
Suspicious DNS Entries


74 replies to this topic

#31 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep

  • Members
  • 1,145 posts
  • Gender:Male
  • Location:err: Destination unreachable! bash!

Posted 07 June 2015 - 08:10 AM

www.tcpiputils.com/browse/ip-address/203.94.243.70 and www.tcpiputils.com/browse/ip-address/59.179.243.70 show they are legitimate DNS servers of MTNL.
Probably obtained by the modem when connecting to your ISP (MTNL).
Our task is to verify that the static DNS servers you add stay intact.
Regards : CV
There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when it's shared with others.
Signature contents © cv and Someone.......
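The "verify that the static DNS servers stay intact" step above is easy to automate on the Windows PC behind the modem. The script below is an added example, not code from this thread or from any of the posters: it parses the text of `ipconfig /all` (a constructed sample is embedded so it runs offline; `--live` runs the real command) and flags any resolver that is not on an allowlist. The allowlist holds the MTNL pair named above plus Google's public resolvers; replace it with whatever you actually entered on the modem. It handles IPv4 resolvers only, and the 203.0.113.5 address in the sample is an RFC 5737 documentation address standing in for an unexpected resolver.

```python
"""Compare the DNS servers a Windows PC is actually using against the
resolvers you configured on purpose.

Added example (not from the thread). Parses `ipconfig /all` text and flags
resolvers outside ALLOWED_DNS. IPv4 only.
"""
import re
import subprocess
import sys

# Resolvers you entered yourself. Anything else showing up deserves a look.
ALLOWED_DNS = {"203.94.243.70", "59.179.243.70", "8.8.8.8", "8.8.4.4"}

# Constructed sample of `ipconfig /all` output; not captured from anyone's
# machine. 203.0.113.5 (RFC 5737 documentation range) plays the rogue entry.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.100(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.94.243.70
                                       59.179.243.70

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.101(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.94.243.70
                                       203.0.113.5
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")   # "Ethernet adapter X:"
FIELD_RE = re.compile(r"\s:\s|\s:$")                  # "Name . . . : value" lines
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [IPv4 resolver, ...]} from `ipconfig /all` text.

    The first resolver sits on the "DNS Servers" line; further resolvers are
    indented continuation lines holding only an address. A blank line or the
    next field label ends the list.
    """
    result = {}
    adapter = None
    in_dns_list = False
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            adapter = header.group(1)
            result[adapter] = []
            in_dns_list = False
            continue
        if adapter is None:
            continue
        if "DNS Servers" in line:
            in_dns_list = True
            result[adapter].extend(IPV4_RE.findall(line))
            continue
        if in_dns_list:
            if line.strip() and not FIELD_RE.search(line):
                result[adapter].extend(IPV4_RE.findall(line))
            else:
                in_dns_list = False
    return result


def unexpected_dns(servers_by_adapter, allowed=ALLOWED_DNS):
    """Return {adapter: [resolver, ...]} for resolvers not on the allowlist."""
    flagged = {}
    for adapter, servers in servers_by_adapter.items():
        rogue = [ip for ip in servers if ip not in allowed]
        if rogue:
            flagged[adapter] = rogue
    return flagged


def main(argv):
    if "--live" in argv:
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    flagged = unexpected_dns(parse_dns_servers(text))
    for adapter, rogue in flagged.items():
        print(f"{adapter}: unexpected DNS server(s) {', '.join(rogue)}")
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once after saving the modem settings and again whenever MBAM raises the warning; a non-zero exit means something other than your chosen resolvers is being handed to the PC, which is exactly the change a DNS hijack on the modem produces. If the Linksys hands out its own LAN address as the DNS server, add that address to the allowlist so it is not reported every time.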


#32 Nikhil_CV


Posted 07 June 2015 - 08:13 AM

Sorry, we're replying at the same time.
Okay, don't worry. Let us see what happens after setting the DNS server address manually. :)

#33 maheshursekar

maheshursekar
  • Topic Starter

  • Members
  • 57 posts

Posted 07 June 2015 - 08:19 AM

>> Our task is to verify that the static DNS servers you add stay intact.

 

>> Let us see what happens after setting DNS server address manually

 

Ok, just so that I understand you correctly: though they are legitimate DNS server IPs, you still want me to replace them with the Google ones? So, my modem should have:

Primary DNS Server: 8.8.8.8

Secondary DNS Server: 8.8.4.4



#34 maheshursekar


Posted 07 June 2015 - 08:26 AM

Might seem naive, but if the hacker could hack the MTNL IPs, why would he not be able to do that with the Google IPs? I will do as you say but am asking JFMI.



#35 Nikhil_CV


Posted 07 June 2015 - 08:27 AM

You can either copy paste the current entries in your modem or add the DNS server address that Google provides.

#36 Nikhil_CV


Posted 07 June 2015 - 08:33 AM

Hmmm....
I cannot find a definite answer for you on that case.
But let's hope it isn't the case here... Maybe your modem is vulnerable.
But if I may ask, does MTNL provide some configuration like a username and password for you to add to the modem for successfully connecting to them? I have BSNL and it does so... (don't confuse this user ID with the username and password that you use to see the settings page of the modem)

#37 maheshursekar


Posted 07 June 2015 - 08:38 AM

>> But if I may ask, does mtnl provide some configuration like username password for you to add to the modem for successfully connecting to them?

 

Yes, my telephone number is the login and my CA number is the password. I can't change that as far as I know.

 

>> You can either copy paste the current entries in your modem or add the DNS server address that Google provides.

 

I checked the modem settings and I find I will be copy-pasting the new DNS entries in the same place where they are currently displayed! So, will that make any difference? Especially if I use the DNS entries of MTNL?



#38 Nikhil_CV


Posted 07 June 2015 - 08:51 AM

 

>> Yes, my telephone number is the login and my CA number is the password. I can't change that as far as I know.

Yup, same case here too :)

>> I checked the modem settings and I find I will be copy-pasting the new DNS entries in the same place where they are currently displayed! So, will that make any difference? Especially if I use the DNS entries of MTNL?

Does it have an option like 'use the following DNS server address'? If not, then you need to replace the existing ones.

See: http://setuprouter.com/router/sterlite/sam300ax/dns.htm
http://routerconfigurationindia.blogspot.in/2013/02/mtnlbsnl-sterlite-adsl-router.html



#39 maheshursekar


Posted 07 June 2015 - 09:04 AM

There is a drop-down option with two choices:

 

- Use User Discovered DNS Server only

- Use Auto Discovered DNS Server only

 

above the Edit box where the DNS Server entries are to be made. See pic below:

 

https://drive.google.com/file/d/0Bw398McjwPAaZWRGY1NIV01WZGc/view?usp=sharing

 

By default, the first drop-down option is selected and the entries of the DNS Servers are made below.

Can I use the second option so no manual entry can be made? Of course, the hacker could always change this option too! :-(



#40 Nikhil_CV


Posted 07 June 2015 - 09:17 AM

Use "User Discovered DNS Server only" and add the DNS server addresses of your choice. Then power the modem off and on after saving....



#41 maheshursekar


Posted 07 June 2015 - 09:25 AM

Selected "Use User Discovered DNS Server only" option.

Copy-pasted the MTNL DNS IPs - 203.94.243.70 & 59.179.243.70 - into the Primary & Secondary DNS edit boxes respectively.

Saved the page.

Powered off and on my modem.

 

All is well so far.

 

What next?



#42 Nikhil_CV


Posted 07 June 2015 - 09:31 AM

Glad you've made it this far.

Report back if you get the warning again from MBAM or any other issues... :)


Edited by Nikhil_CV, 07 June 2015 - 09:32 AM.


#43 maheshursekar


Posted 07 June 2015 - 09:34 AM

Ok, will do. Thanks for your help! Keeping fingers crossed.



#44 CaveDweller2

CaveDweller2

  • Members
  • 2,629 posts
  • Gender:Male

Posted 07 June 2015 - 10:47 AM

Something that I caught but then let go for some reason, and that was a mistake: you have the SAM300 AND the Linksys doing DHCP. You need one or the other, but not both. This causes problems.

 

WARNING - Your SAM300 is set to 192.168.1.1 and your Linksys is set to 192.168.0.1 for LAN addresses. If these are not changed at the same time you turn off DHCP, it is likely that you will not be able to surf into whichever one is NOT doing the DHCP. This is changed on the same pages shown below: Router Local IP for the SAM300, Router Address on the Linksys.

 

If you want the Linksys to do DHCP, unplug it for now, plug directly into the SAM300, and do the ipconfig release/renew dance*. Then, per this screenshot, under the DHCP section, put a tick by Disabled. Also change the Router Local IP address to 192.168.0.2 (this is the new address to get into this device), and click Save. You'll have to enter the new address in to see the results.

 

If you want the SAM300 to do DHCP, then per this completely clickable screenshot (just like you are looking at your router page, lol), put a tick by Disabled. Also, change the Router Address to 192.168.1.2 (this is the new address to get into this device), and Save Settings. You'll have to enter the new address in to see the results. But you will also have to do the ipconfig release/renew dance* on your PC, and everything else should be powered off and back on.

 

Personally, I would let the Linksys do the DHCP, because it already is for your devices. That way there is no need to do the ipconfig release/renew dance* and power devices off and on.

 

More of an FYI: in your current setup, making changes to your DNS in the SAM300 will have no effect on the PC until you power the Linksys off and on and then either do the ipconfig release/renew dance* OR reboot your PC. You make the changes in the SAM300, the DHCP server; the Linksys is a DHCP client of the SAM300, so you need to get it to request new DHCP info (i.e. power off and on). The Linksys is the DHCP server of your devices, so the changes made in it won't be on your devices until you request new DHCP info (i.e. ipconfig release/renew dance*) OR reboot them.

 

* ipconfig release/renew dance - open a command prompt, type ipconfig /release, hit Enter, then type ipconfig /renew and hit Enter.


Edited by CaveDweller2, 07 June 2015 - 10:52 AM.

Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College
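The WARNING in the post above (turn off DHCP on one router without moving it into the other router's subnet and you lose its admin page) comes down to a subnet check, and the re-addressing step has a second trap the post does not spell out: the new static address must not sit inside the surviving DHCP server's lease pool. The script below is an added example, not code from the thread or from either poster; it checks both conditions for the two options described. The /24 masks and the pool range (host numbers 100-149 of the DHCP server's subnet) are assumptions based on common consumer-router defaults; the thread does not state them, so read the real values off the DHCP page of whichever router keeps serving leases.

```python
"""Sanity-check a two-router plan before disabling DHCP on one of them.

Added example (not from the thread). Setup from the thread: a Sterlite
SAM300 at 192.168.1.1 and a Linksys at 192.168.0.1, both serving DHCP.
Rule from the post: only one may serve DHCP, and the one that stops must be
moved into the surviving DHCP server's subnet or the PCs cannot reach it.
Assumptions: /24 masks and a lease pool of host numbers 100-149.
"""
import ipaddress


def reachable_from_lan(dhcp_router, device_addr):
    """True if a PC that took a lease from dhcp_router ("addr/prefix") can
    reach device_addr directly, i.e. both sit in the same subnet.

    This is the WARNING case: a PC leased 192.168.0.x by the Linksys
    cannot browse to a SAM300 left at 192.168.1.1.
    """
    lan = ipaddress.ip_interface(dhcp_router).network
    return ipaddress.ip_address(device_addr) in lan


def check_new_address(dhcp_router, new_device_addr, pool=None):
    """Problems with the static address chosen for the router whose DHCP is
    being disabled.

    dhcp_router: "addr/prefix" of the router that keeps serving DHCP.
    new_device_addr: proposed new LAN address for the other router.
    pool: (first, last) of the DHCP lease range; when None, host numbers
    100-149 of the DHCP server's subnet are assumed.
    Returns a list of problem strings; an empty list means the plan is sound.
    """
    server = ipaddress.ip_interface(dhcp_router)
    addr = ipaddress.ip_address(new_device_addr)
    if pool is None and server.network.num_addresses > 150:
        pool = (str(server.network[100]), str(server.network[149]))  # assumption
    problems = []
    if addr not in server.network:
        problems.append(f"{addr} is outside {server.network}; leased PCs will "
                        "not be able to reach it")
        return problems
    if addr == server.ip:
        problems.append(f"{addr} collides with the DHCP router's own address")
    if addr in (server.network.network_address,
                server.network.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address")
    if pool is not None:
        first, last = (ipaddress.ip_address(p) for p in pool)
        if first <= addr <= last:
            problems.append(f"{addr} lies inside the DHCP pool {first}-{last}; "
                            "a leased PC could collide with it")
    return problems


def describe_plan(dhcp_router, other_router_old, other_router_new):
    """Summarise one option: which router stays the DHCP server, whether the
    other one is reachable if left alone, and whether the new address is OK."""
    return {
        "dhcp_server": dhcp_router,
        "reachable_if_left_alone": reachable_from_lan(dhcp_router, other_router_old),
        "reachable_after_change": reachable_from_lan(dhcp_router, other_router_new),
        "problems": check_new_address(dhcp_router, other_router_new),
    }


if __name__ == "__main__":
    # Option the post recommends: Linksys keeps DHCP, SAM300 moves to 192.168.0.2.
    print(describe_plan("192.168.0.1/24", "192.168.1.1", "192.168.0.2"))
    # The other option: SAM300 keeps DHCP, Linksys moves to 192.168.1.2.
    print(describe_plan("192.168.1.1/24", "192.168.0.1", "192.168.1.2"))
```

Both options from the post come back clean, and the script makes the failure mode concrete: `reachable_if_left_alone` is False for each, which is why the address change and the DHCP change have to happen in the same sitting, before the browser tab to the old address is closed.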


#45 maheshursekar


Posted 09 June 2015 - 07:06 AM

Hi CaveDweller2: Sorry for the delayed reply. Will turn off DHCP on the Sterlite and let the Linksys do it, as suggested by you. However, just one bit of clarification - I'm not very network savvy, so I generally prefer to stick to default options as far as possible - so, could you let me know if this change will make my configuration more secure? i.e. help prevent the attack I have been facing multiple times? Or is it more of a good practice? I'm not averse to one, but if something goes wrong, I fear I may not be able to fix it on my own. Thanks!





