[SOLVED] Poisoned DNS redirect for entire network?

post #1 of 8
Thread Starter 
Solution:

So, it turned out to be the router, a WRT160N: default original firmware revision (as per the admin screen), and default user/pass. Despite no DNS settings appearing to be changed, wiping the NVRAM and installing DD-WRT solved everything. In theory, simply reinstalling the firmware woulda/coulda solved this issue, but I like DD-WRT. Regardless, whatever malicious software we had/have modified the router's firmware... scary.
The original problem:

So, where to start...

SOMEONE on the home network has some sort of a virus. It's setting up a DNS for the ENTIRE network that redirects everyone's traffic; roughly 5-50% of the links you click are redirected to some crap ad. Good links, Google results, my local city's news, my college's online administration site (sign up for/pay for/manage classes), well, pretty much everything.

Now at first I thought a virus had infected every computer. But my work laptop is affected, and it's running Ubuntu. GF's dad's/brother's computers are always on, and her mother's computer is off (reinstalling 7 on it right now; she got a fake AV). This machine I'm on right now just got a fresh install of 7, and Chrome. That's how long it's been on.

So her dad's/brother's computers have had MBAM, ComboFix, and SUPERAntiSpyware run on both. Tomorrow morning I'm going to turn both off and see if I'm still affected, and figure it out. But honestly, even then I'll have to reformat, and nevertheless, how is it affecting everyone, including my router?

Also, the router is a default Linksys N something or other. They neglected to put the rev # on the serial # sticker, so no DD-WRT for me. Also, no DNS change is possible in the Linksys firmware other than OpenDNS and TZO.com, both of which are disabled.

Thoughts? (I guess this is more of a rant.)

-Green
Edited by Greensystemsgo - 1/23/11 at 1:10am
post #2 of 8
Hrm... that seems like a tough one...

I'd say try replacing the router with another one, after cleaning all the PCs that are generally connected to it. If that doesn't work/fix it, I dunno what else you can do.
post #3 of 8
Thread Starter 
Quote:
Originally Posted by GanjaSMK View Post
Hrm... that seems like a tough one...

I'd say try replacing the router with another one, after cleaning all the PCs that are generally connected to it. If that doesn't work/fix it, I dunno what else you can do.
Yeah, I suppose that would be a viable step toward eliminating this thing. Pretty sure I have it limited to one computer besides my own. Haven't yet checked its DNS/hosts file, but doubt it'll show anything, as it affects the entire network. Ugh. So embarrassing, as this is mainly what I do (virus removal and such); never even thought my router could be compromised, but seeing as it is a popular make, I suppose.
post #4 of 8
Just reset the router? Flush DNS cache on all computers via command line.
post #5 of 8
Thread Starter 
Quote:
Originally Posted by IntelLover View Post
Just reset the router? Flush DNS cache on all computers via command line.
But how could/would one computer's bad DNS affect the entire network? I can see a virus affecting every Windows machine, but I mean the Ubuntu machine is Linux. Don't quite think the kids behind viruses have that easily compromised Linux...

Also, pretty sure a DNS flush only clears the bad DNS entries before they expire (roughly 24 hrs?), and this has been a ~Christmas-time issue.

2/3 computers currently on have fine "hosts" files.

On a side note, I betcha her mom got redirected to some fake AV, so she clicked, and bam, Win7 is ANGRY and screwed up.
post #6 of 8
Try these too:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

============================

Go to Start > Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
Restart computer and check for redirections.

NOTE. You may need to re-check your router security settings, as described HERE
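The two questions raised in posts #5 and #6 (how one bad DNS setting reaches every machine, and why a cache flush alone does not fix it) both come down to the resolver addresses the router hands out over DHCP. The script below is an added example, not code from this thread: it pulls the resolver list out of `ipconfig /all` output (Windows) or `/etc/resolv.conf` (the Ubuntu laptop), flags any resolver that is neither the router itself nor on an allowlist, and compares per-domain answers from the configured resolver against a known-good one, which is the signal a hijacked resolver leaves. All sample data (the 192.168.1.0/24 LAN, the 198.51.100.x and 203.0.113.9 addresses, the domains and the answer sets) is constructed for the demonstration; the page names none of these values.

```python
"""Client-side check for a network-wide DNS hijack: which resolvers did DHCP
hand us, and do they answer the same as a known-good resolver? Pure functions
over constructed sample data, so it runs offline; swap in real captures to
use it. Added example, not from the forum thread."""
import ipaddress
import re

# Constructed sample: `ipconfig /all` on a Windows 7 client whose router has
# been altered to hand out rogue resolvers via DHCP. Note the DNS Servers
# continuation line, which carries no label of its own.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.23
                                       198.51.100.24
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample: /etc/resolv.conf on the Ubuntu laptop on the same LAN.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 198.51.100.23
nameserver 198.51.100.24
"""

# Constructed sample: A records returned by the configured (hijacked) resolver
# versus a known-good resolver. 203.0.113.9 stands in for the ad server that
# a fraction of lookups land on, as in the OP's 5-50% redirect rate.
ANSWERS_CONFIGURED = {
    "www.example.com": ["203.0.113.9"],
    "news.example.org": ["203.0.113.9"],
    "portal.example.edu": ["192.0.2.80"],
}
ANSWERS_REFERENCE = {
    "www.example.com": ["192.0.2.10"],
    "news.example.org": ["192.0.2.20"],
    "portal.example.edu": ["192.0.2.80"],
}


def dns_servers_from_ipconfig(text):
    """Resolver addresses under 'DNS Servers' in `ipconfig /all` output.
    Continuation lines are unlabelled, so keep collecting bare indented
    addresses until the next labelled line appears."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if collecting:
            m2 = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
            if m2:
                servers.append(m2.group(1))
            else:
                collecting = False
    return servers


def dns_servers_from_resolv_conf(text):
    """Resolver addresses from resolv.conf 'nameserver' lines."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")]


def unexpected_resolvers(servers, lan_cidr, allowed):
    """Resolvers that are neither on the LAN (i.e. the router forwarding for
    us) nor in an explicit allowlist. A home client pointed at a public
    address nobody configured is the first sign of a router/DHCP-level hijack,
    and no amount of `ipconfig /flushdns` changes it."""
    net = ipaddress.ip_network(lan_cidr)
    bad = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)
            continue
        if addr not in net and s not in allowed:
            bad.append(s)
    return bad


def mismatched_answers(configured, reference):
    """Domains whose A records from the configured resolver differ from the
    known-good resolver's. Compared per domain because a hijacked resolver
    typically poisons only some lookups."""
    return sorted(d for d in reference
                  if set(configured.get(d, ())) != set(reference[d]))


def report(lan_cidr="192.168.1.0/24", allowed=frozenset()):
    """Run both checks over the constructed samples and return the findings."""
    win = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)
    nix = dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "windows_resolvers": win,
        "ubuntu_resolvers": nix,
        "unexpected": unexpected_resolvers(win, lan_cidr, allowed),
        "poisoned_domains": mismatched_answers(ANSWERS_CONFIGURED, ANSWERS_REFERENCE),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Because both the Windows box and the Ubuntu laptop report the same off-LAN resolvers, the finding points at whatever hands out DHCP leases (the router), not at any one host, which is exactly the conclusion the thread reached. Replace the constructed samples with a real `ipconfig /all` capture and with answers gathered through the configured resolver and a resolver you trust to run the check for real.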
post #7 of 8
Thread Starter 
Solved. See original post.

And heed this as a warning to others.
post #8 of 8
I'm glad to hear you're all sorted out eh?!