Weird DNS lookup results

[ghost]

Check this out, I entered the IP (INTO NETLAB) of what IE is attempting to connect to when I try to go to google.com and here's the result:

Code:

Host name: www.google.akadns.net
IP address: 207.44.220.30
Alias(es): www.google.com
	   google.com
	   www.altavista.com
	   altavista.com
	   search.yahoo.com
	   uk.search.yahoo.com
	   ca.search.yahoo.com
	   jp.search.yahoo.com
	   au.search.yahoo.com
	   de.search.yahoo.com
	   search.yahoo.co.jp
	   www.lycos.de
	   www.lycos.ca
	   www.lycos.jp
	   www.lycos.co.jp
	   alltheweb.com
	   web.ask.com
	   ask.com
	   www.ask.com
	   www.teoma.com
	   search.aol.com
	   www.looksmart.com
	   auto.search.msn.com
	   search.msn.com
	   ca.search.msn.com
	   fr.ca.search.msn.com

WTF is this?

[CiscoKid]

what are sites that use the Google search technology? Alex

My guess would be those sites google for their search engine...

[ghost]

I checked my hosts file and those were listed. Deleted them.

I updated AdAware and ran. Deleted some things.

I updated SpyBot and ran. Deleted some things.

Still couldn't get to http://www.google.com.

<reboot>

Everything is okay now.

SpyBot found some things that AdAware didn't. This is the first time that AdAware was insufficient fixing the problem.

[Unholy]

I think you might have gotten the DNS worm check symantec

[ghost]

Originally posted by Unholy
I think you might have gotten the DNS worm check symantec

Couple of things to think that I'm not...

1. I have my CA AV prog set to "real time," so it intercepts viruses/trojans in action. I have it automatically d/l and install updates DAILY and run daily as well.

2. I have Script Defender installed on my computer so that files with the following extensions: .VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

MUST have my permission to do anything to my computer prior to their execution.

Thanks for posting about the DNS worm though, it was interesting reading.

[Indy]

Originally posted by ghost
Couple of things to think that I'm not...

1. I have my CA AV prog set to "real time," so it intercepts viruses/trojans in action. I have it automatically d/l and install updates DAILY and run daily as well.

2. I have Script Defender installed on my computer so that files with the following extensions: .VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

MUST have my permission to do anything to my computer prior to their execution.

Thanks for posting about the DNS worm though, it was interesting reading.

When I was having problems getting into google, I was getting the same indications that you were. Found the hosts file that had those references as well. I also had found that an ip address had been inserted manually into the dns settings of my nic.

Bounced everything off of the information regarding the DNS worm, and nothing showed up on my machine. Also, the hosts file that you had found that had all the entries, was that in the C:\windows\help directory?

[Indy]

Originally posted by Unholy
I think you might have gotten the DNS worm check symantec

I found the temp directory that this worm creates on my machine, but no evidence of the files that would have been associated with it, and I can't find any evidence that my virus scanner cleaned anything as well...

Time to go check the kids computers as well...

[YeOldeStonecat]

There's been a couple of odd things happening regarding DNS over the past week. Many peeps I know who use different ISP's.

[Indy]

Originally posted by YeOldeStonecat
There's been a couple of odd things happening regarding DNS over the past week. Many peeps I know who use different ISP's.

I wonder if it could be a variation of the Trojan.Qhosts worm...

It's almost like I got an aborted version of the worm...couldn't find any of the registry entries that symantec describes, nor any of the associated files, but I did find the temp directory, as well as the altered hosts file in C:\windows\help and a manually entered dns entry in my nic properties...

No evidence of a viral removal from AVG...
No evidence from Spybot...
No evidence from Ad-aware...

Just weird...

[YeOldeStonecat]

Originally posted by Tony B
I wonder if it could be a variation of the Trojan.Qhosts worm...

Could be. A few days ago, I posted here if anyone had problems surfing the night before. It was like another mass coordinated DDOS attack was going on against root DNS servers. I could ping by IP, but could not ping, or even resolve, by name. I couldn't browse, but I could still chat via ICQ, and play online games. That same night, 3x buddies of mine, each using a different ISP, had the same thing going on . We were able to chat on ICQ, but not websurf.

