On 2014-04-11 12:56, C. Brouerius van Nidek wrote:
On Friday, April 11, 2014 10:53:17 AM Joachim Schrod wrote:
On 04/11/14 07:14, C. Brouerius van Nidek wrote:
On Thursday, April 10, 2014 10:22:44 PM Joachim Schrod wrote:
On 04/10/14 18:24, C. Brouerius van Nidek wrote:
Where do I find the changed suspicious DNS? Anybody within reach with a basic understanding of Windows? The last Windows I worked with was the version 3.1.1.
Do you have a router that gives out IP addresses for your home network? [...]
Then the problematic DNS entry is handed out by your router. As Marcus and Andreas wrote, quite some routers (especially AVM Fritz-Boxes) recently had a serious vulnerability that is actively exploited.
The "suspect" /etc/resolv.conf had:

    nameserver 68.168.98.196
    nameserver 8.8.8.8

So, the suspect DNS server is "68.168.98.196" - but this DNS server works, although on one of my tries it timed out after giving a partial answer (try "time host -v google.com 68.168.98.196"). Whois gives this info about it:

    OrgName:    Codero
    OrgId:      APHIN
    Address:    5750 W. 95th St., Suite 300
    City:       Overland Park
    StateProv:  KS
    PostalCode: 66207
    Country:    US
    RegDate:    2009-07-21
    Updated:    2014-03-05
    Ref:        http://whois.arin.net/rest/org/APHIN

Normally, routers get a DNS server from your internet provider, and the router gives that data to your local computers asking for it via DHCP.
Next step is: Use http://www.router-backdoor.de/?lang=en to check if your router has the currently exploited vulnerability.
Port 32764 backdoor is not provided. That one intrusion possibility crossed off the list.
So, nothing is wrong, in the sense of virus or malware, but simply that your ISP is telling you to use a DNS that is probably overloaded. At least, it responds slowly.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
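
The resolv.conf check discussed in this thread, as an added example that is not part of the original messages: it lists nameservers that are neither local addresses (typically the router) nor resolvers you already expect, so each remaining entry can be checked with whois or against what the ISP hands out. The function names, the sample file and the 192.168.1.1 router address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report nameservers that are neither local addresses (usually
# the router) nor resolvers you already expect. "Unexpected" means "verify it
# against what your ISP/router should hand out", not "malicious".

# is_local_addr ADDR: true for loopback, RFC 1918 and link-local addresses
is_local_addr() {
    case "$1" in
        127.*|10.*|192.168.*|169.254.*|::1|fe80:*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# unexpected_nameservers FILE [EXPECTED_IP...]: one unexpected address per line
unexpected_nameservers() {
    file=$1
    shift
    expected=" $* "
    # resolv.conf syntax: "nameserver <address>"; other lines are ignored
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$file" |
    while read -r ns; do
        is_local_addr "$ns" && continue
        case "$expected" in *" $ns "*) continue ;; esac
        printf '%s\n' "$ns"
    done
}

# demo: constructed sample with the two entries quoted in the thread plus a
# hypothetical router address; 8.8.8.8 is treated as an expected resolver
demo() {
    tmp=$(mktemp)
    printf 'nameserver %s\n' 68.168.98.196 8.8.8.8 192.168.1.1 > "$tmp"
    unexpected_nameservers "$tmp" 8.8.8.8
    rm -f "$tmp"
}

# Usage: sh check_dns.sh /etc/resolv.conf 8.8.8.8   (no arguments runs the demo)
if [ "$#" -gt 0 ]; then unexpected_nameservers "$@"; else demo; fi
```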