
DNS hijacking


11 replies to this topic

#1 asc442750

asc442750

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 10 November 2016 - 08:56 AM

Hello,

 

I've been trying to figure out something on our office network for a week now. It began when I noticed that woot.com was very slow to load and saw that it was hanging up waiting for www.google-analytics.com.

 

I ran AdwCleaner and Malwarebytes but neither found anything.

 

Further digging revealed that the DNS address for www.google-analytics.com was being redirected to 82.163.143.98, which ends up in Israel going to bezeqint.net. The TRACERT ends up failing going to it, as does ping, which returns nothing.

 

The DNS settings on the computers were unchanged as were the hosts files. The computers are on a domain, and they have the server listed as the first DNS provider and our router listed as the second. I was unable to find anything suspicious on the server, so I checked the router.

 

The router is a Linksys WRT1900AC. If I unplug the router and plug it back in, the problem goes away for about 24 hours then returns, which led me to suspect the router. I updated the firmware, but to no effect. 

 

I changed the DNS settings on the router to OpenDNS and removed the DNS entry to the router, but that didn't fix it.

If I do a ping from the router diagnostics, it works correctly at all times.

 

I still haven't ruled out an issue with our server, though. I have one workstation that doesn't really get used, so I removed it from the domain and changed the DNS settings to OpenDNS, and that workstation seems unaffected while the rest are.

 

I'm not sure what else to look at from here.


#2 jcdang

jcdang

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 12 November 2016 - 12:54 AM

I'm having the same issue.  I also have a WRT1900AC.

 

I ran host -a www.gstatic.com and it was pointing to 82.163.143.98.


Edited by jcdang, 12 November 2016 - 12:55 AM.
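The resolver comparison the two posts above describe, written up as an added example that is not part of the thread: it parses `host -a` answer lines and flags an address that the LAN (router) resolver hands out for several unrelated hostnames but that a reference resolver never returns, which is the pattern seen for www.google-analytics.com and www.gstatic.com here. The sample outputs are constructed, the 203.0.113.x addresses are TEST-NET placeholders, and BIND `host` on PATH is assumed only for the live `query()` helper.

```python
import subprocess

# Constructed sample: `host -a` answer sections as the thread reports them.
# 82.163.143.98 is the address named in the thread; 203.0.113.x are placeholders.
LAN_OUTPUT = {
    "www.google-analytics.com": "www.google-analytics.com. 300 IN A 82.163.143.98\n",
    "www.gstatic.com": "www.gstatic.com. 300 IN A 82.163.143.98\n",
    "woot.com": "woot.com. 60 IN A 203.0.113.10\n",
}
REF_OUTPUT = {  # same names via a reference resolver such as OpenDNS
    "www.google-analytics.com": "www.google-analytics.com. 300 IN A 203.0.113.20\n",
    "www.gstatic.com": "www.gstatic.com. 300 IN A 203.0.113.21\n",
    "woot.com": "woot.com. 60 IN A 203.0.113.10\n",
}

def parse_a_records(host_output):
    """Return the set of A-record addresses from `host -a` / dig answer lines
    (format: name ttl IN A address); other lines are ignored."""
    addrs = set()
    for line in host_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            addrs.add(fields[4])
    return addrs

def query(hostname, resolver):
    """Live lookup via a chosen resolver: `host -a <name> <resolver>` (needs network)."""
    out = subprocess.run(["host", "-a", hostname, resolver],
                         capture_output=True, text=True, check=False).stdout
    return parse_a_records(out)

def suspect_addresses(lan, ref):
    """lan/ref map hostname -> set of addresses. CDN names legitimately resolve
    differently per resolver, so a plain mismatch is weak evidence; the strong
    signal is one address handed out for two or more unrelated names by the LAN
    resolver and never seen from the reference resolver."""
    seen = {}
    for name, addrs in lan.items():
        for addr in addrs:
            seen.setdefault(addr, set()).add(name)
    ref_addrs = set().union(*ref.values())
    return {a: names for a, names in seen.items()
            if len(names) >= 2 and a not in ref_addrs}

def check(lan_output=LAN_OUTPUT, ref_output=REF_OUTPUT):
    lan = {n: parse_a_records(o) for n, o in lan_output.items()}
    ref = {n: parse_a_records(o) for n, o in ref_output.items()}
    return suspect_addresses(lan, ref)

if __name__ == "__main__":
    for addr, names in check().items():
        print(f"{addr} returned for {sorted(names)}: LAN resolver likely hijacked")
```

To run it live, replace the constructed dictionaries with `query(name, "<router-ip>")` and `query(name, "208.67.222.222")` for a handful of unrelated hostnames.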


#3 jcdang

jcdang

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 12 November 2016 - 01:34 AM

I replaced the Linksys router and everything is back to normal.



#4 asc442750

asc442750
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 13 November 2016 - 12:33 PM

You can try replacing the router since it's probably a default setting in the router when it is connected. Or call a local

Since it is a $200 router that is only 6 months old, I was hoping for a way to rule it out without throwing it away. Thank you though.


Edited by Chris Cosgrove, 16 November 2016 - 05:57 PM.
Accidental spam link removed.


#5 asc442750

asc442750
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 15 November 2016 - 09:30 AM

For what it's worth, I tried resetting the router back to factory defaults and the problem has gone away. I still don't know what vulnerability caused it in the first place, so I can't say that it won't return.



#6 HolyCowz

HolyCowz

  • Members
  • 168 posts
  • OFFLINE
  • Gender:Male
  • Location:GMT
  • Local time:03:21 PM

Posted 15 November 2016 - 01:30 PM

Did you turn remote administration off? 



#7 asc442750

asc442750
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 15 November 2016 - 02:29 PM

As far as I can tell, the WRT1900 does not support remote administration except via their Smart Wi-Fi website, which I never set up. I only have the local admin password set.



#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,326 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:21 AM

Posted 15 November 2016 - 02:38 PM

Moved to Networking from AII to see if there are suggestions.

#9 Trikein

Trikein

  • Members
  • 1,321 posts
  • OFFLINE
  • Gender:Male
  • Location:Rhode Island, US
  • Local time:09:21 AM

Posted 16 November 2016 - 09:13 AM

Do you use IPv6 on your network? Some ISPs have issues with IPv6 DNS.



#10 HolyCowz

HolyCowz

  • Members
  • 168 posts
  • OFFLINE
  • Gender:Male
  • Location:GMT
  • Local time:03:21 PM

Posted 17 November 2016 - 05:05 AM

Have you gone through the router logs to look for clues to what might be happening? I'm presuming it has logs.



#11 asc442750

asc442750
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 17 November 2016 - 07:20 AM

Have you gone through the router logs to look for clues to what might be happening? I'm presuming it has logs.

It does have logs but they aren't enabled by default. I have since turned them on, but since I reset the router back to default the problem hasn't reappeared so I haven't seen anything suspicious in them yet.



#12 HolyCowz

HolyCowz

  • Members
  • 168 posts
  • OFFLINE
  • Gender:Male
  • Location:GMT
  • Local time:03:21 PM

Posted 17 November 2016 - 07:23 AM

Good luck :) Hope all is ok now.