Yet...next day...everything was fine...and I'm still fine. If I had that worm, I'd still be affected...I'd imagine.

[ghost]

Originally posted by Tony B
When I was having problems getting into google, I was getting the same indications that you were. Found the hosts file that had those references as well. I also had found that an ip address had been inserted manually into the dns settings of my nic.

Bounced everything off of the information regarding the DNS worm, and nothing showed up on my machine. Also, the hosts file that you had found that had all the entries, was that in the C:\windows\help directory?

Yep, in that same directory.

Checked my NIC, no entries & all fixed now. No virus/trojan.

[Indy]

Originally posted by ghost
Yep, in that same directory.

Checked my NIC, no entries & all fixed now. No virus/trojan.

Weird...none of this is making any sense...

[Sid]

This may shed some light on it.

http://www.nwfusion.com/news/2003/0922icannasks.html

[Indy]

Looks like we're not the only ones having problems...

http://forums.speedguide.net/showthr...68#post1136868

[Indy]

Originally posted by Tony B
Looks like we're not the only ones having problems...

http://forums.speedguide.net/showthr...68#post1136868

and

http://www.dslreports.com/forum/rema...cast~mode=flat

[Indy]

Still have the old hosts file (just backed it up as opposed to deleting it)...here is what it looks like:

Code:

88.88.88.88 elite 
207.44.220.30 www.google.akadns.net 
207.44.220.30 www.google.com 
207.44.220.30 google.com 
207.44.220.30 www.altavista.com 
207.44.220.30 altavista.com 
207.44.220.30 search.yahoo.com 
207.44.220.30 uk.search.yahoo.com 
207.44.220.30 ca.search.yahoo.com 
207.44.220.30 jp.search.yahoo.com 
207.44.220.30 au.search.yahoo.com 
207.44.220.30 de.search.yahoo.com 
207.44.220.30 search.yahoo.co.jp 
207.44.220.30 www.lycos.de 
207.44.220.30 www.lycos.ca 
207.44.220.30 www.lycos.jp 
207.44.220.30 www.lycos.co.jp 
207.44.220.30 alltheweb.com 
207.44.220.30 web.ask.com 
207.44.220.30 ask.com 
207.44.220.30 www.ask.com 
207.44.220.30 www.teoma.com 
207.44.220.30 search.aol.com 
207.44.220.30 www.looksmart.com 
207.44.220.30 auto.search.msn.com 
207.44.220.30 search.msn.com 
207.44.220.30 ca.search.msn.com 
207.44.220.30 fr.ca.search.msn.com 
207.44.220.30 search.fr.msn.be 
207.44.220.30 search.fr.msn.ch 
207.44.220.30 search.latam.yupimsn.com 
207.44.220.30 search.msn.at 
207.44.220.30 search.msn.be 
207.44.220.30 search.msn.ch 
207.44.220.30 search.msn.co.in 
207.44.220.30 search.msn.co.jp 
207.44.220.30 search.msn.co.kr 
207.44.220.30 search.msn.com.br 
207.44.220.30 search.msn.com.hk 
207.44.220.30 search.msn.com.my 
207.44.220.30 search.msn.com.sg 
207.44.220.30 search.msn.com.tw 
207.44.220.30 search.msn.co.za 
207.44.220.30 search.msn.de 
207.44.220.30 search.msn.dk 
207.44.220.30 search.msn.es 
207.44.220.30 search.msn.fi 
207.44.220.30 search.msn.fr 
207.44.220.30 search.msn.it 
207.44.220.30 search.msn.nl 
207.44.220.30 search.msn.no 
207.44.220.30 search.msn.se 
207.44.220.30 search.ninemsn.com.au 
207.44.220.30 search.t1msn.com.mx 
207.44.220.30 search.xtramsn.co.nz 
207.44.220.30 search.yupimsn.com 
207.44.220.30 uk.search.msn.com 
207.44.220.30 search.lycos.com 
207.44.220.30 www.lycos.com 
207.44.220.30 www.google.ca 
207.44.220.30 google.ca 
207.44.220.30 www.google.uk 
207.44.220.30 www.google.co.uk 
207.44.220.30 www.google.com.au 
207.44.220.30 www.google.co.jp 
207.44.220.30 www.google.jp 
207.44.220.30 www.google.at 
207.44.220.30 www.google.be 
207.44.220.30 www.google.ch 
207.44.220.30 www.google.de 
207.44.220.30 www.google.se 
207.44.220.30 www.google.dk 
207.44.220.30 www.google.fi 
207.44.220.30 www.google.fr 
207.44.220.30 www.google.com.gr 
207.44.220.30 www.google.com.hk 
207.44.220.30 www.google.ie 
207.44.220.30 www.google.co.il 
207.44.220.30 www.google.it 
207.44.220.30 www.google.co.kr 
207.44.220.30 www.google.com.mx 
207.44.220.30 www.google.nl 
207.44.220.30 www.google.co.nz 
207.44.220.30 www.google.pl 
207.44.220.30 www.google.pt 
207.44.220.30 www.google.com.ru 
207.44.220.30 www.google.com.sg 
207.44.220.30 www.google.co.th 
207.44.220.30 www.google.com.tr 
207.44.220.30 www.google.com.tw 
207.44.220.30 go.google.com 
207.44.220.30 google.at 
207.44.220.30 google.be 
207.44.220.30 google.de 
207.44.220.30 google.dk 
207.44.220.30 google.fi 
207.44.220.30 google.fr 
207.44.220.30 google.com.hk 
207.44.220.30 google.ie 
207.44.220.30 google.co.il 
207.44.220.30 google.it 
207.44.220.30 google.co.kr 
207.44.220.30 google.com.mx 
207.44.220.30 google.nl 
207.44.220.30 google.co.nz 
207.44.220.30 google.pl 
207.44.220.30 google.com.ru 
207.44.220.30 google.com.sg 
207.44.220.30 www.hotbot.com 
207.44.220.30 hotbot.com

