From shaun at moransdomain.com Wed Jul 11 17:47:07 2012
From: shaun at moransdomain.com (Shaun Moran)
Date: Thu, 12 Jul 2012 10:47:07 +1000
Subject: [Netalyzr] Chinese DNS servers in my results?
Message-ID:

Hi - noticed something strange and concerning about my results from Netalyzr - two extra DNS servers which are based in China (203.15.156.237 and 203.15.156.238).

My Netalyzr results are at: http://n3.netalyzr.icsi.berkeley.edu/restore/id=ae81b058-5090-364c463d-cf08-4363-9e95/rd

The Windows 7 PC is configured to get DNS servers from the DHCP server - the DHCP scope only has the three local DNS servers (192.168.200.x). ipconfig /all only shows the three servers at 192.168.200.x, and checking the adapter settings confirms they are set for DHCP. No additional DNS server entries are in the local hosts file, and doing a full virus/rootkit scan found no malware.

When I do a Wireshark capture of DNS packets, the only DNS requests I see for these two DNS servers are DNS A queries for server.u413.n3.netalyzr.icsi.berkeley.edu. The Netalyzr client traffic shows it finding these extra DNS servers. Just browsing normal websites (e.g. ford.com, apple.com, etc.) shows no DNS requests to these Chinese servers. It only happens (briefly) when running Netalyzr...

I'm at a loss as to where these are coming from. It sounds like a PC infection but I can't find any evidence of this. Running Netalyzr on other machines at this location does not show the extra 2 Chinese DNS servers - just this one machine.

Any ideas/suggestions? Have got a Wireshark capture of all DNS traffic if needed.
Thanks - Shaun

177.353 main| dnsDirectIcsi=True
177.353 main| dnsDirectIpv6=True
177.353 main| dnsDirectNxdomain=
177.353 main| dnsDirectRecursiveOnly=False
177.353 main| dnsDirectText=True
177.353 main| dnsLargePackets=True
177.353 main| dnsMediumPackets=True
177.353 main| dnsPracticalMTU=4000
177.353 main| dnsRawTCPStatus=reply
177.353 main| dnsResolver1IP=203.15.156.237
177.353 main| dnsResolver1Live=False
177.353 main| dnsResolver2IP=203.15.156.238
177.353 main| dnsResolver2Live=False
177.353 main| dnsResolver3Authors=
177.353 main| dnsResolver3Copyright=
177.353 main| dnsResolver3DNSSECValidation=False
177.353 main| dnsResolver3Edns=True
177.353 main| dnsResolver3Facebook=69.171.234.21
177.353 main| dnsResolver3Hostname=
177.353 main| dnsResolver3IP=192.168.200.11
177.353 main| dnsResolver3Icsi=True
177.353 main| dnsResolver3Ipv6=True
177.353 main| dnsResolver3Live=True
177.353 main| dnsResolver3Nxdomain=
177.353 main| dnsResolver3RootFacebook=
177.353 main| dnsResolver3Text=True
177.353 main| dnsResolver3TextLarge=False
177.353 main| dnsResolver3TextLargeEDNS=True
177.353 main| dnsResolver3TextMedium=False
177.353 main| dnsResolver3Version=Microsoft+DNS+6.1.7600+%281DB04228%29
177.353 main| dnsResolver4Authors=
177.353 main| dnsResolver4Copyright=
177.353 main| dnsResolver4DNSSECValidation=False
177.353 main| dnsResolver4Edns=True
177.353 main| dnsResolver4Facebook=69.171.234.21
177.353 main| dnsResolver4Hostname=
177.353 main| dnsResolver4IP=192.168.200.12
177.353 main| dnsResolver4Icsi=True
177.353 main| dnsResolver4Ipv6=True
177.353 main| dnsResolver4Live=True
177.353 main| dnsResolver4Nxdomain=
177.353 main| dnsResolver4RootFacebook=
177.353 main| dnsResolver4Text=True
177.353 main| dnsResolver4TextLarge=False
177.353 main| dnsResolver4TextLargeEDNS=True
177.353 main| dnsResolver4TextMedium=False
177.353 main| dnsResolver4Version=Microsoft+DNS+6.1.7600+%281DB04228%29
177.353 main| dnsResolver5Authors=
177.353 main| dnsResolver5Copyright=
177.353 main| dnsResolver5DNSSECValidation=False
177.353 main| dnsResolver5Edns=True
177.353 main| dnsResolver5Facebook=69.171.234.21
177.353 main| dnsResolver5Hostname=
177.353 main| dnsResolver5IP=192.168.200.20
177.353 main| dnsResolver5Icsi=True
177.353 main| dnsResolver5Ipv6=True
177.353 main| dnsResolver5Live=True
177.353 main| dnsResolver5Nxdomain=
177.353 main| dnsResolver5RootFacebook=
177.353 main| dnsResolver5Text=True
177.353 main| dnsResolver5TextLarge=False
177.353 main| dnsResolver5TextLargeEDNS=True
177.353 main| dnsResolver5TextMedium=False
177.353 main| dnsResolver5Version=Microsoft+DNS+6.1.7600+%281DB04228%29
177.353 main| dnsRootAFacebook=
177.353 main| dnsRootAHostname=ans18-lax2
177.353 main| dnsRootAIP=198.41.0.4
177.353 main| dnsRootALive=True
177.353 main| dnsRootANxdomain=
177.353 main| dnsRootBFacebook=
177.353 main| dnsRootBHostname=b4
177.353 main| dnsRootBIP=192.228.79.201
177.353 main| dnsRootBLive=True
177.353 main| dnsRootBNxdomain=
177.353 main| dnsRootCFacebook=
177.353 main| dnsRootCHostname=lax1b.c.root-servers.org
177.353 main| dnsRootCIP=192.33.4.12
177.353 main| dnsRootCLive=True
177.353 main| dnsRootCNxdomain=
177.353 main| dnsRootDFacebook=
177.353 main| dnsRootDHostname=css-d.net.umd.edu
177.353 main| dnsRootDIP=128.8.10.90
177.353 main| dnsRootDLive=True
177.353 main| dnsRootDNxdomain=
177.353 main| dnsRootEFacebook=
177.353 main| dnsRootEHostname=e-01.syd.pch.net
177.353 main| dnsRootEIP=192.203.230.10
177.353 main| dnsRootELive=True
177.353 main| dnsRootENxdomain=
177.353 main| dnsRootFFacebook=
177.353 main| dnsRootFHostname=bne1b.f.root-servers.org
177.353 main| dnsRootFIP=192.5.5.241
177.353 main| dnsRootFLive=True
177.353 main| dnsRootFNxdomain=
177.353 main| dnsRootGFacebook=
177.353 main| dnsRootGHostname=g.root-servers-pac2-1.net
177.353 main| dnsRootGIP=192.112.36.4
177.353 main| dnsRootGLive=True
177.353 main| dnsRootGNxdomain=
177.353 main| dnsRootHFacebook=
177.353 main| dnsRootHHostname=H3
177.353 main| dnsRootHIP=128.63.2.53
177.353 main| dnsRootHLive=True
177.353 main| dnsRootHNxdomain=
177.353 main| dnsRootIFacebook=
177.353 main| dnsRootIHostname=s1.prt
177.353 main| dnsRootIIP=192.36.148.17
177.353 main| dnsRootILive=True
177.353 main| dnsRootINxdomain=
177.353 main| dnsRootJFacebook=
177.353 main| dnsRootJHostname=jluepe1-elsyd1
177.353 main| dnsRootJIP=192.58.128.30
177.353 main| dnsRootJLive=True
177.353 main| dnsRootJNxdomain=
177.353 main| dnsRootKFacebook=
177.353 main| dnsRootKHostname=k2.tokyo.k.ripe.net
177.353 main| dnsRootKIP=193.0.14.129
177.353 main| dnsRootKLive=True
177.353 main| dnsRootKNxdomain=
177.353 main| dnsRootLFacebook=
177.353 main| dnsRootLHostname=bne01.l.root-servers.org
177.353 main| dnsRootLIP=199.7.83.42
177.353 main| dnsRootLLive=True
177.353 main| dnsRootLNxdomain=
177.353 main| dnsRootMFacebook=
177.353 main| dnsRootMHostname=M-NRT-JPIX-1
177.353 main| dnsRootMIP=202.12.27.33
177.353 main| dnsRootMLive=True
177.353 main| dnsRootMNxdomain=
177.353 main| dnsServerV6Support=True
177.353 main| dnsSmallPackets=True
177.353 main| dnsTCPStatus=tcp


From ginham at sbcglobal.net Mon Jul 16 10:32:52 2012
From: ginham at sbcglobal.net (Virgina Hamilton)
Date: Mon, 16 Jul 2012 10:32:52 -0700 (PDT)
Subject: [Netalyzr] (no subject)
Message-ID: <1342459972.11420.YahooMailNeo@web82604.mail.mud.yahoo.com>

http://boysbeddingsets.org/wp-admin/mnews.php?growth225.jpeg


From christian at icir.org Tue Jul 17 11:20:06 2012
From: christian at icir.org (Christian Kreibich)
Date: Tue, 17 Jul 2012 11:20:06 -0700
Subject: [Netalyzr] surprise info
In-Reply-To: <1340979606.76865.YahooMailNeo@web82607.mail.mud.yahoo.com>
References: <1340979606.76865.YahooMailNeo@web82607.mail.mud.yahoo.com>
Message-ID: <5005ACD6.3080704@icir.org>

Apologies for the spam, everyone. We've banned the sender.

Best,
Christian
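The check Shaun describes in the first message of this thread (comparing the resolvers Netalyzr found against the DHCP-assigned ones) can be done mechanically against the transcript Netalyzr prints. The script below is an added example; it is not part of the thread and not Netalyzr's own code. It assumes the "NNN.NNN main| key=value" transcript line format as quoted in Shaun's message, and it assumes that every legitimate resolver for this host lies in 192.168.200.0/24, which is what the message says the DHCP scope hands out. The sample transcript is constructed from the values quoted in the thread, keeping only the resolver keys.

```python
"""Audit the DNS resolvers Netalyzr reports against the resolvers a host
should be using (its DHCP-assigned servers).

Added example, not part of the mailing-list thread or of Netalyzr itself.
It parses the 'NNN.NNN main| key=value' transcript lines Netalyzr prints
(the format quoted in the first message) and flags any dnsResolverN entry
whose IP is outside the expected network.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

# Sample transcript, constructed from the values quoted in the thread
# (only the resolver-related keys are needed for this check).
SAMPLE_TRANSCRIPT = """\
177.353 main| dnsResolver1IP=203.15.156.237
177.353 main| dnsResolver1Live=False
177.353 main| dnsResolver2IP=203.15.156.238
177.353 main| dnsResolver2Live=False
177.353 main| dnsResolver3IP=192.168.200.11
177.353 main| dnsResolver3Live=True
177.353 main| dnsResolver3Version=Microsoft+DNS+6.1.7600+%281DB04228%29
177.353 main| dnsResolver4IP=192.168.200.12
177.353 main| dnsResolver4Live=True
177.353 main| dnsResolver5IP=192.168.200.20
177.353 main| dnsResolver5Live=True
"""

# Networks the DHCP scope hands out resolvers from (assumed: the thread
# says the three local servers are all in 192.168.200.x).
EXPECTED_NETWORKS = [ipaddress.ip_network("192.168.200.0/24")]

# "<timestamp> main| dnsResolver<index><attribute>=<value>"
LINE_RE = re.compile(r"^\s*[\d.]+\s+main\|\s*dnsResolver(\d+)(\w+)=(.*)$")


def parse_resolvers(transcript):
    """Return {index: {attribute: value}} for every dnsResolverN* key."""
    resolvers = {}
    for line in transcript.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a resolver line (root-server keys, MTU, etc.)
        idx, attr, value = int(m.group(1)), m.group(2), m.group(3).strip()
        if attr == "Version":
            # Netalyzr URL-encodes the version.bind answer.
            value = unquote_plus(value)
        resolvers.setdefault(idx, {})[attr] = value
    return resolvers


def unexpected_resolvers(resolvers, expected_networks=EXPECTED_NETWORKS):
    """List (index, ip, live) for resolvers outside the expected networks.

    live is True/False from the transcript's Live flag, or None when the
    IP did not parse (reported rather than silently skipped).
    """
    findings = []
    for idx in sorted(resolvers):
        attrs = resolvers[idx]
        ip_text = attrs.get("IP")
        if not ip_text:
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((idx, ip_text, None))
            continue
        if not any(ip in net for net in expected_networks):
            findings.append((idx, ip_text, attrs.get("Live") == "True"))
    return findings


def audit(transcript, expected_networks=EXPECTED_NETWORKS):
    """Parse a transcript and return its out-of-scope resolvers."""
    return unexpected_resolvers(parse_resolvers(transcript), expected_networks)


if __name__ == "__main__":
    for idx, ip, live in audit(SAMPLE_TRANSCRIPT):
        state = ("unparsable address" if live is None
                 else "answered Netalyzr's probe" if live
                 else "did not answer Netalyzr's probe")
        print(f"resolver {idx}: {ip} is outside the expected networks; {state}")
```

Run against the sample, the audit reports resolvers 1 and 2 (203.15.156.237 and 203.15.156.238) as out of scope, both with Live=False, matching the transcript in the thread: the two unexpected entries never answered Netalyzr's probe, while the three 192.168.200.x servers did and identified themselves as Microsoft DNS. Keeping the Live flag in the finding is deliberate, since whether an unexpected resolver actually answers is the first thing to establish before reading anything into its presence.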