
Thread: Unknown DNS address

  1. #1
    ntechie Guest

    Unknown DNS address

    Some time ago I was infected with Trojans, and although quite a lot of cleaning up has been done, the following irritants still remain.

    (a) Along with my own DNS address, an unknown DNS address 85.255.113.123:85.255.112.72 still appears in the HijackThis log even after repeated deletions, and

    (b) In a few cases my browser gets redirected to porn sites.

    2. I am not particularly disturbed by (b) because on most sites I can operate satisfactorily and the windows do not create any nuisance.

    3. My present query relates to the unknown DNS address. I am interested in finding out what this unknown DNS address does. Is it listening in, or what?

    4. What really happened when the infection took place was that the Zone Alarm gave out an alert message that ipconfig.exe wants to access the internet. Foolishly, I not only clicked "yes" but also placed a check mark in the check box.

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,284

    Re: Unknown DNS address

    The results on that server are not comforting... It's from Ukraine... What was the name of the trojan? By the name you could find more info on what this trojan does.
    --------------------------------------------------------------
    % This is the RIPE Whois query server #1.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Information related to '85.255.112.0 - 85.255.127.255'

    inetnum: 85.255.112.0 - 85.255.127.255
    netname: inhoster
    descr: Inhoster hosting company
    descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
    remarks: -----------------------------------
    remarks: Abuse notifications to: abuse@inhoster.com
    remarks: Network problems to: noc@inhoster.com
    remarks: Peering requests to: peering@inhoster.com
    remarks: -----------------------------------
    country: UA
    org: ORG-EST1-RIPE
    admin-c: AK4026-RIPE
    tech-c: AK4026-RIPE
    tech-c: FWHS1-RIPE
    notify: gorulko@bas-net.by
    notify: support@ydav.com
    status: ASSIGNED PI
    mnt-by: RIPE-NCC-HM-PI-MNT
    mnt-lower: RIPE-NCC-HM-PI-MNT
    mnt-by: RECIT-MNT
    mnt-routes: RECIT-MNT
    mnt-domains: RECIT-MNT
    mnt-by: DAV-MNT
    mnt-routes: DAV-MNT
    mnt-domains: DAV-MNT
    changed: gorulko@bas-net.by 20050916
    changed: hostmaster@ripe.net 20051026
    source: RIPE

    organisation: ORG-EST1-RIPE
    org-name: INHOSTER
    org-type: OTHER
    remarks: *************************************
    remarks: * Abuse contacts: abuse@inhoster.com *
    remarks: *************************************
    address: OOO Inhoster
    address: Poltavskij Shliax 24, Xarkov,
    address: 61000, Ukraine
    phone: +38 066 4633621
    e-mail: support@inhoster.com
    admin-c: AK4026-RIPE
    tech-c: AK4026-RIPE
    ref-nfy: support@ydav.com
    ref-nfy: support@inhoster.com
    mnt-ref: DAV-MNT
    notify: support@ydav.com
    notify: support@inhoster.com
    mnt-by: DAV-MNT
    changed: support@ydav.com 20050725
    changed: ripe-dbm@ripe.net 20070102
    source: RIPE

    person: Andrei Kislizin
    address: OOO Inhoster,
    address: ul.Antonova 5, Kiev,
    address: 03186, Ukraine
    phone: +38 044 2404332
    nic-hdl: AK4026-RIPE
    notify: support@inhoster.com
    notify: support@ydav.com
    changed: support@ydav.com 20050725
    source: RIPE

    person: Fast Web Hosting Support
    address: 01110, Ukraine, Kiev, 20, Solomenskaya street. room 201.
    address: UA
    phone: +35 79 91 17 759
    e-mail: support@fwebhost.net
    nic-hdl: FWHS1-RIPE
    changed: support@fwebhost.net 20060813
    source: RIPE
    -----------------------------------------------------------------------

    Are you on the latest version of ZASS 7 (7.0.337.000)? If not, please update your ZASS... update AV/AS signatures and:
    1. Disable system restore;
    2. Reboot in SAFE MODE
    3. Run a full ZA AV/AS scan
    4. Reboot in Normal Mode
    5. Enable back System restore
    (How to start in SAFE MODE: http://www.microsoft.com/resources/d..._failsafe.mspx)
    If the above fails you may want to try the Ewido online scan at: http://www.ewido.net/en/onlinescan/
    and also download, update and scan with SUPERAntiSpyware FREE: http://www.superantispyware.com/download.html
    If ALL the above fails please post your HijackThis log here: http://www.castlecops.com/f67-Hijack...ans_Oh_My.html
    Please read the mandatory steps before posting: http://www.castlecops.com/t102301-Hi...e_Posting.html

    Fax

    Message Edited by fax on 04-20-2007 04:05 AM


  3. #3
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Unknown DNS address

    Download the LSP Fix and see if there is a trojan in the stack. The results will show what there is, and Google will help confirm if there is a bad one in there or just the usual injections.

    http://www.majorgeeks.com/LSP-Fix_d4180.html

    Then run the XP TCP/IP Repair. Do both buttons and immediately reboot. This will reset the TCP and remove the errant DNS entries.

    http://www.majorgeeks.com/XP_TCPIP_Repair_d4521.html

    This will not remove the trojan, but it will clean the OS up a little.

    The ZA may detect a new network found; be sure to enter the correct DNS and DHCP servers into the Zones as Trusted....

    1. Go to Run, type in command, hit OK, and type ipconfig /all then press Enter. In the returned data list will be a line for the DNS and DHCP Servers with the IP address(es) listed out to the side.
    2. In ZA on your machine, on the Firewall>Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted.
    3. Click OK and then Apply for each one.
    4. The localhost or loopback must be listed as Trusted. It has the address 127.0.0.1.
    5. The Generic Host Process or svchost.exe listed in the Program list must have both Trusted and Internet access, and it must have server rights for the Trusted Zone, but not the Internet Zone.

    http://zonelabs.donhoover.net/dnsdhcp.html

    http://www.microsoft.com/resources/d....mspx?mfr=true

    If this is a desktop behind a router, which never leaves the home router, then it would be advisable to enter the DNS and gateway into the properties of the Internet Protocol (TCP/IP).

    Open the network connections and open the Properties of the connection.

    Select Internet Protocol (TCP/IP) and open the Properties.

    In the General tab, enter the IP of the PC (with the subnet) and the Default Gateway address. Enter the DNS server as given by the provider.

    Select the Advanced button and check the IP Settings and DNS tabs to make sure they are correct.

    Reboot.

    Since "obtain IP automatically" is now disabled, and the IP assigned by the router is now locked in place and the DNS server(s) are now locked as well, open the Services and stop and disable both the DNS Client and the DHCP Client services. And reboot.

    Now the DNS address and IP is locked in place by Windows plus the ZA has the correct settings.

    Also open the Zones and block the two errant IPs and any IP associated with them.

    Oldsod

    Message Edited by Oldsod on 04-20-2007 07:48 AM
    Best regards.
    oldsod
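A scripted form of the check in step 1 above, added here as an example (it is not from the thread, from Oldsod, or from ZoneAlarm): it parses `ipconfig /all` output, handles the wrapped continuation lines XP uses when several DNS servers are listed, and flags any resolver that falls inside the netblock from the whois record quoted in post #2 (85.255.112.0 - 85.255.127.255, i.e. 85.255.112.0/20) or that is not one of the resolvers you expect from your ISP or router. The sample `ipconfig` output is constructed, not taken from the poster's machine.

```python
import ipaddress
import re

# The RIPE whois quoted earlier covers 85.255.112.0 - 85.255.127.255 (= /20).
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(" + IPV4 + r")?\s*$")
CONT_LINE = re.compile(r"^\s+(" + IPV4 + r")\s*$")  # wrapped extra resolvers
ADAPTER_LINE = re.compile(r"^\S.*:\s*$")            # "Ethernet adapter X:"

def parse_dns_servers(ipconfig_text):
    """Map adapter name -> list of resolver IPs from `ipconfig /all` output."""
    servers, adapter, collecting = {}, "", False
    for line in ipconfig_text.splitlines():
        if ADAPTER_LINE.match(line):                 # new adapter section
            adapter, collecting = line.strip().rstrip(":"), False
        elif (m := DNS_LINE.match(line)):            # label line holds first IP
            servers[adapter] = [m.group(1)] if m.group(1) else []
            collecting = True
        elif collecting and (m := CONT_LINE.match(line)):
            servers[adapter].append(m.group(1))
        else:
            collecting = False                       # any other line ends the list
    return servers

def flag_resolvers(servers, expected):
    """(adapter, ip, reason) for resolvers in the hijacker block or not expected."""
    expected_set = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for adapter, ips in servers.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in ROGUE_NETS):
                findings.append((adapter, ip, "inside hijacker block 85.255.112.0/20"))
            elif addr not in expected_set:
                findings.append((adapter, ip, "not an expected resolver"))
    return findings

# Constructed sample of XP `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection:
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.113.123
                                            85.255.112.72
                                            192.168.1.1
        Lease Obtained. . . . . . . . . . : Friday, April 20, 2007
"""
```

Run `flag_resolvers(parse_dns_servers(SAMPLE), ["192.168.1.1"])` to see the two rogue entries reported; on a real machine, feed it the saved output of `ipconfig /all` and your ISP's or router's resolver list.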

  4. #4
    ntechie Guest

    Re: Unknown DNS address

    I am mainly interested in finding out what this unknown DNS address can do.

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Unknown DNS address

    The potential for a lot of damage is there.

    It basically is that the PC will go out and the false DNS will attempt to use false sites in place of your usual banking, shopping and payment sites, sign-ins, forums, homepages, etc. They will basically use this false DNS for your IP lookups and always try to present you with false IPs. Even an update page could be mimicked, and they could trick you into installing bad ActiveX or downloading/installing malware.

    The small possibility of the PC being a "bot" in a botnet is also present.

    There is a very strong possibility that all internet traffic that has occurred since this event has been recorded and logged by their servers; this would mean all passwords, logins, bank account numbers, account numbers, etc. are in their possession. All internet activities: browsing and emails and anything else you have been doing.

    It really depends on how ambitious the crooks are and what their plan is all about.

    The false sites will appear as the genuine sites, but the server certificates will not match, and the secure http may not appear (but that can be spoofed by pros as well), and the actual site address may not be exactly the same as it normally would appear in the address bar. These are the maximum risks that this presents.

    The minimum to be concerned about is just being constantly redirected to some ad/malware/porno/gambling/toolbar install/paying sponsor's site counter type of sites and getting that junk pushed onto the desktop. And possibly being harassed by countless spam and phishing emails and bad attachments.

    The very least is that the malware was installed and used the bad server for a DNS lookup and changed your OS settings at the same time. It is now able to continue to do what it wants and whenever it wants, if left unchecked.

    Either way, there is a crooked dollar being made, and all of it is made at your expense.

    They have your IP on their list and will attempt to check up on you from time to time, and your IP is being passed around to various sites.

    Block the entire range in the ZA. If you have a router that can block IPs by range, then do that also.

    Contact your provider and ask to get your assigned IP changed. There are ways to change the IP by yourself, but that does not always work and still the best method is changing by the provider.

    Change all passwords, logins, account numbers, accounts, etc. as soon as possible. Contact your business and financial sites and change everything. Do not do this on your PC; use instead a safe and uninfected PC from an extremely trusted friend or family member. When using the family member's or friend's PC.... Clean all internet activity after finishing the changes, so no record is left on their PC. Beware of machines used by users who would seem like the type to have a keylogger installed on their PC for their own pleasure.

    Additional advice...

    Make sure the logging of the ZA is set to high and watch the email, http and https activity. Watch those ports for anything unusual.

    Close off the mIRC and IRC ports in the router (common venues for trojans).

    Make sure the NET and BIOS ports are closed off in the PC and closed in the router.

    Disable remote assistance, remote logins, printer and file sharing and Microsoft networking.

    Make sure the time server IPs are genuine and not spoofed either.

    With the little information that you have told us, this is the best I can do at this hour of the night.

    Oldsod

    Message Edited by Oldsod on 04-21-2007 12:50 AM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Anti-Spyware
    Software Version:6.1
    Best regards.
    oldsod
