
Thread: Weird DNS lookup results

  1. #1
    Elite Member ghost's Avatar
    Join Date
    Oct 1999
    Location
    Virginia
    Posts
    11,599

    Weird DNS lookup results

    Check this out, I entered the IP (INTO NETLAB) of what IE is attempting to connect to when I try to go to google.com and here's the result:
    Code:
    Host name: www.google.akadns.net
    IP address: 207.44.220.30
    Alias(es): www.google.com
    	   google.com
    	   www.altavista.com
    	   altavista.com
    	   search.yahoo.com
    	   uk.search.yahoo.com
    	   ca.search.yahoo.com
    	   jp.search.yahoo.com
    	   au.search.yahoo.com
    	   de.search.yahoo.com
    	   search.yahoo.co.jp
    	   www.lycos.de
    	   www.lycos.ca
    	   www.lycos.jp
    	   www.lycos.co.jp
    	   alltheweb.com
    	   web.ask.com
    	   ask.com
    	   www.ask.com
    	   www.teoma.com
    	   search.aol.com
    	   www.looksmart.com
    	   auto.search.msn.com
    	   search.msn.com
    	   ca.search.msn.com
    	   fr.ca.search.msn.com
    WTF is this?

  2. #2
    Uninsured for your health
    Join Date
    Jan 2001
    Location
    Stockton, CA
    Posts
    10,032
    what are sites that use the Google search technology? Alex

    My guess would be those sites use Google for their search engine...
    Quote Originally Posted by Three Rivers Designs
    America! Love it or give it back!

  3. #3
    Elite Member ghost's Avatar
    Join Date
    Oct 1999
    Location
    Virginia
    Posts
    11,599
    I checked my hosts file and those were listed. Deleted them.

    I updated AdAware and ran. Deleted some things.

    I updated SpyBot and ran. Deleted some things.

    Still couldn't get to http://www.google.com.

    <reboot>

    Everything is okay now.

    SpyBot found some things that AdAware didn't. This is the first time that AdAware was insufficient for fixing the problem.

  4. #4
    Between Light & Shadows Unholy's Avatar
    Join Date
    Mar 2001
    Location
    Somewhere Over There
    Posts
    2,819
    I think you might have gotten the DNS worm; check Symantec.
    "I was once banned from a bookstore for moving all the bibles to fiction"

  5. #5
    Elite Member ghost's Avatar
    Join Date
    Oct 1999
    Location
    Virginia
    Posts
    11,599
    Originally posted by Unholy
    I think you might have gotten the DNS worm; check Symantec.
    Couple of things to think that I'm not...

    1. I have my CA AV prog set to "real time," so it intercepts viruses/trojans in action. I have it automatically d/l and install updates DAILY and run daily as well.

    2. I have Script Defender installed on my computer so that files with the following extensions: .VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

    MUST have my permission to do anything to my computer prior to their execution.

    Thanks for posting about the DNS worm though, it was interesting reading.

  6. #6
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Originally posted by ghost
    Couple of things to think that I'm not...

    1. I have my CA AV prog set to "real time," so it intercepts viruses/trojans in action. I have it automatically d/l and install updates DAILY and run daily as well.

    2. I have Script Defender installed on my computer so that files with the following extensions: .VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

    MUST have my permission to do anything to my computer prior to their execution.

    Thanks for posting about the DNS worm though, it was interesting reading.
    When I was having problems getting into google, I was getting the same indications that you were. Found the hosts file that had those references as well. I also had found that an ip address had been inserted manually into the dns settings of my nic.

    Bounced everything off of the information regarding the DNS worm, and nothing showed up on my machine. Also, the hosts file that you had found that had all the entries, was that in the C:\windows\help directory?
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein

  7. #7
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Originally posted by Unholy
    I think you might have gotten the DNS worm; check Symantec.
    I found the temp directory that this worm creates on my machine, but no evidence of the files that would have been associated with it, and I can't find any evidence that my virus scanner cleaned anything as well...

    Time to go check the kids computers as well...
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein

  8. #8
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,965
    There's been a couple of odd things happening regarding DNS over the past week. Many peeps I know who use different ISP's.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  9. #9
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Originally posted by YeOldeStonecat
    There's been a couple of odd things happening regarding DNS over the past week. Many peeps I know who use different ISP's.
    I wonder if it could be a variation of the Trojan.Qhosts worm...

    It's almost like I got an aborted version of the worm...couldn't find any of the registry entries that symantec describes, nor any of the associated files, but I did find the temp directory, as well as the altered hosts file in C:\windows\help and a manually entered dns entry in my nic properties...

    No evidence of a viral removal from AVG...
    No evidence from Spybot...
    No evidence from Ad-aware...

    Just weird...
    Last edited by Indy; 10-04-03 at 11:25 PM.
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein

  10. #10
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,965
    Originally posted by Tony B
    I wonder if it could be a variation of the Trojan.Qhosts worm...

    Could be. A few days ago, I posted here if anyone had problems surfing the night before. It was like another mass coordinated DDOS attack was going on against root DNS servers. I could ping by IP, but could not ping, or even resolve, by name. I couldn't browse, but I could still chat via ICQ, and play online games. That same night, 3x buddies of mine, each using a different ISP, had the same thing going on. We were able to chat on ICQ, but not websurf.

    Yet...next day...everything was fine...and I'm still fine. If I had that worm, I'd still be affected...I'd imagine.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  11. #11
    Elite Member ghost's Avatar
    Join Date
    Oct 1999
    Location
    Virginia
    Posts
    11,599
    Originally posted by Tony B
    When I was having problems getting into google, I was getting the same indications that you were. Found the hosts file that had those references as well. I also had found that an ip address had been inserted manually into the dns settings of my nic.

    Bounced everything off of the information regarding the DNS worm, and nothing showed up on my machine. Also, the hosts file that you had found that had all the entries, was that in the C:\windows\help directory?
    Yep, in that same directory.

    Checked my NIC, no entries & all fixed now. No virus/trojan.

  12. #12
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Originally posted by ghost
    Yep, in that same directory.

    Checked my NIC, no entries & all fixed now. No virus/trojan.
    Weird...none of this is making any sense...
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein

  13. #13
    Senior Member Sid's Avatar
    Join Date
    Sep 2000
    Location
    Hell's Kitchen
    Posts
    5,174

  14. #14
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Looks like we're not the only ones having problems...

    http://forums.speedguide.net/showthr...68#post1136868
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein

  15. #15
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Originally posted by Tony B
    Looks like we're not the only ones having problems...

    http://forums.speedguide.net/showthr...68#post1136868
    and

    http://www.dslreports.com/forum/rema...cast~mode=flat
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein

  16. #16
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Still have the old hosts file (just backed it up as opposed to deleting it)...here is what it looks like:

    Code:
    88.88.88.88 elite 
    207.44.220.30 www.google.akadns.net 
    207.44.220.30 www.google.com 
    207.44.220.30 google.com 
    207.44.220.30 www.altavista.com 
    207.44.220.30 altavista.com 
    207.44.220.30 search.yahoo.com 
    207.44.220.30 uk.search.yahoo.com 
    207.44.220.30 ca.search.yahoo.com 
    207.44.220.30 jp.search.yahoo.com 
    207.44.220.30 au.search.yahoo.com 
    207.44.220.30 de.search.yahoo.com 
    207.44.220.30 search.yahoo.co.jp 
    207.44.220.30 www.lycos.de 
    207.44.220.30 www.lycos.ca 
    207.44.220.30 www.lycos.jp 
    207.44.220.30 www.lycos.co.jp 
    207.44.220.30 alltheweb.com 
    207.44.220.30 web.ask.com 
    207.44.220.30 ask.com 
    207.44.220.30 www.ask.com 
    207.44.220.30 www.teoma.com 
    207.44.220.30 search.aol.com 
    207.44.220.30 www.looksmart.com 
    207.44.220.30 auto.search.msn.com 
    207.44.220.30 search.msn.com 
    207.44.220.30 ca.search.msn.com 
    207.44.220.30 fr.ca.search.msn.com 
    207.44.220.30 search.fr.msn.be 
    207.44.220.30 search.fr.msn.ch 
    207.44.220.30 search.latam.yupimsn.com 
    207.44.220.30 search.msn.at 
    207.44.220.30 search.msn.be 
    207.44.220.30 search.msn.ch 
    207.44.220.30 search.msn.co.in 
    207.44.220.30 search.msn.co.jp 
    207.44.220.30 search.msn.co.kr 
    207.44.220.30 search.msn.com.br 
    207.44.220.30 search.msn.com.hk 
    207.44.220.30 search.msn.com.my 
    207.44.220.30 search.msn.com.sg 
    207.44.220.30 search.msn.com.tw 
    207.44.220.30 search.msn.co.za 
    207.44.220.30 search.msn.de 
    207.44.220.30 search.msn.dk 
    207.44.220.30 search.msn.es 
    207.44.220.30 search.msn.fi 
    207.44.220.30 search.msn.fr 
    207.44.220.30 search.msn.it 
    207.44.220.30 search.msn.nl 
    207.44.220.30 search.msn.no 
    207.44.220.30 search.msn.se 
    207.44.220.30 search.ninemsn.com.au 
    207.44.220.30 search.t1msn.com.mx 
    207.44.220.30 search.xtramsn.co.nz 
    207.44.220.30 search.yupimsn.com 
    207.44.220.30 uk.search.msn.com 
    207.44.220.30 search.lycos.com 
    207.44.220.30 www.lycos.com 
    207.44.220.30 www.google.ca 
    207.44.220.30 google.ca 
    207.44.220.30 www.google.uk 
    207.44.220.30 www.google.co.uk 
    207.44.220.30 www.google.com.au 
    207.44.220.30 www.google.co.jp 
    207.44.220.30 www.google.jp 
    207.44.220.30 www.google.at 
    207.44.220.30 www.google.be 
    207.44.220.30 www.google.ch 
    207.44.220.30 www.google.de 
    207.44.220.30 www.google.se 
    207.44.220.30 www.google.dk 
    207.44.220.30 www.google.fi 
    207.44.220.30 www.google.fr 
    207.44.220.30 www.google.com.gr 
    207.44.220.30 www.google.com.hk 
    207.44.220.30 www.google.ie 
    207.44.220.30 www.google.co.il 
    207.44.220.30 www.google.it 
    207.44.220.30 www.google.co.kr 
    207.44.220.30 www.google.com.mx 
    207.44.220.30 www.google.nl 
    207.44.220.30 www.google.co.nz 
    207.44.220.30 www.google.pl 
    207.44.220.30 www.google.pt 
    207.44.220.30 www.google.com.ru 
    207.44.220.30 www.google.com.sg 
    207.44.220.30 www.google.co.th 
    207.44.220.30 www.google.com.tr 
    207.44.220.30 www.google.com.tw 
    207.44.220.30 go.google.com 
    207.44.220.30 google.at 
    207.44.220.30 google.be 
    207.44.220.30 google.de 
    207.44.220.30 google.dk 
    207.44.220.30 google.fi 
    207.44.220.30 google.fr 
    207.44.220.30 google.com.hk 
    207.44.220.30 google.ie 
    207.44.220.30 google.co.il 
    207.44.220.30 google.it 
    207.44.220.30 google.co.kr 
    207.44.220.30 google.com.mx 
    207.44.220.30 google.nl 
    207.44.220.30 google.co.nz 
    207.44.220.30 google.pl 
    207.44.220.30 google.com.ru 
    207.44.220.30 google.com.sg 
    207.44.220.30 www.hotbot.com 
    207.44.220.30 hotbot.com
    The 207.44.220.30 address resolves to a DNS name of ns1.sitething.net, but when I do a lookup of ns1.sitething.net, it tells me that name is available for registration.
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein
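
Added example (not from any poster in this thread): a hosts-file audit that flags the pattern in the file posted above, one non-loopback address claiming many unrelated sites. The sample input is constructed from an abridged copy of that file; `SECOND_LEVEL` and the `min_domains` threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a few benign lines plus an abridged copy of the
# redirect entries from the hosts file posted above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.example.invalid   # ad-blocking style entry, sinkholed locally
88.88.88.88 elite
207.44.220.30 www.google.akadns.net
207.44.220.30 www.google.com
207.44.220.30 google.com
207.44.220.30 www.altavista.com
207.44.220.30 search.yahoo.co.jp
207.44.220.30 search.msn.com
207.44.220.30 www.lycos.com
207.44.220.30 www.hotbot.com
"""

# Assumption: a short list of second-level labels used under country codes,
# standing in for the full Public Suffix List.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}


def parse_hosts(text):
    """Yield (ip, hostname) for each name on each valid hosts line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP literal
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def registrable(hostname):
    """Approximate the registrable domain (search.yahoo.co.jp -> yahoo.co.jp)."""
    labels = hostname.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit_hosts(text, min_domains=3):
    """Return {ip: sorted domains} for addresses that claim many sites.

    Loopback and unspecified addresses are skipped: mapping many names to
    127.0.0.1 or 0.0.0.0 blocks them rather than redirecting them.
    """
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        by_ip[str(ip)].add(registrable(name))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for ip, domains in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{ip} claims {len(domains)} unrelated domains: {', '.join(domains)}")
```

Feed it the text of whichever hosts file the machine is actually using; in this thread the altered file was in C:\windows\help rather than the default location.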

  17. #17
    Senior Member Sid's Avatar
    Join Date
    Sep 2000
    Location
    Hell's Kitchen
    Posts
    5,174
    Clear your host file again then from command line do
    "ipconfig /flushdns" command

  18. #18
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Originally posted by Sid
    Clear your host file again then from command line do
    "ipconfig /flushdns" command
    I'm clean as far as that goes, just trying to find out what caused this to begin with...
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein

  19. #19
    SCSI Dude Faust's Avatar
    Join Date
    Apr 2000
    Location
    Huntington Beach, CA
    Posts
    8,711
    Originally posted by Tony B
    Still have the old hosts file (just backed it up as opposed to deleting it)...here is what it looks like:

    The 207.44.220.30 address resolves to a DNS name of ns1.sitething.net, but when I do a lookup of ns1.sitething.net, it tells me that name is available for registration.


    yep, there we go... that's exactly what i was talking about (in the other thread)......... all major search engines being redirected. after some thought it occurred to me that the reason it redirects search engines is because they are the most commonly accessed type of website. why would this be useful? (besides pop-up ads or search tracking by using their search service)...... the main benefit i can see is, even without a webpage at the IP/domain name, logs at the host computer could record the IP addresses from everyone who was redirected to the site. why would they want a perpetually updating list of IPs with a computer and user attached to them? lots of reasons, i suppose.


    and as far as where it came from? i don't know..... all it takes is one click of the word "yes" on a Windows "would you like to ......" (which most people do indiscriminately) pop-up and you're boned.
    "Today is a black day in the history of mankind."

    - Leo Szilard

  20. #20
    Certified SG Addict Indy's Avatar
    Join Date
    Feb 2000
    Location
    Amarillo, TX
    Posts
    25,529
    Blog Entries
    24
    Originally posted by Faust
    and as far as where it came from? i don't know..... all it takes is one click of the word "yes" on a Windows "would you like to ......" (which most people do indiscriminately) pop-up and you're boned.
    Now that I think about it, my wife did tell me that a pop up came up that said my computer had a virus...but it was one of those fake types of pop ups that people use to try and get you to click onto their site...I told her never to close the window by clicking on the 'ok' button in the popup, but to close it by the 'x' on the upper right hand side of the popup...I have a feeling she may have clicked on the popup...
    ------
    “The most beautiful thing we can experience in life is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: for his eyes are closed.” - Albert Einstein
