Google @ RS?

alapo · #1 10-02-2003, 11:23 PM

Tracing route to google.com [207.44.220.30]
over a maximum of 30 hops:

1 7 ms 7 ms 6 ms 10.17.144.1
2 7 ms 7 ms 7 ms vl7.aggr1.lnh.md.rcn.net [207.172.11.131]
3 8 ms 7 ms 7 ms ge0-0.border1.lnh.md.rcn.net [207.172.15.5]
4 10 ms 9 ms 10 ms so-2-0-1.pr1.iad1.us.above.net [64.125.12.1]
5 9 ms 10 ms 9 ms so-2-0-0.cr1.iad1.us.above.net [208.185.0.138]
6 13 ms 10 ms 9 ms so-1-0-0.cr1.dca2.us.above.net [208.184.233.125]

7 27 ms 20 ms 22 ms pos2-0.pr1.atl4.us.mfnx.net [208.184.232.50]
8 20 ms 20 ms 21 ms so-0-0-0.cr1.atl2.us.mfnx.net [208.185.0.217]
9 40 ms 34 ms 33 ms so-3-0-0.mpr1.iah1.us.above.net [64.125.31.25]
10 60 ms 59 ms 59 ms 216.200.251.61.ev1.net [216.200.251.61]
11 * * * Request timed out.

Google is down for me (atleast from where I am, google does have many many servers AFAIK). But why is it trying to trace through ev1/rs?

takiman · #2 10-02-2003, 11:26 PM

Google is not at rackshack. they are at abovenet and some other data centres.

VapoRub · #3 10-02-2003, 11:27 PM

..

alapo · #4 10-02-2003, 11:30 PM

Quote:

Originally posted by takiman
Google is not at rackshack. they are at abovenet and some other data centres.

I know that. They have hundreds of servers around the world AFAIK. But why is it resolving to an IP in EV1's netblock?

kingpcgeek · #5 10-02-2003, 11:31 PM

There was some strange routing for Google today based on what dns server you were using. My assistant today could not connect to Google on his pc, but anywhere else was fine. I use a different server and I was fine.

takiman · #6 10-02-2003, 11:32 PM

that is weird. my nslookups resolve to
Name: google.com
Addresses: 216.239.53.99, 216.239.37.99

alapo · #7 10-02-2003, 11:32 PM

Quote:

Originally posted by kingpcgeek
There was some strange routing for Google today based on what dns server you were using. My assistant today could not connect to Google on his pc, but anywhere else was fine. I use a different server and I was fine.

Maybe they just fubared their DNS in some places to point to an incorrect IP (EV1's)?

LinuxRigs · #8 10-03-2003, 02:41 AM

There's a trojan, virus, whatever going around that modifies windows systems to direct you to another site when you try to bring up Google. It modifies the registry to point the hosts file to a non-standard place, and changes your default dns servers. Give me a bit and I'll find a site with more information on it.

LinuxRigs · #9 10-03-2003, 02:50 AM

Here we go: http://vil.nai.com/vil/content/v_100719.htm. Note that the URL says you may be directed to IP 207.44.220.30, though it's also been reported to direct people to 207.44.194.56. When I did a traceroute on the second IP, I got:

traceroute to 207.44.194.56 (207.44.194.56), 30 hops max, 38 byte packets
1 12.153.203.129 (12.153.203.129) 30.044 ms 31.374 ms 32.829 ms
2 10.100.9.137 (10.100.9.137) 41.648 ms 41.423 ms 42.552 ms
3 192.168.110.21 (192.168.110.21) 44.406 ms 40.466 ms 42.450 ms
4 12.119.233.209 (12.119.233.209) 46.468 ms 48.687 ms 47.510 ms
5 gbr1-p58.hs1tx.ip.att.net (12.123.212.6) 53.028 ms 54.210 ms gbr2-p58.hs1tx.ip.att.net (12.123.212.2) 53.128 ms
6 tbr2-p013701.hs1tx.ip.att.net (12.122.12.149) 52.161 ms tbr2-p013401.hs1tx.ip.att.net (12.122.12.145) 52.693 ms 53.948 ms
7 tbr1-cl1.dlstx.ip.att.net (12.122.10.129) 55.771 ms 58.944 ms 56.254 ms
8 ggr1-p360.dlstx.ip.att.net (12.123.16.241) 55.662 ms 57.786 ms 56.713 ms
9 IPP-dllstx9lce1-pos5-0.wcg.net (64.200.232.201) 58.172 ms 58.064 ms 57.184 ms
10 dllstx1wcx2-oc48.wcg.net (64.200.110.81) 64.339 ms 60.341 ms 62.535 ms
11 hstntx1wce2-pos4-0.wcg.net (64.200.240.74) 60.528 ms 60.230 ms 61.530 ms
12 hstntx1wce2-everyonesinternet-gige.wcg.net (65.77.93.54) 62.356 ms 69.491 ms 60.448 ms
13 39.ev1.net (207.218.245.39) 61.947 ms 60.000 ms 62.202 ms
14 207.44.194.56 (207.44.194.56) 61.866 ms 63.826 ms 62.460 ms

amusive.com · #10 10-03-2003, 05:11 AM

You have a trojan! I had this two days ago (a few hours before NAI even posted an alert about it -- ick).

That NAI site has some good removal instructions. Most AV software does not detect this yet.

It's not your fault you have it either -- it was originally being distributed via an ad through FortuneCity and various content partners they run ads on.

Do not just delete the hosts file -- you should actually modify the registry setting like they recommend, or various network things will not function (ie: having this actually will break Perl's LWP module because gethostbyname will no longer function -- a funky side affect that was driving me crazy before I knew it was a trojan!)

alapo · #11 10-03-2003, 03:03 PM

Quote:

Originally posted by amusive.com
You have a trojan! I had this two days ago (a few hours before NAI even posted an alert about it -- ick).

Oh wow. My first virus

.

eBoundary · #12 10-03-2003, 03:14 PM

heh there was a post i made in the security forum before any AV vendor had their alerts out. Even though my theory about this particular attack may have been incorrect, the theory holds true. If this attack method becomes more popular it is going to get really nasty.