superxtracker

From: 99% of gargoyles look like (MR_BASTARD) 7 Apr 2012 14:18
To: ALL 1 of 27

Anyone heard of this? What is it? (when Google was briefly working it wasn't too forthcoming)

 

Fiona reported that web pages were being redirected to superxtracker7.com. My first thought was a trojan on her pooter, since the only time security updates get installed is when I do it (which requires her fat arse not to be in front of it).

 

But I'm having the same problem with some (not all) pages, which are defaulting to superxtracker7.com (http://superxtracker7.com/cgi-bin/exmo.cgi/31/3725:E:17527030) via www4.amycrec.info.

 

All seems a bit dodgy, but teh seems unaffected. Oddness?

 

 

EDITED: 7 Apr 2012 14:19 by MR_BASTARD
From: ANT_THOMAS 7 Apr 2012 14:36
To: 99% of gargoyles look like (MR_BASTARD) 2 of 27
Check hosts file. Sounds very dodgy though. Get updated and scanned.
From: Ken (SHIELDSIT) 7 Apr 2012 14:53
To: 99% of gargoyles look like (MR_BASTARD) 3 of 27

Is that a Mac or Windows PC? I know you use a Mac right? Have you checked to make sure you don't have that new thing going around?

 

I've had some strange things going on with my kids computers this week too, my daughter infected two very nicely with rootkits and trojans.

 

*And if it is Windows, get Malwarebytes and do a scan. It's funny, my AV will say things are fine and I'll run Malwarebytes and it will kick things up and my AV will finally see them. I don't trust any AV software anymore!

EDITED: 7 Apr 2012 14:54 by SHIELDSIT
From: 99% of gargoyles look like (MR_BASTARD) 7 Apr 2012 16:05
To: ALL 4 of 27

Thank you both.

 

Ant, I'm not sure what the hosts file on a Mac is called. It doesn't appear to be 'hosts' though.

 

Ken, no I've checked for that recent trojan already, and it's not a problem.

 

Curiouser and curiouser, I have the same problem with the iPod Touch and the MBA which hasn't been used for weeks. All of which makes it more likely that this is a problem with the router or downstream.

From: 99% of gargoyles look like (MR_BASTARD) 7 Apr 2012 16:44
To: 99% of gargoyles look like (MR_BASTARD) 5 of 27
>the router

Which happens to be a Netgear FVS318v3 BTW
From: Peter (BOUGHTONP) 7 Apr 2012 16:57
To: 99% of gargoyles look like (MR_BASTARD) 6 of 27
The hosts file is in /etc/hosts but some OSs place that within some other directory.

On Windows, it's in %WINDIR%/system32/drivers/etc/hosts

On Mac OS X, it's in /private/etc/hosts (according to the first result in a Google Search).


It might also be that her machine is going via a proxy (check browser/network settings), or any other machine between her and her ISP (check your WiFi router if you have one - maybe you left it with the default password).
From: 99% of gargoyles look like (MR_BASTARD) 7 Apr 2012 17:57
To: Peter (BOUGHTONP) 7 of 27

Thanks Peter. Found local on my Mac (which is also 'affected') and nothing odd there. The router password is not the default, and is relatively strong. Given that this is affecting all computers here, and the iPod Touch, I'm thinking that this is a problem with the ISP.

 

I tried pinging a range of domains, and with few exceptions the same result was returned: 204.8.136.10 which resolves to ns1.jellydigital.com. I've never heard of them.

 

I've just tried ping again, and now those domains are giving me different IP addresses. And most addresses are being properly resolved to the correct web sites. The ones that aren't seem to have been hijacked by those sons of fun at banginyourcity.com (yes, tediously enough, it's a porn portal).

 

 

EDITED: 7 Apr 2012 17:58 by MR_BASTARD
From: 99% of gargoyles look like (MR_BASTARD) 7 Apr 2012 18:01
To: 99% of gargoyles look like (MR_BASTARD) 8 of 27

Hmmmz. The older superxtracker7.com site loaded up a 404 page through a broken CGI. bang...city appears to load via amycrec.info and superxtracker7.com, presumably the CGI has been 'fixed' and this is what I've been supposed to see all along. How gay.

From: 99% of gargoyles look like (MR_BASTARD) 7 Apr 2012 18:07
To: 99% of gargoyles look like (MR_BASTARD) 9 of 27
Yep. And now apple.com, microsoft.com, yahoo.com, canon.com all resolve to 204.8.136.10.

Can anyone help with this, what's happening?

code:
traceroute to 204.8.136.10 (204.8.136.10), 64 hops max, 52 byte packets
 1  83.76.3.103 (83.76.3.103)  2.981 ms  3.153 ms  3.051 ms
 2  83.76.0.1 (83.76.0.1)  14.900 ms  16.700 ms  14.596 ms
 3  213.3.247.178 (213.3.247.178)  15.966 ms  17.235 ms  14.789 ms
 4  213.3.247.177 (213.3.247.177)  14.921 ms  12.274 ms  15.420 ms
 5  195.186.0.178 (195.186.0.178)  20.008 ms  17.966 ms  16.233 ms
 6  138.187.159.0 (138.187.159.0)  107.743 ms  101.945 ms  103.742 ms
 7  138.187.159.13 (138.187.159.13)  173.999 ms  175.283 ms  171.966 ms
 8  198.32.175.111 (198.32.175.111)  166.600 ms  168.452 ms  169.310 ms
 9  66.192.253.46 (66.192.253.46)  183.462 ms  183.332 ms  180.156 ms
10  204.8.136.254 (204.8.136.254)  177.788 ms  183.243 ms  179.285 ms
11  ns1.jellydigital.net (204.8.136.10)  180.144 ms  182.087 ms  180.055 ms
 
From: 99% of gargoyles look like (MR_BASTARD) 7 Apr 2012 18:10
To: 99% of gargoyles look like (MR_BASTARD) 10 of 27

And now web addresses resolve to that broken CGI again, no more bang...city.

 

These fucking sleazoids should be garrotted.

From: CHYRON (DSMITHHFX) 7 Apr 2012 18:39
To: 99% of gargoyles look like (MR_BASTARD) 11 of 27
Any chance the router has been hacked? What's the dns?

Edit: This redirect trojan came to light this past week.
EDITED: 7 Apr 2012 18:43 by DSMITHHFX
From: 99% of gargoyles look like (MR_BASTARD) 7 Apr 2012 18:54
To: CHYRON (DSMITHHFX) 12 of 27
>Any chance the router has been hacked?

It's not impossible, it would certainly explain why all devices are similarly affected. How could I find out?

I've seen a lot of activity from 93.184.220.20 (ns1.edgecastcdn.net) to 83.76.3.103 (no idea what that is)

code:
Sat, 2012-04-07 18:58:53 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58377 from WAN]
Sat, 2012-04-07 18:58:53 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58368 from WAN]
Sat, 2012-04-07 18:58:57 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58379 from WAN]
Sat, 2012-04-07 18:58:57 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58378 from WAN]
Sat, 2012-04-07 18:58:57 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58377 from WAN]
Sat, 2012-04-07 18:58:57 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58368 from WAN]
Sat, 2012-04-07 18:59:05 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58379 from WAN]
Sat, 2012-04-07 18:59:05 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58378 from WAN]
Sat, 2012-04-07 18:59:05 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58377 from WAN]
Sat, 2012-04-07 18:59:05 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58368 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58416 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58414 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58413 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58412 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58416 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58414 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58413 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58412 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58416 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58414 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58413 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58412 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58416 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58414 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58413 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58412 from WAN]
Sat, 2012-04-07 18:59:54 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:54 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number receive
…[Message Truncated]
From: CHYRON (DSMITHHFX) 7 Apr 2012 18:57
To: 99% of gargoyles look like (MR_BASTARD) 13 of 27

>How could I find out

 

I'm not familiar with that router, but if it's anything like ones I've had (and have) with a built-in DHCP server, there should be a web admin you can log onto and set stuff such as primary dns, mac addresses (of physical devices that are allowed to connect), whether to allow remote access etc.

 

 

 

 

EDITED: 7 Apr 2012 19:00 by DSMITHHFX
From: Serg (NUKKLEAR) 7 Apr 2012 19:52
To: 99% of gargoyles look like (MR_BASTARD) 14 of 27

I was going to suggest a DNS hack straight away, I've seen this before. Take a look at the router settings, and try to find out what DNS servers your ISP actually uses.

 

Is there a Windows machine that's infected? This might explain why it would affect any other OS's on the same LAN segment as well: http://forums.macrumors.com/showthread.php?t=1214882

 

See what's in your resolv.conf like this:
cat /etc/resolv.conf

 

If it's not your ISP's DNS server, you've been hacked. The link above shows one way of finding out which machine is poisoning your LAN, unless you can figure it out yourself easily. Make sure the router hasn't got a standard password, and turn off UPnP on the router if it's an option (it's useful, but sometimes more dangerous than it's worth).

EDITED: 7 Apr 2012 20:00 by NUKKLEAR
From: Serg (NUKKLEAR) 7 Apr 2012 22:16
To: 99% of gargoyles look like (MR_BASTARD) 15 of 27
From: CHYRON (DSMITHHFX) 7 Apr 2012 23:48
To: Serg (NUKKLEAR) 16 of 27
Dude...
From: Ken (SHIELDSIT) 8 Apr 2012 02:07
To: Serg (NUKKLEAR) 17 of 27
It has to be a DNS hack on his router /or/ the ISP is fucked up. There isn't any other explanation for all the machines on the network acting the same.

I'd try to switch my name servers to Google's or OpenDNS's and see what happens. Or actually make sure you're using the ISP's, and if you are, switch because something is very wrong with them.
From: 99% of gargoyles look like (MR_BASTARD) 8 Apr 2012 14:37
To: Ken (SHIELDSIT) 18 of 27

I think you may be right, but I don't know how/why.

 

The DNS on my router was set to 213.230.203.212 and 65.98.72.34. I seem to recall having to input DNS servers when setting up the connection to the ISP, but whether or not these were the IP addresses is anyone's guess. I changed the DNS option to getting them automatically from the ISP, and all seems to be working now.

 

But, if it was a DNS hack on my router, I have no idea how it was achieved. UPnP, remote access, and all external connections are disabled. The default, and only, rule for inbound services is to block all traffic from the WAN.

 

So, theoretically at least, no one should be able to access the router from the outside.
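The check Serg and Ken describe (compare the resolvers actually in use with the ones you expect, and notice when unrelated names all resolve to one host, as apple.com, microsoft.com, yahoo.com and canon.com did above), as an added Python example that is not from this thread. The resolv.conf contents, the 192.0.2.x "ISP" resolvers and the lookup table are constructed samples; Google's and OpenDNS's addresses are the well-known public ones.

```python
"""Added example (not from the thread): flag the two symptoms described above,
rogue resolvers in resolv.conf and unrelated names collapsing onto one IP."""
import re
from collections import Counter

# Constructed resolv.conf; the two nameservers are the ones the thread
# reports as set on the router (hypothetical sample, not verified).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
domain example.lan
nameserver 213.230.203.212
nameserver 65.98.72.34
"""

# Resolvers you expect: a hypothetical ISP pair (192.0.2.x, TEST-NET) plus
# the Google and OpenDNS servers suggested in the thread.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54", "8.8.8.8", "8.8.4.4",
                      "208.67.222.222", "208.67.220.220"}

# Constructed lookups mirroring the thread: four big names all land on
# the hijacker's host, one (TEST-NET address) resolves normally.
SAMPLE_LOOKUPS = {"apple.com": "204.8.136.10", "microsoft.com": "204.8.136.10",
                  "yahoo.com": "204.8.136.10", "canon.com": "204.8.136.10",
                  "example.net": "192.0.2.10"}

def parse_resolvers(text):
    """Nameserver addresses in file order, comments ignored."""
    out = []
    for line in text.splitlines():
        m = re.match(r"nameserver\s+(\S+)$", line.split("#", 1)[0].strip())
        if m:
            out.append(m.group(1))
    return out

def unexpected_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Resolvers that are neither the ISP's nor a chosen public service."""
    return [r for r in resolvers if r not in expected]

def collapsed_answers(lookups, min_names=3):
    """IPs shared by at least min_names unrelated names -> likely hijack."""
    shared = {ip for ip, n in Counter(lookups.values()).items() if n >= min_names}
    return {ip: sorted(h for h, a in lookups.items() if a == ip) for ip in shared}

def check(resolv_text, lookups):
    """Combine both tests; 'suspicious' is True if either one fires."""
    rogue = unexpected_resolvers(parse_resolvers(resolv_text))
    collapsed = collapsed_answers(lookups)
    return {"rogue_resolvers": rogue, "collapsed": collapsed,
            "suspicious": bool(rogue or collapsed)}
```

For a live check, feed `check()` the real file (`open("/etc/resolv.conf").read()`) and a dict built with `socket.gethostbyname` for a handful of unrelated well-known names.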

From: Ken (SHIELDSIT) 8 Apr 2012 14:42
To: 99% of gargoyles look like (MR_BASTARD) 19 of 27
Yeah that is pretty strange. I wonder if at one point that was a good nameserver and something happened to it. But at least you have it working now!
From: ANT_THOMAS 8 Apr 2012 14:52
To: 99% of gargoyles look like (MR_BASTARD) 20 of 27
Possibly a trojan or virus on a LAN computer that has changed it? Does the router allow telnet access at all?