Re: [opensuse-security] I think it's a virus. While nmbd running some web-sites are redirected or broken
14.06.12 15:00, Dave (Bigfoot) Ellingsberg wrote:
If your IPs are static, then put an entry in your hosts file for the short name of your other box. DNS will look to hosts first, then to a DNS server. If you have WINS, it's hosts, WINS, DNS, in that order.
Ok, let's discuss it another time. It's not the current problem. I don't want to write machine name / IP pairs manually. But ok, let's move on to the problem. Thanks.
Is it perhaps your other box that is answering this box's WINS queries? Try Wireshark or tcpdump to see if you're broadcasting WINS requests, and see who or what is answering those queries.
I started tcpdump >1.txt and started nmbd. I surfed a lot and I didn't meet the problem. I opened dozens of windows with no result. Only once did I see that fake site, and it was gone once the page reloaded. It seems it determined it was being checked. Fantastic? The 1.txt is 6.3M. Can I show it? I tried to examine it and found the suspicious lines:

15:22:29.465461 IP 208.91.196-252.confluence-networks.com.http > 192.168.1.2.53103: Flags [.], seq 15926:17366, ack 4244, win 8576, length 1440
15:22:29.465661 IP 208.91.196-252.confluence-networks.com.http > 192.168.1.2.53103: Flags [P.], seq 17366:17614, ack 4244, win 8576, length 248
15:22:29.465686 IP 192.168.1.2.53103 > 208.91.196-252.confluence-networks.com.http: Flags [.], ack 17614, win 57600, length 0
15:22:29.472782 IP 192.168.1.2.53103 > 208.91.196-252.confluence-networks.com.http: Flags [P.], seq 4244:4645, ack 17614, win 57600, length 401

I tried IP 208.91.196.252 and saw the web-site http://searchmagnified.com/

Before, I got a popup link when opening pravda.com.ua (I wrote it to marcus). Now the popup has changed... Before it was redirecting to youtube, not here:
http://searchmagnified.com/popunder?domain=pravda.com.ua&fp=pmvqGYevDXgwMXeN7NLjbfb9QDz%2FK9CwpgCyVKxzcvEFW7rod1VCAFtplD5Pmj2D7V1SLHzqCOoLPa9TsOcfbXwzpuq6yzWzZ7iKFY8tda%2BM2JMBORpgvpXxwuTjmn95HxhzgfQZsGI7zakSZzwtAD9hguxBTgR%2B9cKM2LK%2F3a%2FqQ5HKd33XZlUNGdyNagGc&_onx_=1

So it's tied somehow. Any suggestion?
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
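The two questions raised in the thread, "who is answering the NetBIOS/WINS broadcasts" and "which outside hosts is the browser actually talking to", can both be answered from a plain `tcpdump -n` text capture like the 6.3M file mentioned above. The script below is an added example written for this editing pass, not code from either participant. It parses the one-line-per-packet text format, counts hosts that answer name-service queries from UDP port 137, and totals the bytes received from public web peers. The sample lines are constructed: the NBNS lines follow the `NBT UDP PACKET(137): QUERY; ...` summary tcpdump prints for port 137 (an assumption about the exact wording), and the HTTP lines are the ones quoted in the post with the hostname replaced by the numeric address that `-n` would print.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of "tcpdump -n" text output (not a real capture): two
# NetBIOS name-service broadcasts, one of them answered by a LAN host, plus
# the four HTTP segments quoted in the post, numeric addresses as with -n.
SAMPLE = """\
15:22:28.100000 IP 192.168.1.2.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:22:28.100500 IP 192.168.1.7.137 > 192.168.1.2.137: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
15:22:28.300000 IP 192.168.1.2.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:22:29.465461 IP 208.91.196.252.80 > 192.168.1.2.53103: Flags [.], seq 15926:17366, ack 4244, win 8576, length 1440
15:22:29.465661 IP 208.91.196.252.80 > 192.168.1.2.53103: Flags [P.], seq 17366:17614, ack 4244, win 8576, length 248
15:22:29.465686 IP 192.168.1.2.53103 > 208.91.196.252.80: Flags [.], ack 17614, win 57600, length 0
15:22:29.472782 IP 192.168.1.2.53103 > 208.91.196.252.80: Flags [P.], seq 4244:4645, ack 17614, win 57600, length 401
"""

# "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: rest" -- the greedy [\d.]+
# backtracks so that the last dotted component becomes the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<info>.*)$"
)
LEN_RE = re.compile(r"length (\d+)")
NBNS_PORT = 137          # NetBIOS name service (what nmbd/WINS uses)
WEB_PORTS = {80, 443}


def parse_line(line):
    """Split one tcpdump -n line into fields; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def nbns_responders(lines):
    """Count, per source address, the NetBIOS name-service responses seen.

    A host that answers other machines' broadcast name queries is the one
    that can hand out a wrong address for a name, which is what the thread
    suggests looking for.
    """
    responders = Counter()
    for line in lines:
        p = parse_line(line)
        if p and p["sport"] == NBNS_PORT and "RESPONSE" in p["info"]:
            responders[p["src"]] += 1
    return responders


def external_web_peers(lines):
    """Total TCP payload bytes received from each public HTTP(S) peer.

    Every public peer the local host sent to is listed (with 0 if nothing
    came back), so an unexpected address stands out even with no reply.
    """
    peers = Counter()
    for line in lines:
        p = parse_line(line)
        if not p:
            continue
        if p["sport"] in WEB_PORTS and not ipaddress.ip_address(p["src"]).is_private:
            m = LEN_RE.search(p["info"])
            peers[p["src"]] += int(m.group(1)) if m else 0
        elif p["dport"] in WEB_PORTS and not ipaddress.ip_address(p["dst"]).is_private:
            peers[p["dst"]] += 0
    return peers


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("NBNS responders:", dict(nbns_responders(lines)))
    print("bytes from public web peers:", dict(external_web_peers(lines)))
```

To feed it a real file, capture with numeric output so the regex sees addresses rather than reverse-DNS names, e.g. `tcpdump -n -i eth0 'udp port 137 or tcp port 80 or tcp port 443' > 1.txt` (interface name assumed), then pass `open("1.txt")` instead of `SAMPLE.splitlines()`. Any LAN address that shows up in `nbns_responders` other than the intended WINS server, and any public address in `external_web_peers` that is not a site you meant to visit (such as the 208.91.196.252 host from the post), is the thing to look at next.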