The 207.44.220.30 address resolves to a dns name of ns1.sitething.net, but when I do a look up ns1.sitething.net, it tells me that name is available for registration

[Sid]

Clear your host file again then from command line do
"ipconfig /flushdns" command

[Indy]

Originally posted by Sid
Clear your host file again then from command line do
"ipconfig /flushdns" command

I'm clean as far as that goes, just trying to find out what caused this to begin with...

[Faust]

Originally posted by Tony B
Still have the old hosts file (just backed it up as opposed to deleting it)...here is what it looks like:

Code:

88.88.88.88 elite 
207.44.220.30 www.google.akadns.net 
207.44.220.30 www.google.com 
207.44.220.30 google.com 
207.44.220.30 www.altavista.com 
207.44.220.30 altavista.com 
207.44.220.30 search.yahoo.com 
207.44.220.30 uk.search.yahoo.com 
207.44.220.30 ca.search.yahoo.com 
207.44.220.30 jp.search.yahoo.com 
207.44.220.30 au.search.yahoo.com 
207.44.220.30 de.search.yahoo.com 
207.44.220.30 search.yahoo.co.jp 
207.44.220.30 www.lycos.de 
207.44.220.30 www.lycos.ca 
207.44.220.30 www.lycos.jp 
207.44.220.30 www.lycos.co.jp 
207.44.220.30 alltheweb.com 
207.44.220.30 web.ask.com 
207.44.220.30 ask.com 
207.44.220.30 www.ask.com 
207.44.220.30 www.teoma.com 
207.44.220.30 search.aol.com 
207.44.220.30 www.looksmart.com 
207.44.220.30 auto.search.msn.com 
207.44.220.30 search.msn.com 
207.44.220.30 ca.search.msn.com 
207.44.220.30 fr.ca.search.msn.com 
207.44.220.30 search.fr.msn.be 
207.44.220.30 search.fr.msn.ch 
207.44.220.30 search.latam.yupimsn.com 
207.44.220.30 search.msn.at 
207.44.220.30 search.msn.be 
207.44.220.30 search.msn.ch 
207.44.220.30 search.msn.co.in 
207.44.220.30 search.msn.co.jp 
207.44.220.30 search.msn.co.kr 
207.44.220.30 search.msn.com.br 
207.44.220.30 search.msn.com.hk 
207.44.220.30 search.msn.com.my 
207.44.220.30 search.msn.com.sg 
207.44.220.30 search.msn.com.tw 
207.44.220.30 search.msn.co.za 
207.44.220.30 search.msn.de 
207.44.220.30 search.msn.dk 
207.44.220.30 search.msn.es 
207.44.220.30 search.msn.fi 
207.44.220.30 search.msn.fr 
207.44.220.30 search.msn.it 
207.44.220.30 search.msn.nl 
207.44.220.30 search.msn.no 
207.44.220.30 search.msn.se 
207.44.220.30 search.ninemsn.com.au 
207.44.220.30 search.t1msn.com.mx 
207.44.220.30 search.xtramsn.co.nz 
207.44.220.30 search.yupimsn.com 
207.44.220.30 uk.search.msn.com 
207.44.220.30 search.lycos.com 
207.44.220.30 www.lycos.com 
207.44.220.30 www.google.ca 
207.44.220.30 google.ca 
207.44.220.30 www.google.uk 
207.44.220.30 www.google.co.uk 
207.44.220.30 www.google.com.au 
207.44.220.30 www.google.co.jp 
207.44.220.30 www.google.jp 
207.44.220.30 www.google.at 
207.44.220.30 www.google.be 
207.44.220.30 www.google.ch 
207.44.220.30 www.google.de 
207.44.220.30 www.google.se 
