CastleCops, Internet Crime Fighters

Not DNS poisoning?
Author: VictorMeldrew (Cadet; joined Mar 07, 2007; posts: 1; location: Thailand)
Posted: Wed Mar 07, 2007 5:02 pm. Post subject: Not DNS poisoning?

Apologies if this is in the wrong place, too small text etc, I've just signed up.

I'm using a 56K dial-up account with an ISP in Thailand. Last night I tried to connect to www.antiwar.com via a 'Bookmark', there was a pause and then a 'page unavailable' screen came up, and 203.146.129.137:10000 (port 10000!) was in the address bar. I found a website to convert 'www.antiwar.com' into numerals, pasted that in the address bar and the site loaded fine. Then out of curiosity I pasted the above address, 203.146.129.137, into the address bar without the port suffix and a Ragnarok game page in Thai loaded. All the other links I used in my favourites list seemed normal; however, I went to a RIPE query page, www.ripe.net/whois, clicked the link at the bottom of the page for ARIN, that loaded normally, and then when I clicked the APNIC link there was a pause and a 'page unavailable' screen appeared, with the same address but port 9000, 203.146.129.137:9000.

The strange thing is, a couple of days ago I reconfigured my connection to point at the OpenDNS servers, www.opendns.com, and used a trick they explain on their website to verify that I was in fact using them. It seemed highly unlikely, if not impossible, that they'd been hacked by Thai gamers. Just for comparison I disconnected, changed my DNS settings back to automatic allocation, reconnected and got exactly the same results with the same bookmark and page link from my ISP's DNS servers, but the port eventually changed to 6009. Even though I'd been using the latest version of Opera with javascript turned off I got paranoid, updated all the anti-malware stuff on my computer, disconnected and checked with Ad-aware, Spybot, AntiVir, AVG Anti-Spyware and Blacklight, with absolutely nothing flagged up by any of them. Is it safe to assume that this was some kind of server pollution or infection, and if so does it sound familiar to anyone, (and is there any way to protect myself from it in future)? According to Idserve my ISP is running Apache.

Many thanks for any ideas people might have; sorry if it takes me a while to post any further comments due to the time difference etc.
Author: Dragan_Glas (Team CC Chief Host, Chess Board Host; joined May 27, 2004; posts: 2938; Premium, RootKit Detection Hosts, Rootkit Responders, SRT, Team CC Committee)
Posted: Sun Mar 11, 2007 6:55 pm

Greetings,

VictorMeldrew, welcome to CastleCops!

It appears that the IP address range, 203.146.129.0-255, has been reassigned - see the report below:

Quote:
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.146.129.0 - 203.146.129.255
netname: advdatanet-th
country: TH
descr: reassign to "ADVANCED DATANETWORK"
admin-c: LIA1-AP
tech-c: LIA1-AP
status: ASSIGNED NON-PORTABLE
changed: domaster@csloxinfo.com 20050421
mnt-by: LOXINFO-IS
source: APNIC

role: Loxinfo IP Admins
address: 304 Suapah Rd, Pomprab
address: Pomprab Suttruphai,Bangkok
country: TH
phone: +662 6225678
fax-no: +662 6228380
e-mail: domaster@loxinfo.co.th
admin-c: DL85-AP
tech-c: DL85-AP
nic-hdl: LIA1-AP
mnt-by: LOXINFO-IS
changed: ip_admin@csloxinfo.net 20060703
source: APNIC


If you wish to ensure that the site you wanted (www.antiwar.com) loads correctly, I suggest that you add the correct IP address to your hosts file - this will prevent it from being redirected by malware, unless the site changes its IP address(!):

72.3.135.33 www.antiwar.com

Kindest regards,

Dragan Glas

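The thread turns on two questions the original poster can answer himself: what each resolver (the ISP's, OpenDNS, the zone's own name server) actually returns for www.antiwar.com, and whether the URL the browser finally lands on is on the requested host at all. If the resolvers disagree, the problem is in DNS; if they agree on the address quoted above and the session still ends on a bare IP with a non-standard port, whatever is rewriting the traffic sits between the client and the web server rather than in name resolution. The script below is an added example written for this page (editor's code, not from either poster or from CastleCops). It builds and parses raw DNS A-record queries with only the standard library so a specific resolver can be asked directly, then compares the answers and classifies the landing URL. The resolver addresses in the demo (192.0.2.x, from the TEST-NET range) are placeholders, the sample DNS reply is constructed, and 72.3.135.33 is the address quoted in the reply above; the hosts-file pin that reply recommends is only as good as that address staying current, which the comparison function makes easy to re-check.

```python
"""Triage helper for "the address bar shows a different IP:port than I asked for".

Added example for this thread, not code from the original posts.  Everything
except resolve_via() is a pure function over data you collect yourself, so the
checks run offline; resolve_via() does the real UDP/53 query when you want it.
"""
import socket
import struct
from ipaddress import ip_address
from urllib.parse import urlsplit

# The address quoted in the reply above, used here as the "expected" answer.
PINNED = {"www.antiwar.com": "72.3.135.33"}


def build_a_query(name, txid=0x1234):
    """Minimal DNS query: header with RD set, one question for A/IN of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = buf[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def parse_a_records(resp, txid=0x1234):
    """Extract the A-record addresses from a raw DNS response as a set of str."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(str(ip_address(resp[off:off + 4])))
        off += rdlen
    return addrs


def resolve_via(resolver_ip, name, timeout=3.0):
    """Ask one specific resolver for `name` over UDP/53 (network call)."""
    query = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_records(resp)


def resolver_disagreement(answers, expected):
    """answers: {resolver_label: set of IP strings}. Labels missing `expected`."""
    return sorted(label for label, ips in answers.items() if expected not in ips)


def classify_landing(requested_url, landed_url):
    """Is the final URL on the host you asked for, or somewhere else entirely?"""
    req, got = urlsplit(requested_url), urlsplit(landed_url)
    if got.hostname == req.hostname:
        return "same-host"
    try:
        ip_address(got.hostname)
        bare_ip = True
    except ValueError:
        bare_ip = False
    port = got.port or (443 if got.scheme == "https" else 80)
    if bare_ip and port not in (80, 443):
        return "off-host-ip-nonstandard-port"
    return "off-host"


# Constructed DNS reply: question for www.antiwar.com, one A record (via a
# compression pointer back to the question name) pointing at 72.3.135.33.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07antiwar\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([72, 3, 135, 33])
)

if __name__ == "__main__":
    print("parsed sample reply:", parse_a_records(SAMPLE_RESPONSE))
    # Placeholder resolver labels and answers; replace the sets with
    # resolve_via("192.0.2.53", "www.antiwar.com") etc. to use live data.
    answers = {"isp": {"203.146.129.137"}, "opendns": {"72.3.135.33"}}
    print("resolvers not returning the pinned address:",
          resolver_disagreement(answers, PINNED["www.antiwar.com"]))
    print(classify_landing("http://www.antiwar.com/",
                           "http://203.146.129.137:10000/"))
```

When every resolver returns the pinned address but classify_landing() still reports an off-host bare IP on an odd port, DNS is not the layer being tampered with and the next place to look is the HTTP path (proxy settings, the ISP's transparent proxy, or software on the machine intercepting the browser).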