Thread: Google @ RS?

  1. #1
    Join Date
    Sep 2002
    Location
    Washington DC
    Posts
    2,514

    Google @ RS?

    Tracing route to google.com [207.44.220.30]
    over a maximum of 30 hops:

    1 7 ms 7 ms 6 ms 10.17.144.1
    2 7 ms 7 ms 7 ms vl7.aggr1.lnh.md.rcn.net [207.172.11.131]
    3 8 ms 7 ms 7 ms ge0-0.border1.lnh.md.rcn.net [207.172.15.5]
    4 10 ms 9 ms 10 ms so-2-0-1.pr1.iad1.us.above.net [64.125.12.1]
    5 9 ms 10 ms 9 ms so-2-0-0.cr1.iad1.us.above.net [208.185.0.138]
    6 13 ms 10 ms 9 ms so-1-0-0.cr1.dca2.us.above.net [208.184.233.125]

    7 27 ms 20 ms 22 ms pos2-0.pr1.atl4.us.mfnx.net [208.184.232.50]
    8 20 ms 20 ms 21 ms so-0-0-0.cr1.atl2.us.mfnx.net [208.185.0.217]
    9 40 ms 34 ms 33 ms so-3-0-0.mpr1.iah1.us.above.net [64.125.31.25]
    10 60 ms 59 ms 59 ms 216.200.251.61.ev1.net [216.200.251.61]
    11 * * * Request timed out.

    Google is down for me (at least from where I am, google does have many many servers AFAIK). But why is it trying to trace through ev1/rs?

  2. #2
    Join Date
    Oct 2001
    Location
    San Mateo, CA
    Posts
    224
    Google is not at rackshack. they are at abovenet and some other data centres.

  3. #3
    Join Date
    Jul 2002
    Posts
    1,443
    ..
    Synergy Blue LLC
    SonataWeb.net | SynergyBlue.com
    USA should do something about: http://www.brillig.com/debt_clock/

  4. #4
    Join Date
    Sep 2002
    Location
    Washington DC
    Posts
    2,514
    Originally posted by takiman
    Google is not at rackshack. they are at abovenet and some other data centres.
    I know that. They have hundreds of servers around the world AFAIK. But why is it resolving to an IP in EV1's netblock?

  5. #5
    Join Date
    Mar 2002
    Location
    Grand Canyon State
    Posts
    591
    There was some strange routing for Google today based on what dns server you were using. My assistant today could not connect to Google on his pc, but anywhere else was fine. I use a different server and I was fine.

  6. #6
    Join Date
    Oct 2001
    Location
    San Mateo, CA
    Posts
    224
    that is weird. my nslookups resolve to
    Name: google.com
    Addresses: 216.239.53.99, 216.239.37.99

  7. #7
    Join Date
    Sep 2002
    Location
    Washington DC
    Posts
    2,514
    Originally posted by kingpcgeek
    There was some strange routing for Google today based on what dns server you were using. My assistant today could not connect to Google on his pc, but anywhere else was fine. I use a different server and I was fine.
    Maybe they just fubared their DNS in some places to point to an incorrect IP (EV1's)?

  8. #8
    Join Date
    Oct 2002
    Location
    Erin, TN
    Posts
    156
    There's a trojan, virus, whatever going around that modifies windows systems to direct you to another site when you try to bring up Google. It modifies the registry to point the hosts file to a non-standard place, and changes your default dns servers. Give me a bit and I'll find a site with more information on it.

  9. #9
    Join Date
    Oct 2002
    Location
    Erin, TN
    Posts
    156
    Here we go: http://vil.nai.com/vil/content/v_100719.htm. Note that the URL says you may be directed to IP 207.44.220.30, though it's also been reported to direct people to 207.44.194.56. When I did a traceroute on the second IP, I got:

    traceroute to 207.44.194.56 (207.44.194.56), 30 hops max, 38 byte packets
    1 12.153.203.129 (12.153.203.129) 30.044 ms 31.374 ms 32.829 ms
    2 10.100.9.137 (10.100.9.137) 41.648 ms 41.423 ms 42.552 ms
    3 192.168.110.21 (192.168.110.21) 44.406 ms 40.466 ms 42.450 ms
    4 12.119.233.209 (12.119.233.209) 46.468 ms 48.687 ms 47.510 ms
    5 gbr1-p58.hs1tx.ip.att.net (12.123.212.6) 53.028 ms 54.210 ms gbr2-p58.hs1tx.ip.att.net (12.123.212.2) 53.128 ms
    6 tbr2-p013701.hs1tx.ip.att.net (12.122.12.149) 52.161 ms tbr2-p0****1.hs1tx.ip.att.net (12.122.12.145) 52.693 ms 53.948 ms
    7 tbr1-cl1.dlstx.ip.att.net (12.122.10.129) 55.771 ms 58.944 ms 56.254 ms
    8 ggr1-p360.dlstx.ip.att.net (12.123.16.241) 55.662 ms 57.786 ms 56.713 ms
    9 IPP-dllstx9lce1-pos5-0.wcg.net (64.200.232.201) 58.172 ms 58.064 ms 57.184 ms
    10 dllstx1wcx2-oc48.wcg.net (64.200.110.81) 64.339 ms 60.341 ms 62.535 ms
    11 hstntx1wce2-pos4-0.wcg.net (64.200.240.74) 60.528 ms 60.230 ms 61.530 ms
    12 hstntx1wce2-everyonesinternet-gige.wcg.net (65.77.93.54) 62.356 ms 69.491 ms 60.448 ms
    13 39.ev1.net (207.218.245.39) 61.947 ms 60.000 ms 62.202 ms
    14 207.44.194.56 (207.44.194.56) 61.866 ms 63.826 ms 62.460 ms

  10. #10
    Join Date
    Sep 2001
    Location
    Seattle, WA
    Posts
    3,085
    You have a trojan! I had this two days ago (a few hours before NAI even posted an alert about it -- ick).

    That NAI site has some good removal instructions. Most AV software does not detect this yet.

    It's not your fault you have it either -- it was originally being distributed via an ad through FortuneCity and various content partners they run ads on.

    Do not just delete the hosts file -- you should actually modify the registry setting like they recommend, or various network things will not function (i.e., having this actually will break Perl's LWP module because gethostbyname will no longer function -- a funky side effect that was driving me crazy before I knew it was a trojan!)
    Jim Reardon - jim/amusive.com

  11. #11
    Join Date
    Sep 2002
    Location
    Washington DC
    Posts
    2,514
    Originally posted by amusive.com
    You have a trojan! I had this two days ago (a few hours before NAI even posted an alert about it -- ick).
    Oh wow. My first virus.

  12. #12
    Join Date
    May 2003
    Location
    Philadelphia
    Posts
    970
    heh there was a post i made in the security forum before any AV vendor had their alerts out. Even though my theory about this particular attack may have been incorrect, the theory holds true. If this attack method becomes more popular it is going to get really nasty.
    http://www.eBoundary.com - Let us help you expand your eBoundaries!
    Fast, Secure and reliable FreeBSD shared, reseller and dedicated hosting.
    FREE Peace of mind with every account!

  13. #13
    Join Date
    Sep 2002
    Location
    Washington DC
    Posts
    2,514
    Is it possible to be like... "half infected"? I have some of the things listed done to my computer... but not all.

  14. #14
    Join Date
    May 2003
    Location
    Philadelphia
    Posts
    970
    It's always possible the code did not fully execute on your system for one reason or another

  15. #15
    Join Date
    Sep 2001
    Location
    Seattle, WA
    Posts
    3,085
    Some things also weren't on my system either (one of the registry keys it says that it creates, for example).
    Jim Reardon - jim/amusive.com

  16. #16
    Join Date
    Feb 2002
    Posts
    771
    Download this http://www.tomcoyote.org/hjt/ and run it. After you run the program you will see that all (or most) of your search engines resolve to the same IP address. You need to click all the "01" files and remove them. It is also a good idea to remove this from the registry host file (but make a backup of it first in case you screw up).

    It is very simple to fix.


    Robert
    Light travels faster than sound, which is why some people appear bright until you hear them speak.
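
The symptom described in posts #8, #9 and #16 (search-engine names all resolving to one address through a tampered hosts file) can be checked with a short script. This is an added example, not code from any poster or from the NAI write-up; the watch-list of brand labels and the sample hosts content are constructed assumptions, and the two flagged addresses are the ones quoted in the thread.

```python
import ipaddress
from collections import defaultdict

# Redirect targets reported in this thread (posts #1 and #9).
REPORTED_IPS = {"207.44.220.30", "207.44.194.56"}
# Assumption: brand labels to watch; extend for your environment.
WATCHED_LABELS = {"google", "yahoo", "altavista", "msn", "lycos"}

# Constructed sample hosts file, not captured from an infected machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
207.44.220.30   www.google.com google.com
207.44.220.30   search.yahoo.com   # trailing comment
207.44.220.30   WWW.ALTAVISTA.COM.
192.0.2.10      intranet.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; skip comments, blanks and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return [(ip, brands, reasons)] for addresses search engines are pinned to."""
    brands_by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        brands_by_ip[ip].update(WATCHED_LABELS.intersection(name.split(".")))
    findings = []
    for ip, brands in sorted(brands_by_ip.items()):
        if not brands:
            continue
        reasons = ["search engine pinned in hosts file"]
        if len(brands) > 1:
            reasons.append("unrelated search engines share one address")
        if ip in REPORTED_IPS:
            reasons.append("address reported in this thread")
        findings.append((ip, sorted(brands), reasons))
    return findings

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Run it against the hosts file the system is actually using, since post #8 notes the trojan can repoint Windows to a hosts file in a non-standard location.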

  17. #17
    interesting