207.44.220.30 www.google.dk 
207.44.220.30 www.google.fi 
207.44.220.30 www.google.fr 
207.44.220.30 www.google.com.gr 
207.44.220.30 www.google.com.hk 
207.44.220.30 www.google.ie 
207.44.220.30 www.google.co.il 
207.44.220.30 www.google.it 
207.44.220.30 www.google.co.kr 
207.44.220.30 www.google.com.mx 
207.44.220.30 www.google.nl 
207.44.220.30 www.google.co.nz 
207.44.220.30 www.google.pl 
207.44.220.30 www.google.pt 
207.44.220.30 www.google.com.ru 
207.44.220.30 www.google.com.sg 
207.44.220.30 www.google.co.th 
207.44.220.30 www.google.com.tr 
207.44.220.30 www.google.com.tw 
207.44.220.30 go.google.com 
207.44.220.30 google.at 
207.44.220.30 google.be 
207.44.220.30 google.de 
207.44.220.30 google.dk 
207.44.220.30 google.fi 
207.44.220.30 google.fr 
207.44.220.30 google.com.hk 
207.44.220.30 google.ie 
207.44.220.30 google.co.il 
207.44.220.30 google.it 
207.44.220.30 google.co.kr 
207.44.220.30 google.com.mx 
207.44.220.30 google.nl 
207.44.220.30 google.co.nz 
207.44.220.30 google.pl 
207.44.220.30 google.com.ru 
207.44.220.30 google.com.sg 
207.44.220.30 www.hotbot.com 
207.44.220.30 hotbot.com

The 207.44.220.30 address resolves to a dns name of ns1.sitething.net, but when I do a look up ns1.sitething.net, it tells me that name is available for registration

yep, there we go... that exactly what i was talking about (in the other thread)......... all major search engines being redirected. after some thought it occurred to me that the reason it redirects search engines is because they are the most commonly accesed type of website. why would this be useful? (besides pop-up ads or search tracking by using their search service)...... the main benefit i can see is, even without a webpage at the IP/domain name, logs at the host computer could record the IP addresses from everyone who was redirected to the site. why would they want a perpetually updating list of IPs with a computer and user attached to them? lots of reasons, i suppose.


and as far as where it came from? i don;t know..... all it takes is one click of the word "yes" on a Windows "would you like to ......" (which most people do indescriminantly) pop-up and you're boned.

[Indy]

Originally posted by Faust
and as far as where it came from? i don;t know..... all it takes is one click of the word "yes" on a Windows "would you like to ......" (which most people do indescriminantly) pop-up and you're boned.

Now that I think about it, my wife did tell me that a pop up came up that said my computer had a virus...but it was one of those fake types of pop ups that people use to try and get you to click onto their site...I told her never to close the window by clicking on the 'ok' button in the popup, but to close it by the 'x' on the upper right hand side of the popup...I have a feeling she may have clicked on the popup...