odd DNS failure in w2000? Kazaa/spyware? Yes -- fixed it.

steve at horne.homelinux.net steve at horne.homelinux.net
Sun Mar 16 10:41:41 EST 2003


OK --  my dns problem is fixed.  

I blindly followed the instructions here 

http://www.mobilmultimedia.com/writeups/Spyware.htm
making guesses for slight w2000 differences

and the problem is gone -- dns works, browsing works,
telnet within lan works.

I must conclude that kazaa or a relative was involved.
A possible scenario is

Kazaa installed (Jan sometime)
Installation discovered by me in Feb; appropriate
    admonishments meted out to the miscreants.
Adaware installed, ran, cleaned up, everything looks ok,
  but maybe something got left behind.
Few days ago cable modem failed, attbi gives me another,
changes IP address.  (I use dyndns.com so no sweat there.)
I ran Adaware again shortly after & it found a couple more things,
which I deleted, but I don't remember if the Problem existed at this point.
  It certainly existed after I ran Adaware, so I expect Adaware deleted something
that the corrupted system needed.

Following the instructions above (deleting certain registry entries,
using "add/remove software" to remove all microsoft networking,
deleting/reinstalling the network protocols) fixed the problem.
I had the w2000 install cd handy (I keep it in the box
next to the dried chicken foot left over from linux  version .01)
but didn't need it.

All in all, an interesting lesson in W2000 system administration.

Thanks for all the help -- 
				Steve





On Sun, Mar 16, 2003 at 01:56:48PM -0500, Derek Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sun, Mar 16, 2003 at 09:28:30AM -0500, steve at horne.homelinux.net wrote:
> > I'm convinced at this point that the IP stack
> > has been hijacked somehow, probably by
> > kazaa or something similar. (See end note).
> 
> That's certainly a possibility.
> 
> > My plan now is to make a copy
> > of the registry (for postmortem analysis) then reformat/reinstall.
> 
> May not be a bad idea...
> 
> > > Clearly, you're not able to contact the DNS server for some reason.
> > > My first guess was your gateway was not set up properly, but you say
> > > you can ping outside hosts by number.  Can you traceroute to 4.2.2.1?
> > 
> > Yes, from the linux computers. But it's a little weird!
> 
> But what about from the machine with the problem?
> 
> > But, traceroute to 4.2.2.1 ends
> > ...
> > 14  vlan40.cartnj1-dc1-dfa1-rc1.bbnplanet.net (128.11.201.67)  24.621 ms  24.684 ms  20.288 ms
> > 15  cartnj1-snsc1.gtei.net (128.11.184.8)  22.600 ms *  40.262 ms
> 
> Yeah I get the same result.  It may be (and probably is) a multi-homed
> machine, and your route to it goes through the other interface.
> Probably not a big deal.
> 
> > search ne1.client2.attbi.com client2.attbi.com attbi.com
> > nameserver 204.127.202.19
> > nameserver 216.148.227.79
> > 
> > Now I can ping these from all machines on the LAN -- but I can't
> > do traceroute to them.  Neither can the MIT machine.
> > (Traceroute spews * * *).
> 
> Most likely somewhere along the line something is filtering certain
> types of ICMP.  Not unusual, but highly annoying.
> 
> > > Make sure you're not blocking port 53, both UDP /AND/ TCP.  If memory
> > > serves, the W2k DNS resolver uses TCP a lot more often than it is
> > > supposed to.  Many people forget to open the TCP port, and only open
> > > the UDP port.  This could kill you dead.
> > 
> > Presumably this would disturb at least one of {w95,xp,linux} ?
> > All work fine.  Is there an explicit way to
> > demonstrate that a port is open?  Firewall rules say it is.
> 
> You could telnet to it...  However the DNS port will not provide any
> sort of response.  The only way you can tell is (if) your telnet
> client reports that it is connected.  On a linux box, your telnet
> should do this.
> 
>   $ telnet host 53
>   Trying 172.16.1.1...
>   Connected to host.
>   Escape character is '^]'.
>   <after a few seconds of no input from you>
>   Connection closed by foreign host.
> 
> If you get something like this, the port is open.  If iptables says it
> is, then I'm sure it is...
> 
> > http://www.mobilmultimedia.com/writeups/Spyware.htm
> 
> I've heard of this sort of thing before...  Don't know if it's
> related.  You'd probably know if you might be susceptible to having
> some spyware installed...
> 
> - -- 
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0xDFBEAD02
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> 
> iD8DBQE+dMjwHEnASN++rQIRAjZtAKCiSowZ2bGdHqzcH9jxxBV7NhVx4wCfeYZL
> jVcdEEiuSHwB4CZF8WA7PuQ=
> =NhWA
> -----END PGP SIGNATURE-----
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
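The telnet-to-port-53 check above only proves that a TCP handshake completes; it cannot tell you whether the resolver actually answers, and it says nothing about UDP, which is what most lookups use. The script below is an added example, not code from the thread or from either poster: it builds a real A-record query, sends it over both UDP and TCP (with the 2-byte length prefix DNS uses on TCP), and parses the answer, so a failure on one transport but not the other points straight at a filtered port rather than at the stack. The stub server, the name `www.example.com` and the address `192.0.2.1` are constructed for an offline demonstration; point `query_udp`/`query_tcp` at a real resolver to use it for diagnosis.

```python
import socket
import struct
import threading

# Constructed sample values for the offline demo (not from the original thread).
DEMO_NAME = "www.example.com"
DEMO_ANSWER = "192.0.2.1"      # RFC 5737 documentation address
QID = 0x1234                   # fixed transaction id so replies can be matched


def build_query(name, qid=QID):
    """Minimal RFC 1035 A/IN query: 12-byte header (RD set, 1 question) + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + ln


def parse_a_records(data, expect_qid=None):
    """Return the IPv4 strings of all A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expect_qid is not None and qid != expect_qid:
        raise ValueError("transaction id mismatch (stray or spoofed reply?)")
    if flags & 0x000F:             # RCODE != 0, e.g. NXDOMAIN or SERVFAIL
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full DNS message")
        buf += chunk
    return buf


def query_udp(server, port, name, timeout=3.0):
    """One UDP lookup; a timeout here with TCP working means UDP/53 is filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, QID)


def query_tcp(server, port, name, timeout=3.0):
    """One TCP lookup; DNS over TCP prefixes each message with its 2-byte length."""
    q = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (ln,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, ln)
    return parse_a_records(data, QID)


def _make_answer(query):
    """Constructed stub reply: echo the question, answer with one A record (DEMO_ANSWER)."""
    question = query[12:_skip_name(query, 12) + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(DEMO_ANSWER)
    return header + question + rr


def start_stub_server():
    """Throwaway UDP+TCP resolver on 127.0.0.1 (ephemeral port) so the checks run offline."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    port = udp.getsockname()[1]
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", port))
    tcp.listen(5)

    def udp_loop():
        while True:
            q, peer = udp.recvfrom(512)
            udp.sendto(_make_answer(q), peer)

    def tcp_loop():
        while True:
            conn, _ = tcp.accept()
            with conn:
                (ln,) = struct.unpack("!H", _recv_exact(conn, 2))
                ans = _make_answer(_recv_exact(conn, ln))
                conn.sendall(struct.pack("!H", len(ans)) + ans)

    for fn in (udp_loop, tcp_loop):
        threading.Thread(target=fn, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_stub_server()
    print("UDP:", query_udp("127.0.0.1", p, DEMO_NAME))
    print("TCP:", query_tcp("127.0.0.1", p, DEMO_NAME))
```

Run both transports against the same server: a hang on `query_udp` while `query_tcp` succeeds (or the reverse) is the symptom Derek describes of a firewall that opened only one of the two port-53 rules. The transaction-id check in `parse_a_records` is there because a resolver test that accepts any reply would also accept a stray or spoofed one.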
