:31
notebook1   192.168.0.102   52415320000EA622ACB4000000000000    Jun/09/2010 16:39:31

The fake MAC addresses are in hex too, like the normal ones, but they don't look like the usual 'ff:ff:ff:ff:ff:ff' 48-byte format.

Edited by fkmaster, 09 June 2010 - 02:18 PM.


#8 cryptodan

Posted 09 June 2010 - 02:31 PM

Yes, here is the DHCP client list; the 192.168.0.100-101 addresses are locked to my machines' MACs.

Host Name   IP Address      MAC Address                         Expired Time
notebook1   192.168.0.103   52415320000EA622ACB4000001000000    Jun/09/2010 16:39:31
notebook1   192.168.0.102   52415320000EA622ACB4000000000000    Jun/09/2010 16:39:31

The fake MAC addresses are in hex too, like the normal ones, but they don't look like the usual 'ff:ff:ff:ff:ff:ff' 48-byte format.


You may want to double check your DHCP pool; it can range from 192.168.0.100 to 192.168.0.255 depending on the router.

#9 fkmaster (Topic Starter)

Posted 09 June 2010 - 02:56 PM

About the DHCP addressing there is no problem. The router has the 192.168.0.1 address and gives out addresses from the 192.168.0.100-192.168.0.255 pool.
I've just locked the first 2 IP addresses to my 2 machines' MACs (192.168.0.100-101, that's why the client list doesn't contain them), and the next 2 available addresses are the ones mentioned above.

I reduced the DHCP lease time to 90 minutes, and so I realized this problem only happens with XP, not with Linux. When my wireless notebook attaches to the router with XP, these new IPs usually come up in the router config, but with Linux there is no problem. That's why I am afraid of some infection.

#10 cryptodan

Posted 09 June 2010 - 03:32 PM

The only way to assign your IP address to your MAC address is via static IP assignment in the Windows XP IP settings.

Can you open up a command prompt in Windows and provide the following information via ipconfig /all

then in Linux run this command as root

ifconfig

Post the results.

#11 fkmaster (Topic Starter)

Posted 09 June 2010 - 04:26 PM

Sorry for the inconvenience, but my XP is Hungarian. (Translated to English below.)

Windows IP Configuration

        Host Name . . . . . . . . . . . . : notebook1
        Primary DNS Suffix  . . . . . . . : dbk-brikett.hu
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : Yes
        DNS Suffix Search List. . . . . . : dbk-brikett.hu

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : ASUS 802.11g Network Adapter
        Physical Address. . . . . . . . . : 00-0E-A6-22-AC-B4
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Lease Obtained. . . . . . . . . . : 9 June 2010 22:24:47
        Lease Expires . . . . . . . . . . : 10 June 2010 1:24:47

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : 3Com Gigabit LOM (3C940)
        Physical Address. . . . . . . . . : 00-0E-A6-13-7E-53


fkmaster@fkmaster-nb:~$ ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:0e:a6:13:7e:53
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:952 errors:0 dropped:0 overruns:0 frame:0
          TX packets:952 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:194189 (194.1 KB)  TX bytes:194189 (194.1 KB)

wlan0     Link encap:Ethernet  HWaddr 00:0e:a6:22:ac:b4
          inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:a6ff:fe22:acb4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:515 errors:0 dropped:0 overruns:0 frame:0
          TX packets:359 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:305412 (305.4 KB)  TX bytes:59915 (59.9 KB)
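The ifconfig output above shows the relation cryptodan asked about: the wlan0 link-local address fe80::20e:a6ff:fe22:acb4 is the adapter's MAC 00:0e:a6:22:ac:b4 rewritten as a modified EUI-64 interface identifier (U/L bit flipped, ff:fe inserted in the middle). The following Python is an added example, not code from the thread; it derives the link-local address from a MAC and recovers the MAC from such an address, returning None for an identifier that was not built that way (randomised or privacy addresses). WLAN_MAC and WLAN_LINK_LOCAL are copied from the posted ifconfig output; everything else is constructed for the example.

```python
"""Modified EUI-64: the 48-bit MAC embedded in an IPv6 link-local address.

Added example (not from the thread). With stateless autoconfiguration a
host forms its fe80::/64 address from its MAC: flip the universal/local
bit (bit 1 of the first octet) and insert ff:fe between the OUI and the
device part. The reverse mapping reads the MAC back out of the address.
"""
import ipaddress
from typing import Optional

# Values copied from the Linux `ifconfig -a` output posted in the thread.
WLAN_MAC = "00:0e:a6:22:ac:b4"
WLAN_LINK_LOCAL = "fe80::20e:a6ff:fe22:acb4"

LINK_LOCAL_PREFIX = b"\xfe\x80" + bytes(6)   # fe80:0000:0000:0000


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return raw


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) for a MAC address."""
    m = mac_to_bytes(mac)
    first = m[0] ^ 0x02          # flip the universal/local bit
    return bytes([first]) + m[1:3] + b"\xff\xfe" + m[3:6]


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 address a host would autoconfigure from this MAC."""
    addr = ipaddress.IPv6Address(LINK_LOCAL_PREFIX + eui64_from_mac(mac))
    return str(addr)             # ipaddress prints the compressed form


def mac_from_link_local(address: str) -> Optional[str]:
    """Recover the MAC from a link-local address built with modified EUI-64.

    Returns None when the interface identifier does not carry the ff:fe
    marker, which is the case for randomised / privacy identifiers.
    (A random identifier could contain ff:fe by chance, so treat a
    non-None result as a strong hint, not proof.)
    """
    addr = ipaddress.IPv6Address(address)
    if not addr.is_link_local:
        return None
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    print(WLAN_MAC, "->", link_local_from_mac(WLAN_MAC))
    print(WLAN_LINK_LOCAL, "->", mac_from_link_local(WLAN_LINK_LOCAL))
    print("fe80::1234:5678:9abc:def0", "->", mac_from_link_local("fe80::1234:5678:9abc:def0"))
```

Because the MAC is recoverable from the address, an EUI-64 link-local address identifies the hardware to every host on the segment; that is why later operating systems default to randomised interface identifiers.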

#12 cryptodan

Posted 09 June 2010 - 05:30 PM

Can you show your DHCP Client table that is displayed in your router?

#13 fkmaster (Topic Starter)

Posted 10 June 2010 - 02:33 AM

I did it above, but here is the whole thing:

DHCP Reservations List:
Enabled   Computer Name   IP Address      MAC Address
          fkmaster        192.168.0.100   90-e6-ba-1e-e6-51
          fkmaster-nb     192.168.0.101   00-0e-a6-22-ac-b8

Dynamic DHCP Client List:
Host Name   IP Address      MAC Address                         Expired Time
notebook1   192.168.0.103   52415320000EA622ACB4000001000000    Jun/09/2010 16:39:31
notebook1   192.168.0.102   52415320000EA622ACB4000000000000    Jun/09/2010 16:39:31
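The two 32-hex-digit strings in the dynamic list are 16 bytes long, not the 6 bytes of a hardware address; what a router prints in that column is the client identifier the DHCP requester sent (option 61), and it only coincides with the MAC when the client chose to send its MAC. The following Python is an added example, not code from the thread or from any router vendor. It splits each identifier into its parts and checks them against the adapter addresses posted earlier: the first four bytes 52 41 53 20 decode as the ASCII text "RAS ", the next six bytes are exactly the notebook's wireless MAC 00-0E-A6-22-AC-B4 reported by both ipconfig /all and ifconfig -a, and the two rows differ only in the trailing bytes. "RAS " followed by the underlying adapter's MAC is the client-identifier layout Windows uses for DHCP requests made for its RAS interfaces (dial-up, VPN and Internet Connection Sharing connections); which connection on this notebook produced the requests is an open question the thread does not settle, so that attribution is an assumption here. CLIENT_LIST and KNOWN_MACS are constructed from values posted in the thread.

```python
"""Decode the 32-hex-digit "MAC addresses" in a router's dynamic DHCP client list.

Added example (not from the thread). A lease table is keyed by the client
identifier the requester sent (DHCP option 61), and many routers print that
field under the heading "MAC Address". A plain MAC is 6 bytes (12 hex
digits); the rows in the thread are 16 bytes, so they are decoded here as
<4-byte ASCII prefix> <6-byte adapter MAC> <remaining bytes>.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rows copied from the Dynamic DHCP Client List posted in the thread.
CLIENT_LIST: List[Tuple[str, str, str]] = [
    ("notebook1", "192.168.0.103", "52415320000EA622ACB4000001000000"),
    ("notebook1", "192.168.0.102", "52415320000EA622ACB4000000000000"),
]

# Adapter addresses shown by ipconfig /all (XP) and ifconfig -a (Linux) on notebook1.
KNOWN_MACS: Dict[str, str] = {
    "00-0E-A6-22-AC-B4": "ASUS 802.11g wireless adapter",
    "00-0E-A6-13-7E-53": "3Com Gigabit LOM (3C940)",
}


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated (accepts '-' or ':' input)."""
    return mac.lower().replace("-", ":")


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ClientId:
    raw: bytes
    prefix: str            # leading 4 bytes if printable ASCII, else ''
    mac: Optional[str]     # 48-bit hardware address carried in the identifier
    suffix_hex: str        # whatever follows the embedded MAC


def parse_client_id(hexstr: str) -> ClientId:
    """Split a router 'MAC Address' field into prefix / embedded MAC / suffix."""
    raw = bytes.fromhex(hexstr)
    if len(raw) == 6:                      # ordinary 48-bit MAC, nothing to decode
        return ClientId(raw, "", fmt_mac(raw), "")
    if len(raw) < 10:
        raise ValueError(f"too short for a prefixed identifier: {hexstr}")
    head = raw[:4]
    prefix = head.decode("ascii") if all(0x20 <= b < 0x7F for b in head) else ""
    return ClientId(raw, prefix, fmt_mac(raw[4:10]), raw[10:].hex())


def explain_client_list(rows, known_macs) -> List[dict]:
    """For each lease row, report the embedded MAC and which known adapter owns it."""
    known = {normalize_mac(m): name for m, name in known_macs.items()}
    report = []
    for host, ip, field in rows:
        cid = parse_client_id(field)
        report.append({
            "host": host,
            "ip": ip,
            "plain_mac": len(cid.raw) == 6,
            "prefix": cid.prefix,
            "embedded_mac": cid.mac,
            "owner": known.get(cid.mac) if cid.mac else None,
            "suffix": cid.suffix_hex,
        })
    return report


if __name__ == "__main__":
    for r in explain_client_list(CLIENT_LIST, KNOWN_MACS):
        kind = "plain MAC" if r["plain_mac"] else f"prefixed id, prefix {r['prefix']!r}"
        print(f"{r['host']:10} {r['ip']:15} {kind}; embedded MAC {r['embedded_mac']} "
              f"-> {r['owner'] or 'unknown adapter'}; suffix {r['suffix']}")
```

The practical check this gives is whether an unexpected lease embeds the address of an adapter you already own (a second identity requested by the same machine) or a MAC that belongs to nothing on your list; only the latter points at another device on the wireless segment.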

#14 cryptodan

Posted 10 June 2010 - 08:37 AM

Can you take a screenshot of the page?

#15 fkmaster (Topic Starter)

Posted 10 June 2010 - 09:41 AM

I've uploaded it, because I don't know how I could paste it.

Attached file: dhcp.jpg (86.53KB, 8 downloads)




