[opensuse] Did I catch a virus?
For some 12 hours I cannot connect to google. With the google download site for earth I get "404. That's an error. That's all we know." google.com shows me the message to update the outdated flashplayer. Did not know google com used a flashplayer.

Searches with google as search engine are stuck and do not show anything other than the turning cursor as if to show that it is busy. Changed my search engine to ixquick and can for now at least do websearches.

The choice to remind me later was easy. I chose not to install and got the question if I would save a setup.exe.

As web browser I use mainly Chromium. Have KDE updated with Tumbleweed and have not installed any software outside openSUSE sources. Ran rkhunter yesterday. No problems.

Where should I start looking for this problem?

-- 
Linux User 183145 using KDE4 and LXDE on a Pentium IV, powered by openSUSE 13.1 (i586)
Kernel: 3.14.0-23.gfa168d7-default
KDE Development Platform: 4.12.4
21:18pm up 5:01, 3 users, load average: 1.20, 1.12, 1.18
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, Apr 10, 2014 at 10:16:22PM +0700, C. Brouerius van Nidek wrote:
> For some 12 hours I cannot connect to google. With the google download site for earth I get "404. That's an error. That's all we know." google.com shows me the message to update the outdated flashplayer. Did not know google com used a flashplayer.
> Searches with google as search engine are stuck and do not show anything other than the turning cursor as if to show that it is busy. Changed my search engine to ixquick and can for now at least do websearches.
> The choice to remind me later was easy. I chose not to install and got the question if I would save a setup.exe.
> As web browser I use mainly Chromium. Have KDE updated with Tumbleweed and have not installed any software outside openSUSE sources. Ran rkhunter yesterday. No problems.
> Where should I start looking for this problem?
Check your nameserver in /etc/resolv.conf

If you are using a router that proxies the nameserver, check if that was reconfigured (some attackers reconfigure the DNS in the wireless router).

Try using the google nameserver 8.8.8.8 to see if that changes behaviour.

Ciao, Marcus
Hi,

> Where should I start looking for this problem?

maybe your router/cable box was compromised, and they added a different DNS service or added a proxy server? AVM Fritzbox routers have been in the news because of security issues recently. If that is the case, other devices (smartphones, etc) should show the same problem.

Same could be true for your client. Check your local /etc/resolv.conf for a suspicious DNS entry, or just try changing the IP to 8.8.8.8 (That's a dns server run by google, I'd only use it to test stuff). Also check if HTTP_PROXY is set (env | grep -i http), and if firefox or chromium have a proxy entry in their settings.

If your box was compromised, your best bet should be a reinstall. Make a backup beforehand, especially if you are interested in what went wrong.

This wasn't an exhaustive list of things to check, and I probably forgot a few things. But it's a start :)

Greetings,
Andreas
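The two local checks Andreas suggests (an unexpected entry in /etc/resolv.conf, and a proxy variable in the environment), written up as an added shell example that is not from the thread or from openSUSE. The allow-list of resolvers you expect is yours to supply; the demo at the bottom runs on a constructed resolv.conf holding the two addresses that later turn up in this thread, with the router address and Google's resolver (both also from the thread) as the allow-list.

```shell
#!/bin/sh
# Added example, not from the thread: audit resolv.conf against an allow-list
# of expected resolvers and report proxy variables set in the environment.

# audit_resolvers FILE ALLOWED...
# Prints one line per "nameserver" entry in FILE that is not in the ALLOWED
# list. Returns 0 when every resolver is allowed, 1 otherwise.
audit_resolvers() {
    file=$1
    shift
    rc=0
    # resolv.conf syntax: "nameserver <address>"; '#' and ';' start comments.
    for ns in $(sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$file"); do
        allowed=0
        for a in "$@"; do
            [ "$ns" = "$a" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf 'UNEXPECTED nameserver %s in %s\n' "$ns" "$file"
            rc=1
        fi
    done
    return $rc
}

# check_proxy_env
# Prints every proxy variable that is set (Chromium, curl and most tools
# honour these). Returns 0 when none is set, 1 when at least one is.
check_proxy_env() {
    found=0
    for v in http_proxy HTTP_PROXY https_proxy HTTPS_PROXY all_proxy ALL_PROXY; do
        eval "val=\${$v-}"
        if [ -n "$val" ]; then
            printf 'proxy variable set: %s=%s\n' "$v" "$val"
            found=1
        fi
    done
    return $found
}

# Demo on a constructed resolv.conf holding the two entries found in the thread.
demo=$(mktemp)
printf 'nameserver 68.168.98.196\nnameserver 8.8.8.8\n' > "$demo"
# Allow-list: the router's address and Google's resolver, both from the thread.
audit_resolvers "$demo" 192.168.1.254 8.8.8.8   # reports 68.168.98.196
rm -f "$demo"
check_proxy_env || echo "a proxy is configured in this environment"
# Real run:  audit_resolvers /etc/resolv.conf <the resolvers your ISP gave you>
```

The allow-list is the point: a resolver that "works" (as 68.168.98.196 did, slowly) is exactly the kind of change that a plain look at the file will not flag unless you know what the file is supposed to contain.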
On Thursday, April 10, 2014 05:29:00 PM Andreas Seeg wrote:
> Hi,
>> Where should I start looking for this problem?
> maybe your router/cable box was compromised, and they added a different DNS service or added a proxy server? AVM Fritzbox routers have been in the news because of security issues recently. If that is the case, other devices (smartphones, etc) should show the same problem.
> Same could be true for your client. Check your local /etc/resolv.conf for a suspicious DNS entry, or just try changing the IP to 8.8.8.8 (That's a dns server run by google, I'd only use it to test stuff). Also check if HTTP_PROXY is set (env | grep -i http), and if firefox or chromium have a proxy entry in their settings.
> If your box was compromised, your best bet should be a reinstall. Make a backup beforehand, especially if you are interested in what went wrong.
> This wasn't an exhaustive list of things to check, and I probably forgot a few things. But it's a start :)
> Greetings,
> Andreas
Thanks Andreas and Marcus.

Had a look at /etc/resolv.conf and found the following changes. In two other (reserve) setups from openSUSE (both 13.1 normal update) I found that after the line

### Please remove (at least) this line when you modify the file!

there were no additions. On the problem Tumbleweed setup I found

nameserver 68.168.98.196
nameserver 8.8.8.8

Removed the first name server and google worked as advertised.

At least I have now a working computer, but what could I do to prevent anything of the same and are there any other places where some nasties could hide? :)

Again, thanks for the fast first aid.

Constant
> Where should I start looking for this problem?

Small additional side question. My wife's Windows computer also got the problem. She is still on Windows but the change to Linux looms :).

She was at least instructed not to update any files so no virus for the time being.

Where do I find the changed suspicious DNS? Anybody within reach with a basic understanding of Windows? The last Windows I worked with was the version 3.1.1.
On 04/10/14 18:24, C. Brouerius van Nidek wrote:
> Where should I start looking for this problem?
> Small additional side question. My wife's Windows computer also got the problem. She is still on Windows but the change to Linux looms :).
> She was at least instructed not to update any files so no virus for the time being.
> Where do I find the changed suspicious DNS? Anybody within reach with a basic understanding of Windows? The last Windows I worked with was the version 3.1.1.
Do you have a router that gives out IP addresses for your home network? I.e., is your Linux system and your wife's Windows system configured to use DHCP? If your Linux system uses DHCP (check /etc/sysconfig/network/ifcfg-* if you don't use NetworkManager), there's a good bet that this is used by Windows, too.

Then the problematic DNS entry is handed out by your router. As Marcus and Andreas wrote, quite some routers (especially AVM Fritz-Boxes) recently had a serious vulnerability that is actively exploited.

Joachim

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod, Roedermark, Germany
Email: jschrod@acm.org
On Thursday, April 10, 2014 10:22:44 PM Joachim Schrod wrote:
> On 04/10/14 18:24, C. Brouerius van Nidek wrote:
>> Where should I start looking for this problem?
>> Small additional side question. My wife's Windows computer also got the problem. She is still on Windows but the change to Linux looms :).
>> She was at least instructed not to update any files so no virus for the time being.
>> Where do I find the changed suspicious DNS? Anybody within reach with a basic understanding of Windows? The last Windows I worked with was the version 3.1.1.
> Do you have a router that gives out IP addresses for your home network?
> I.e., is your Linux system and your wife's Windows system configured to use DHCP? If your Linux system uses DHCP (check /etc/sysconfig/network/ifcfg-* if you don't use NetworkManager), there's a good bet that this is used by Windows, too.
> Then the problematic DNS entry is handed out by your router. As Marcus and Andreas wrote, quite some routers (especially AVM Fritz-Boxes) recently had a serious vulnerability that is actively exploited.
Thank you Joachim for this information. I am using ifup because it worked from installation on. Never bothered to work with NetworkManager. Would that have spared me the actual problems?

With networking I am a total novice. I have at the moment three computers connected on one router, a TP-Link TD-8840T. I have never started to connect the three via the router so I assume that they all separately connect to the internet. I seem to need to work on this, for me new, chapter and would highly appreciate some hints at where to begin. My computer is 24/7 on the net, the other machines when they are in use. Could be the start of a new setup.

Constant
On 04/11/14 07:14, C. Brouerius van Nidek wrote:
> On Thursday, April 10, 2014 10:22:44 PM Joachim Schrod wrote:
>> On 04/10/14 18:24, C. Brouerius van Nidek wrote:
>>> Where should I start looking for this problem?
>>> Small additional side question. My wife's Windows computer also got the problem. She is still on Windows but the change to Linux looms :).
>>> She was at least instructed not to update any files so no virus for the time being.
>>> Where do I find the changed suspicious DNS? Anybody within reach with a basic understanding of Windows? The last Windows I worked with was the version 3.1.1.
>> Do you have a router that gives out IP addresses for your home network? [...]
>> Then the problematic DNS entry is handed out by your router. As Marcus and Andreas wrote, quite some routers (especially AVM Fritz-Boxes) recently had a serious vulnerability that is actively exploited.
> I am using ifup because it worked from installation on. Never bothered to work with NetworkManager. Would that have spared me the actual problems?
No, it would have made it more complicated.
> With networking I am a total novice. I have at the moment three computers connected on one router, a TP-Link TD-8840T. I have never started to connect the three via the router so I assume that they all separately connect to the internet.

Yes, via the router. The router hands out IP addresses and also tells your three computers the DNS server that caused the problem. (Since you are a total novice: DNS is the service that maps host names like www.google.com to IP addresses like 74.125.143.106.)

Next step is: Use http://www.router-backdoor.de/?lang=en to check if your router has the currently exploited vulnerability.

Joachim
On Friday, April 11, 2014 10:53:17 AM Joachim Schrod wrote:
> On 04/11/14 07:14, C. Brouerius van Nidek wrote:
>> On Thursday, April 10, 2014 10:22:44 PM Joachim Schrod wrote:
>>> On 04/10/14 18:24, C. Brouerius van Nidek wrote:
>>>> Where should I start looking for this problem?
>>>> Small additional side question. My wife's Windows computer also got the problem. She is still on Windows but the change to Linux looms :).
>>>> She was at least instructed not to update any files so no virus for the time being.
>>>> Where do I find the changed suspicious DNS? Anybody within reach with a basic understanding of Windows? The last Windows I worked with was the version 3.1.1.
>>> Do you have a router that gives out IP addresses for your home network? [...]
>>> Then the problematic DNS entry is handed out by your router. As Marcus and Andreas wrote, quite some routers (especially AVM Fritz-Boxes) recently had a serious vulnerability that is actively exploited.
>> I am using ifup because it worked from installation on. Never bothered to work with NetworkManager. Would that have spared me the actual problems?
> No, it would have made it more complicated.
>> With networking I am a total novice. I have at the moment three computers connected on one router, a TP-Link TD-8840T. I have never started to connect the three via the router so I assume that they all separately connect to the internet.
> Yes, via the router. The router hands out IP addresses and also tells your three computers the DNS server that caused the problem. (Since you are a total novice: DNS is the service that maps host names like www.google.com to IP addresses like 74.125.143.106.)
> Next step is: Use http://www.router-backdoor.de/?lang=en to check if your router has the currently exploited vulnerability.
Port 32764 backdoor is not provided. That one intrusion possibility crossed off the list.

Gruss, Constant
On 2014-04-11 12:56, C. Brouerius van Nidek wrote:
> On Friday, April 11, 2014 10:53:17 AM Joachim Schrod wrote:
>> On 04/11/14 07:14, C. Brouerius van Nidek wrote:
>>> On Thursday, April 10, 2014 10:22:44 PM Joachim Schrod wrote:
>>>> On 04/10/14 18:24, C. Brouerius van Nidek wrote:
>>>>> Where do I find the changed suspicious DNS? Anybody within reach with a basic understanding of Windows? The last Windows I worked with was the version 3.1.1.
>>>> Do you have a router that gives out IP addresses for your home network? [...]
>>>> Then the problematic DNS entry is handed out by your router. As Marcus and Andreas wrote, quite some routers (especially AVM Fritz-Boxes) recently had a serious vulnerability that is actively exploited.
The "suspect" /etc/resolv.conf had:

nameserver 68.168.98.196
nameserver 8.8.8.8

So, the suspect DNS server is "68.168.98.196" - but this DNS server works, although on one of my tries it timed out after giving a partial answer (try "time host -v google.com 68.168.98.196").

Whois gives this info about it:

OrgName:        Codero
OrgId:          APHIN
Address:        5750 W. 95th St., Suite 300
City:           Overland Park
StateProv:      KS
PostalCode:     66207
Country:        US
RegDate:        2009-07-21
Updated:        2014-03-05
Ref:            http://whois.arin.net/rest/org/APHIN

Normally, routers get a DNS server from your internet provider, and the router gives that data to your local computers asking for it via DHCP.
>> Next step is: Use http://www.router-backdoor.de/?lang=en to check if your router has the currently exploited vulnerability.
> Port 32764 backdoor is not provided. That one intrusion possibility crossed off the list.
So, nothing is wrong, in the sense of virus or malware, but simply that your ISP is telling you to use a DNS that is probably overloaded. At least, it responds slowly.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Friday, April 11, 2014 02:37:21 PM Carlos E. R. wrote:
> On 2014-04-11 12:56, C. Brouerius van Nidek wrote:
>> On Friday, April 11, 2014 10:53:17 AM Joachim Schrod wrote:
>>> On 04/11/14 07:14, C. Brouerius van Nidek wrote:
>>>> On Thursday, April 10, 2014 10:22:44 PM Joachim Schrod wrote:
>>>>> On 04/10/14 18:24, C. Brouerius van Nidek wrote:
>>>>>> Where do I find the changed suspicious DNS? Anybody within reach with a basic understanding of Windows? The last Windows I worked with was the version 3.1.1.
>>>>> Do you have a router that gives out IP addresses for your home network? [...]
>>>>> Then the problematic DNS entry is handed out by your router. As Marcus and Andreas wrote, quite some routers (especially AVM Fritz-Boxes) recently had a serious vulnerability that is actively exploited.
> The "suspect" /etc/resolv.conf had:
> nameserver 68.168.98.196
> nameserver 8.8.8.8
> So, the suspect DNS server is "68.168.98.196" - but this DNS server works, although on one of my tries it timed out after giving a partial answer (try "time host -v google.com 68.168.98.196").
> Whois gives this info about it:
> OrgName:        Codero
> OrgId:          APHIN
> Address:        5750 W. 95th St., Suite 300
> City:           Overland Park
> StateProv:      KS
> PostalCode:     66207
> Country:        US
> RegDate:        2009-07-21
> Updated:        2014-03-05
> Ref:            http://whois.arin.net/rest/org/APHIN
Forgot the existence of whois. Do not use it regularly :(
> Normally, routers get a DNS server from your internet provider, and the router gives that data to your local computers asking for it via DHCP.
>>> Next step is: Use http://www.router-backdoor.de/?lang=en to check if your router has the currently exploited vulnerability.
>> Port 32764 backdoor is not provided. That one intrusion possibility crossed off the list.
> So, nothing is wrong, in the sense of virus or malware, but simply that your ISP is telling you to use a DNS that is probably overloaded. At least, it responds slowly.
Thanks Carlos. Sounds good. But one small question remains. I get a DNS from my ISP. My ISP is in Indonesia so I would expect to get a DNS closer home. Or am I wrong there?

At least, since I removed that nameserver address I have a well working computer back.
On 2014-04-11 17:44, C. Brouerius van Nidek wrote:
> On Friday, April 11, 2014 02:37:21 PM Carlos E. R. wrote:
> Thanks Carlos. Sounds good. But one small question remains. I get a DNS from my ISP. My ISP is in Indonesia so I would expect to get a DNS closer home. Or am I wrong there?
Good question. So, let's check the geoip database.

http://ipinfodb.com/ip_locator.php says it is here:

IP address : 68.168.98.196
Country : US
State/Province : NEW HAMPSHIRE
City : NEWPORT
Zip or postal code : 03773
Latitude : 43.36535
Longitude : -72.17342
Timezone : -04:00
Local time : April 11 13:51:48
Hostname : 68-168-98-196.dedicated.codero.net

I don't know if it is accurate or not.
> At least, since I removed that nameserver address I have a well working computer back.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Hello,

On Fri, 11 Apr 2014, C. Brouerius van Nidek wrote:
>> So, the suspect DNS server is "68.168.98.196" - but this DNS server
It looks fishy though.
>> OrgName:        Codero
>> OrgId:          APHIN
>> Address:        5750 W. 95th St., Suite 300
>> City:           Overland Park
>> StateProv:      KS
>> PostalCode:     66207
>> Country:        US
>> RegDate:        2009-07-21
>> Updated:        2014-03-05
>> Ref:            http://whois.arin.net/rest/org/APHIN
> Forgot the existence of whois. Do not use it regularly :(
That seems to be a Hosting-Provider in the US, though its website seems unreachable (neither an IP for codero.net nor www.codero.net is found) at their DNS-Server. But codero.com is available.

$ traceroute 68.168.98.196
14  xe-1-0-0.mpr3.phx2.us.above.net (64.125.27.97)  160.416 ms  159.162 ms  159.997 ms
15  64.125.192.194.t00738-01.above.net (64.125.192.194)  159.161 ms  159.800 ms  162.699 ms
16  edge2_cr1.phx.codero.com (216.55.184.106)  161.887 ms  163.486 ms  164.611 ms
Unable to look up 69.64.66.26: Temporary failure in name resolution
17  69.64.66.26  165.099 ms  164.472 ms  166.402 ms
18  68-168-98-196.dedicated.codero.net (68.168.98.196

That means (looking at codero.com), that the fishy-"DNS" in question seems to be a dedicated server hosted at codero.com/.net.

> But one small question remains. I get a DNS from my ISP. My ISP is in Indonesia so I would expect to get a DNS closer home. Or am I wrong there?
Brouerius, your provider's DNS are these (assuming you use your provider's e-mail to mail here):

$ dig ns indo.net.id
[..]
;; ANSWER SECTION:
indo.net.id.            21149   IN      NS      ns2.indo.net.id.
indo.net.id.            21149   IN      NS      ns1.indo.net.id.
indo.net.id.            21149   IN      NS      ns1.cbn.net.id.
indo.net.id.            21149   IN      NS      ns2.cbn.net.id.
indo.net.id.            21149   IN      NS      ns1.id

$ for h in ns2.indo.net.id ns1.indo.net.id ns1.cbn.net.id ns2.cbn.net.id ns1.id ; do nslookup $h | grep -A1 Name ; done
Name:   ns2.indo.net.id
Address: 202.159.33.2
Name:   ns1.indo.net.id
Address: 202.159.32.2
Name:   ns1.cbn.net.id
Address: 202.158.20.1
Name:   ns2.cbn.net.id
Address: 202.158.40.1
Name:   ns1.id
Address: 202.155.30.227

Yes. It smells very fishy to me.

HTH,
-dnh

-- 
A dog thinks: They feed me, they care for me, they caress me. They must be gods.
A cat thinks: They feed me, they care for me, they caress me. I must be a god.
-- Konni Scheller
On 2014-04-11 20:01, David Haller wrote:
> Yes. It smells very fishy to me.

What if the DHCP server is not the router, but a compromised windows machine? Wild hunch.

Or some security practice, like parental control of some kind... often the DNS is changed.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Hello,

On Sat, 12 Apr 2014, Carlos E. R. wrote:
> On 2014-04-11 20:01, David Haller wrote:
>> Yes. It smells very fishy to me.
> What if the DHCP server is not the router, but a compromised windows machine?

I've had no reason to suspect that that's the case at Brouerius from what I'd read here over the last years (and could recall ;) Read it as "compromised DHCP server", be it the router or whatnot.

Anyway, that DNS-Server change, the more I think about it, the more it stinks. Actually, I think it's reinstall time and restore the data from scratch.

> Or some security practice, like parental control of some kind... often the DNS is changed.
But not to an obviously overtaxed dedicated server at some random hosting-provider in the US. Or, if so, that "parental control" stinks and likely is a trojan or something rather similar.

Come to think of it, that that pseudo-"DNS" is overtaxed might be due to a connection with attacks on XP Boxen fresh out of updates ... There were speculations bad guys held back exploits ...

BTW: I do not use DHCP *PERIOD*[1] on static hosts.

$ rpm -qa '*dhcp*'
$

Yes, I broke those packages that claimed they need dhcpcd. Fuck'em. I don't use those anyway. ifconfig / ip work just fine without. No adverse effects[2]. I actually use my own scripts instead of ifup/ifdown, with static IPs (from a subset the router does not use for dhcp), but the ifup/ifdown with static IPs should work just fine as well. Not sure about what systemd breaks there though. That %$*@! seems to follow the Pinky & the Brain Motto (see non random sig)...

-dnh

[1] which reminds me to check that at my mom's who's using a stationary PC. For Laptops, it's more difficult. Personally I'd probably use also custom scripts, calling dhcpcd "manually" and using static (i.e. non dhcp-provided) DNS-servers. And not those of google. Am I paranoid? Dunno. I think the question is if I'm paranoid enough??!?

[2] except that if I do a 'zypper dup' I have to re-break those deps which tends to get tedious if you break and taboo as much as I do:

$ zypper ll | wc -l
3755

-- 
Pinky: Gee, Brain, what do you want to do tonight?
Brain: The same thing we do every night, Pinky - try to take over the world!
-- sig courtesy of http://en.wikiquote.org/wiki/Pinky_and_the_Brain
On Friday, April 11, 2014 08:01:39 PM David Haller wrote:
> Hello,
> On Fri, 11 Apr 2014, C. Brouerius van Nidek wrote:
>>> So, the suspect DNS server is "68.168.98.196" - but this DNS server
> It looks fishy though.
>>> OrgName:        Codero
>>> OrgId:          APHIN
>>> Address:        5750 W. 95th St., Suite 300
>>> City:           Overland Park
>>> StateProv:      KS
>>> PostalCode:     66207
>>> Country:        US
>>> RegDate:        2009-07-21
>>> Updated:        2014-03-05
>>> Ref:            http://whois.arin.net/rest/org/APHIN
>> Forgot the existence of whois. Do not use it regularly :(
> That seems to be a Hosting-Provider in the US, though its website seems unreachable (neither an IP for codero.net nor www.codero.net is found) at their DNS-Server. But codero.com is available.
> $ traceroute 68.168.98.196
> 14  xe-1-0-0.mpr3.phx2.us.above.net (64.125.27.97)  160.416 ms  159.162 ms  159.997 ms
> 15  64.125.192.194.t00738-01.above.net (64.125.192.194)  159.161 ms  159.800 ms  162.699 ms
> 16  edge2_cr1.phx.codero.com (216.55.184.106)  161.887 ms  163.486 ms  164.611 ms
> Unable to look up 69.64.66.26: Temporary failure in name resolution
> 17  69.64.66.26  165.099 ms  164.472 ms  166.402 ms
> 18  68-168-98-196.dedicated.codero.net (68.168.98.196
> That means (looking at codero.com), that the fishy-"DNS" in question seems to be a dedicated server hosted at codero.com/.net.
>> But one small question remains. I get a DNS from my ISP. My ISP is in Indonesia so I would expect to get a DNS closer home. Or am I wrong there?
> Brouerius, your provider's DNS are these (assuming you use your provider's e-mail to mail here):
> $ dig ns indo.net.id
> [..]
> ;; ANSWER SECTION:
> indo.net.id.            21149   IN      NS      ns2.indo.net.id.
> indo.net.id.            21149   IN      NS      ns1.indo.net.id.
> indo.net.id.            21149   IN      NS      ns1.cbn.net.id.
> indo.net.id.            21149   IN      NS      ns2.cbn.net.id.
> indo.net.id.            21149   IN      NS      ns1.id
> $ for h in ns2.indo.net.id ns1.indo.net.id ns1.cbn.net.id ns2.cbn.net.id ns1.id ; do nslookup $h | grep -A1 Name ; done
> Name:   ns2.indo.net.id
> Address: 202.159.33.2
> Name:   ns1.indo.net.id
> Address: 202.159.32.2
> Name:   ns1.cbn.net.id
> Address: 202.158.20.1
> Name:   ns2.cbn.net.id
> Address: 202.158.40.1
> Name:   ns1.id
> Address: 202.155.30.227
The indo.net.id is my email address but I get my internet connection from telkom.net. My router was connected at 36.69.96.1 and after I reset the router it is now 180.252.96.1. The first one pointing to my geographical center in the province and the second pointing towards Jakarta, the capital. The first address showed up after a reset done by a worker from telkom.net, the second done by me yesterday. Do not understand what this worker did differently but do not care much. My home is some 60 km from Jakarta and some 90 km from Rankasbitung.

Parental control is not common at my age (74) rofl.
Hello Brouerius, On Sat, 12 Apr 2014, C. Brouerius van Nidek wrote:
> On Friday, April 11, 2014 08:01:39 PM David Haller wrote:
>> On Fri, 11 Apr 2014, C. Brouerius van Nidek wrote:
>>>> So, the suspect DNS server is "68.168.98.196" - but this DNS server
>> It looks fishy though. [..] That seems to be a Hosting-Provider in the US, though its website seems unreachable (neither an IP for codero.net nor www.codero.net is found) at their DNS-Server. But codero.com is available. [..]
>>> But one small question remains. I get a DNS from my ISP. My ISP is in Indonesia so I would expect to get a DNS closer home. Or am I wrong there?
>> Brouerius, your provider's DNS are these (assuming you use your provider's e-mail to mail here):
>> $ dig ns indo.net.id
>> [..]
> The indo.net.id is my email address but I get my internet connection from telkom.net.
$ dig ns telkom.net
[..]
telkom.net.             900     IN      NS      ns3.plasa.com.
telkom.net.             900     IN      NS      ns1.plasa.com.
telkom.net.             900     IN      NS      dns1.plasa.com.
telkom.net.             900     IN      NS      dns2.plasa.com.

$ for h in ns1.plasa.com ns2.plasa.com ns3.plasa.com \
    dns1.plasa.com dns2.plasa.com dns3.plasa.com ; do \
    nslookup $h | grep -A1 Name ; done
Name:   ns1.plasa.com
Address: 203.130.196.6
Name:   ns2.plasa.com
Address: 203.130.193.75
Name:   ns3.plasa.com
Address: 202.134.1.5
Name:   dns1.plasa.com
Address: 202.134.0.62
Name:   dns2.plasa.com
Address: 222.124.18.62

No sign of that rogue DNS at codero. So, again: that DNS hosted at codero is to be considered a rogue and (at least) compromised.

Use 2-3 of those _hardcoded_ in your /etc/resolv.conf. Use 1-2 reliable, free (non google) others as fallback. Use e.g. FS-Attributes (man chattr) along with chmod 444 or so. E.g.

chmod 444 /etc/resolv.conf
chattr +i /etc/resolv.conf

(no, I don't do that, but I don't do DHCP)
> My router was connected at 36.69.96.1 and after I reset the router it is now 180.252.96.1. The first one pointing to my geographical center in the province and the second pointing towards Jakarta, the capital.

You can look up with "whois" what IPv4 (v6? different query? AAAA?) ranges are allocated to whom.

> The first address showed up after a reset done by a worker from telkom.net, the second done by me yesterday. Do not understand what this worker did differently but do not care much. My home is some 60 km from Jakarta and some 90 km from Rankasbitung.

It's probably just a different IP from a pool of dynamic IPs from ranges which are a bit more fragmented than usual in the US or the EU. What matters is who that IP is allocated to. And both above IPs (36.69.96.1, 180.252.96.1) are allocated to PT. Telekomunikasi Indonesia so, that works out ok. Use "whois" (all output shortened):

$ whois 36.69.96.1
inetnum:        36.69.96.0 - 36.69.111.255
netname:        TLKM_BB_SERVICE_36_69_DIVRE1-2
descr:          PT TELKOM INDONESIA
admin-c:        AR165-AP

$ whois 180.252.96.1
inetnum:        180.252.64.0 - 180.252.127.255
netname:        TLKM_BB_SERVICE_180_252_DIVRE2
descr:          PT TELKOM INDONESIA
admin-c:        AR165-AP

Use those commands for more info ;)

As you can see, telkom.net.id seems to be using some rather fragmented IPv4 ("leftover") ranges. Nothing wrong with that! Not every telco got one or more contiguous /8.

What does make me wonder though: how did google get 8.8.8.8 etc. as they entered the game (of getting IPv4s) rather late? Hm, according to whois, it seems I'd have to read up on "Level 3 Comm.. Inc" that has apparently got 8.0.0.0/8 at some point. As I was saying. Early on, IPs were given out quite freely. A whole /8? Wow! Must have been in the earlyish 90ies ... or earlier when Level3 got that range.

> Parental control is not common at my age (74) rofl.

It is discussed here (DE/EU?) to make a filter obligatory! *GAH* I can not eat as much as I have to puke.

-dnh

-- 
RAID: One more disk fails than can be recovered by the redundancy. -- Andreas Dau
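The ownership check David describes ("What matters is who that IP is allocated to"), as an added shell example that is not from the thread: it pulls the nameserver addresses out of a resolv.conf, asks whois who each address is allocated to, and flags every resolver whose record does not name the organisation you expect (your ISP). The whois field parsing is my own, preferring descr: (APNIC/RIPE records), then OrgName: (ARIN records), then netname:. audit_resolver_owners needs network access and an installed whois client; whois_owner and owner_matches work on saved whois text, and the two sample records at the bottom are copied from the whois output quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: verify who the configured resolvers
# are allocated to, using whois. Assumes the "whois" client is installed.

# whois_owner: read whois output on stdin and print the organisation it
# names, preferring descr:, then OrgName:, then netname:. Prints nothing
# if none of those fields is present.
whois_owner() {
    awk -F':[ \t]*' '
        { key = tolower($1); val = $2; sub(/[ \t]+$/, "", val) }
        key == "descr"   && descr   == "" { descr   = val }
        key == "orgname" && orgname == "" { orgname = val }
        key == "netname" && netname == "" { netname = val }
        END {
            if (descr != "")        print descr
            else if (orgname != "") print orgname
            else if (netname != "") print netname
        }'
}

# owner_matches PATTERN: read whois output on stdin; succeed (0) if the
# owning organisation matches PATTERN (case-insensitive extended regex).
owner_matches() {
    whois_owner | grep -Eiq -- "$1"
}

# resolvers_in FILE: print the nameserver addresses listed in a resolv.conf.
resolvers_in() {
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# audit_resolver_owners FILE PATTERN: whois every resolver in FILE and report
# those not allocated to an organisation matching PATTERN. Needs network
# access. Returns 1 if any resolver fails the check.
audit_resolver_owners() {
    rc=0
    for ip in $(resolvers_in "$1"); do
        owner=$(whois "$ip" 2>/dev/null | whois_owner)
        if printf '%s\n' "$owner" | grep -Eiq -- "$2"; then
            printf 'ok       %-15s %s\n' "$ip" "$owner"
        else
            printf 'SUSPECT  %-15s %s\n' "$ip" "${owner:-<no owner field found>}"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration on whois text copied from this thread (shortened).
SAMPLE_TELKOM='inetnum:        36.69.96.0 - 36.69.111.255
netname:        TLKM_BB_SERVICE_36_69_DIVRE1-2
descr:          PT TELKOM INDONESIA
admin-c:        AR165-AP'
SAMPLE_CODERO='OrgName:        Codero
OrgId:          APHIN
Country:        US'
printf '%s\n' "$SAMPLE_TELKOM" | owner_matches 'telkom' && echo "telkom sample: ok"
printf '%s\n' "$SAMPLE_CODERO" | owner_matches 'telkom' || echo "codero sample: SUSPECT"
# Real run (needs network):  audit_resolver_owners /etc/resolv.conf 'telkom'
```

The pattern is deliberately a regex rather than an exact string because whois records for one provider come back with several spellings (here "PT TELKOM INDONESIA" in the record and "PT. Telekomunikasi Indonesia" in prose); match on the stable part of the name.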
On 2014-04-12 10:06, David Haller wrote:
> Hello Brouerius,
> Use 2-3 of those _hardcoded_ in your /etc/resolv.conf. Use 1-2 reliable, free (non google) others as fallback. Use e.g. FS-Attributes (man chattr) along with chmod 444 or so. E.g.
> chmod 444 /etc/resolv.conf
> chattr +i /etc/resolv.conf
> (no, I don't do that, but I don't do DHCP)
No need to do that. If you use networkmanager with dhcp, you can easily tell it to use a DNS of your choice. With traditional ifup/yast method, I don't remember, but try. Much better than fiddling with those permissions, and will be respected by updates and upgrades.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
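For the traditional ifup setup Carlos mentions, the place to pin the resolvers is the netconfig section of /etc/sysconfig/network/config; the fragment below is an added example, not from the thread or from any of its posters, and is based on my reading of the netconfig keys in that file on openSUSE 13.1 (compare with the comments in your own copy). The server addresses are RFC 5737 documentation placeholders standing in for your ISP's resolvers.

```shell
# /etc/sysconfig/network/config (excerpt) -- added example, not from the thread.
#
# Weak setting (the default): the DHCP-supplied resolvers are merged into
# /etc/resolv.conf, which is how the 68.168.98.196 entry got there.
#NETCONFIG_DNS_POLICY="auto"
#
# Hardened setting: use only the static servers listed here and ignore what
# the router's DHCP hands out. STATIC_FALLBACK would still prefer DHCP
# values and only fall back to these when none are offered.
NETCONFIG_DNS_POLICY="STATIC"
# Space-separated list; 203.0.113.1/2 are placeholders for your ISP's resolvers.
NETCONFIG_DNS_STATIC_SERVERS="203.0.113.1 203.0.113.2"

# Afterwards, regenerate /etc/resolv.conf from these settings (as root):
#   netconfig update -f
```

Because netconfig rewrites /etc/resolv.conf itself, this survives the updates and upgrades that would strip a manual chattr +i, which is the advantage Carlos points to.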
On 04/12/2014 09:05 AM, C. Brouerius van Nidek wrote:
> Parental control is not common at my age (74) rofl.

- & mine is 77
..............
- running oS 13.1 tumbleweed, i see in my /etc/resolv.conf :
________________
nameserver 192.168.1.254
___________________
- this nameserver was not put there by myself : how it got there i know not !!
.............
regards
On 12/04/14 18:55, ellanios82 wrote:
> On 04/12/2014 09:05 AM, C. Brouerius van Nidek wrote:
>> Parental control is not common at my age (74) rofl.
> - & mine is 77
> ..............
> - running oS 13.1 tumbleweed, i see in my /etc/resolv.conf :
> ________________
> nameserver 192.168.1.254
> ___________________
> - this nameserver was not put there by myself : how it got there i know not !!
dhcp put it there
> .............
> regards
participants (8)
- Andreas Seeg
- C. Brouerius van Nidek
- Carlos E. R.
- David Haller
- Dylan
- ellanios82
- Joachim Schrod
- Marcus Meissner