From maciej at soltysiak.com Thu Jun 14 11:26:54 2012
From: maciej at soltysiak.com (Maciej Soltysiak)
Date: Thu, 14 Jun 2012 20:26:54 +0200
Subject: [Netalyzr] DNS redirected to third-party servers: www.google.com
Message-ID:

Hi,

My Netalyzr runs recently started to show that my ISP redirects www.google.com to a 3rd party.
I would like to make sure it's me or my ISP and not something changed in Google's CDN or Netalyzr, so could anyone else verify whether you are getting similar results, please?
My run is here:
http://n1.netalyzr.icsi.berkeley.edu/summary/id=43ca253f-21386-3947730d-5148-4bce-9140#DNSLookup

The IPs that get resolved are:
46.28.247.113
46.28.247.118

Possible reasons:
- DNS issues on my home router, which has a bit experimental software (cerowrt from bufferbloat.net), but it didn't show before on the same firmware.
- Ongoing cache poisoning attack. My ISP DNS is 62.21.99.95.
- If Google is using another pool for its CDN, then it's a false positive.

I'm located in Poznan, Poland (Europe).

Best regards,
Maciej Soltysiak

From nweaver at ICSI.Berkeley.EDU Thu Jun 14 11:32:35 2012
From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver)
Date: Thu, 14 Jun 2012 11:32:35 -0700
Subject: [Netalyzr] DNS redirected to third-party servers: www.google.com
In-Reply-To:
References:
Message-ID: <14FBFB07-6992-495C-8D3B-C6B540306FCB@icsi.berkeley.edu>

I think this may be a false positive:

The systems respond like standard Google servers, both in normal communication and in errors (previous situations where this occurred had the servers respond differently to errors than legitimate Google servers). So it could be Google has added some new servers in Poland, but not updated the reverse DNS. I will contact a friend at Google to confirm...

However, if you want to be extra sure, you can switch to Google Public DNS (8.8.8.8 and 8.8.4.4).

On Jun 14, 2012, at 11:26 AM, Maciej Soltysiak wrote:

> Hi,
>
> My Netalyzr runs recently started to show that my ISP redirects www.google.com to a 3rd party.
> I would like to make sure it's me or my ISP and not something changed in Google's CDN or Netalyzr, so could anyone else verify whether you are getting similar results, please?
> My run is here:
> http://n1.netalyzr.icsi.berkeley.edu/summary/id=43ca253f-21386-3947730d-5148-4bce-9140#DNSLookup
>
> The IPs that get resolved are:
> 46.28.247.113
> 46.28.247.118
>
> Possible reasons:
> - DNS issues on my home router, which has a bit experimental software (cerowrt from bufferbloat.net), but it didn't show before on the same firmware.
> - Ongoing cache poisoning attack. My ISP DNS is 62.21.99.95.
> - If Google is using another pool for its CDN, then it's a false positive.
>
> I'm located in Poznan, Poland (Europe).
>
> Best regards,
> Maciej Soltysiak
>
> _______________________________________________
> Netalyzr mailing list
> Netalyzr at mailman.ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/netalyzr

From jg at freedesktop.org Thu Jun 14 12:33:28 2012
From: jg at freedesktop.org (Jim Gettys)
Date: Thu, 14 Jun 2012 15:33:28 -0400
Subject: [Netalyzr] DNS redirected to third-party servers: www.google.com
In-Reply-To: <14FBFB07-6992-495C-8D3B-C6B540306FCB@icsi.berkeley.edu>
References: <14FBFB07-6992-495C-8D3B-C6B540306FCB@icsi.berkeley.edu>
Message-ID: <4FDA3C88.1010800@freedesktop.org>

On 06/14/2012 02:32 PM, Nicholas Weaver wrote:
> I think this may be a false positive:
>
> The systems respond like standard Google servers, both in normal communication and in errors (previous situations where this occurred had the servers respond differently to errors than legitimate Google servers). So it could be Google has added some new servers in Poland, but not updated the reverse DNS. I will contact a friend at Google to confirm...

DNSchanger? Remember that malware attacks your home router as well as your hosts....
- Jim

> However, if you want to be extra sure, you can switch to Google Public DNS (8.8.8.8 and 8.8.4.4).

From maciej at soltysiak.com Thu Jun 14 12:40:57 2012
From: maciej at soltysiak.com (Maciej Soltysiak)
Date: Thu, 14 Jun 2012 21:40:57 +0200
Subject: [Netalyzr] DNS redirected to third-party servers: www.google.com
In-Reply-To: <4FDA3C88.1010800@freedesktop.org>
References: <14FBFB07-6992-495C-8D3B-C6B540306FCB@icsi.berkeley.edu> <4FDA3C88.1010800@freedesktop.org>
Message-ID:

Hi Jim,

My router is the latest cerowrt-3.3.8-3, installed about an hour after it hit the ftp site.
I doubt it could have got infected so fast.

Anyway, when I initially directly asked 8.8.8.8 for www.google.com it never responded with the 42.x.y.z addresses, but some other ones. Now, after some time, it does as well, so I'm feeling calm now.

Thanks,
Maciej

On Thu, Jun 14, 2012 at 9:33 PM, Jim Gettys wrote:
> DNSchanger? Remember that malware attacks your home router as well as your hosts....
> - Jim

From jg at freedesktop.org Thu Jun 14 12:47:10 2012
From: jg at freedesktop.org (Jim Gettys)
Date: Thu, 14 Jun 2012 15:47:10 -0400
Subject: [Netalyzr] DNS redirected to third-party servers: www.google.com
In-Reply-To:
References: <14FBFB07-6992-495C-8D3B-C6B540306FCB@icsi.berkeley.edu> <4FDA3C88.1010800@freedesktop.org>
Message-ID: <4FDA3FBE.4040306@freedesktop.org>

On 06/14/2012 03:40 PM, Maciej Soltysiak wrote:
> Hi Jim,
>
> My router is the latest cerowrt-3.3.8-3, installed about an hour after it hit the ftp site.
> I doubt it could have got infected so fast.

Nor is the CeroWrt default password in their list, I would guess.

> Anyway, when I initially directly asked 8.8.8.8 for www.google.com it never responded with the 42.x.y.z addresses, but some other ones. Now, after some time, it does as well, so I'm feeling calm now.

Yeah, I like the Comcast DNS servers best (since they are closest, have great performance and implement DNSSEC); when I can't get them, I use Google.
- Jim

> Thanks,
> Maciej

From nweaver at ICSI.Berkeley.EDU Thu Jun 14 13:27:48 2012
From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver)
Date: Thu, 14 Jun 2012 13:27:48 -0700
Subject: [Netalyzr] DNS redirected to third-party servers: www.google.com
In-Reply-To: <4FDA3FBE.4040306@freedesktop.org>
References: <14FBFB07-6992-495C-8D3B-C6B540306FCB@icsi.berkeley.edu> <4FDA3C88.1010800@freedesktop.org> <4FDA3FBE.4040306@freedesktop.org>
Message-ID:

I confirmed with a colleague at Google: it was a false positive, that address is a legitimate Google server.

DNSchanger, at least the famous attack along those lines, did not change Google but changed Google Analytics (www.google-analytics.com) and Doubleclick (ad.doubleclick.net) in order to inject advertisements.

From maciej at soltysiak.com Thu Jun 14 13:51:17 2012
From: maciej at soltysiak.com (Maciej Soltysiak)
Date: Thu, 14 Jun 2012 22:51:17 +0200
Subject: [Netalyzr] DNS redirected to third-party servers: www.google.com
In-Reply-To:
References: <14FBFB07-6992-495C-8D3B-C6B540306FCB@icsi.berkeley.edu> <4FDA3C88.1010800@freedesktop.org> <4FDA3FBE.4040306@freedesktop.org>
Message-ID:

Sorted then! Cheers!
Maciej

On Thu, Jun 14, 2012 at 10:27 PM, Nicholas Weaver wrote:
> I confirmed with a colleague at Google: it was a false positive, that address is a legitimate Google server.
>
> DNSchanger, at least the famous attack along those lines, did not change Google but changed Google Analytics (www.google-analytics.com) and Doubleclick (ad.doubleclick.net) in order to inject advertisements.

From ginham at sbcglobal.net Fri Jun 29 07:20:06 2012
From: ginham at sbcglobal.net (Virgina Hamilton)
Date: Fri, 29 Jun 2012 07:20:06 -0700 (PDT)
Subject: [Netalyzr] surprise info
Message-ID: <1340979606.76865.YahooMailNeo@web82607.mail.mud.yahoo.com>

http://lightless.in/wordpress/wp-content/themes/shiword/borober.htm
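The cross-resolver check the www.google.com thread above walks through (compare the ISP resolver's answer with an independent resolver such as 8.8.8.8, then see whether reverse DNS names the expected operator), as an added example that is neither Netalyzr's code nor anything the list members posted. The reverse-DNS domain example.net and the 203.0.113.10 reference answer are constructed placeholders; the 46.28.247.x addresses are the ones reported in the thread.

```python
# Added example, not Netalyzr's code: offline cross-resolver check for a
# suspected DNS redirection. All inputs come from the caller, so no network I/O.
import ipaddress
from typing import Dict, Iterable, Optional

CONSISTENT = "consistent"          # both resolvers agree: ISP redirection unlikely
NON_GLOBAL = "non-global-answer"   # private/loopback/bogon answer: classic hijack sign
RDNS_MATCH = "rdns-names-operator" # differs from reference, but PTR names the operator
UNCONFIRMED = "unconfirmed"        # differs and PTR proves nothing: confirm out of band
_SEVERITY = (NON_GLOBAL, UNCONFIRMED, RDNS_MATCH, CONSISTENT)  # most concerning first


def _under(name: Optional[str], suffixes: Iterable[str]) -> bool:
    """True if a reverse-DNS name equals, or is a subdomain of, one of suffixes."""
    name = (name or "").lower().rstrip(".")
    return bool(name) and any(name == s or name.endswith("." + s)
                              for s in (x.lower().rstrip(".") for x in suffixes))


def classify(isp_answers: Iterable[str], ref_answers: Iterable[str],
             ptr: Dict[str, Optional[str]], operator_suffixes: Iterable[str]) -> Dict[str, str]:
    """Verdict per A record the ISP/local resolver returned, given the A records an
    independent resolver (e.g. 8.8.8.8) returned for the same name, the PTR name per
    address (None if absent) and the reverse-DNS domains the operator is known to use."""
    ref = {ipaddress.ip_address(a) for a in ref_answers}
    suffixes = list(operator_suffixes)
    verdicts: Dict[str, str] = {}
    for text in isp_answers:
        addr = ipaddress.ip_address(text)
        if not addr.is_global:
            verdicts[text] = NON_GLOBAL     # e.g. 192.168.x.x handed out by a tampered router
        elif addr in ref:
            verdicts[text] = CONSISTENT
        elif _under(ptr.get(text), suffixes):
            verdicts[text] = RDNS_MATCH     # new CDN pool whose reverse DNS is in place
        else:
            verdicts[text] = UNCONFIRMED    # the thread's case: no PTR yet, needs confirmation
    return verdicts


def worst(verdicts: Dict[str, str]) -> str:
    """Collapse per-address verdicts to the single most concerning one."""
    return next((v for v in _SEVERITY if v in verdicts.values()), CONSISTENT)


if __name__ == "__main__":
    # Constructed run with the thread's addresses; 8.8.8.8 first disagrees, later agrees.
    isp = ["46.28.247.113", "46.28.247.118"]
    print(worst(classify(isp, ["203.0.113.10"], {}, ["example.net"])))   # unconfirmed
    print(worst(classify(isp, isp, {}, ["example.net"])))                # consistent
```

An "unconfirmed" verdict is exactly the state the thread was in before Weaver's colleague at Google confirmed the addresses; only "non-global-answer" is a strong sign of local tampering on its own.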