Anyone heard of this? What is it? (when Google was briefly working it wasn't too forthcoming)
Fiona reported that web pages were being redirected to superxtracker7.com. My first thought was a trojan on her pooter, since the only time security updates get installed is when I do it (which requires her fat arse not to be in front of it).
But I'm having the same problem with some (not all) pages, which are defaulting to superxtracker7.com (http://superxtracker7.com/cgi-bin/exmo.cgi/31/3725:E:17527030) via www4.amycrec.info.
All seems a bit dodgy, but teh seems unaffected. Oddness?
Is that a Mac or Windows PC? I know you use a Mac, right? Have you checked to make sure you don't have that new thing going around?
I've had some strange things going on with my kids computers this week too, my daughter infected two very nicely with rootkits and trojans.
*And if it is Windows, get Malwarebytes and do a scan. It's funny, my AV will say things are fine and I'll run Malwarebytes and it will kick things up and my AV will finally see them. I don't trust any AV software anymore!
Thank you both.
Ant, I'm not sure what the hosts file on a Mac is called. It doesn't appear to be 'hosts' though.
Ken, no I've checked for that recent trojan already, and it's not a problem.
Curiouser and curiouser, I have the same problem with the iPod Touch and the MBA which hasn't been used for weeks. All of which makes it more likely that this is a problem with the router or downstream.
Thanks Peter. Found local on my Mac (which is also 'affected') and nothing odd there. The router password is not the default, and is relatively strong. Given that this is affecting all computers here, and the iPod Touch, I'm thinking that this is a problem with the ISP.
I tried pinging a range of domains, and with few exceptions the same result was returned: 204.8.136.10 which resolves to ns1.jellydigital.com. I've never heard of them.
I've just tried ping again, and now those domains are giving me different IP addresses. And most addresses are being properly resolved to the correct web sites. The ones that aren't seem to have been hijacked by those sons of fun at banginyourcity.com (yes, tediously enough, it's a porn portal).
Hmmmz. The older superxtracker7.com site loaded up a 404 page through a broken CGI. bang...city appears to load via amycrec.info and
superxtracker7.com, presumably the CGI has been 'fixed' and this is what I've been supposed to see all along. How gay.
traceroute to 204.8.136.10 (204.8.136.10), 64 hops max, 52 byte packets
 1  83.76.3.103 (83.76.3.103)  2.981 ms  3.153 ms  3.051 ms
 2  83.76.0.1 (83.76.0.1)  14.900 ms  16.700 ms  14.596 ms
 3  213.3.247.178 (213.3.247.178)  15.966 ms  17.235 ms  14.789 ms
 4  213.3.247.177 (213.3.247.177)  14.921 ms  12.274 ms  15.420 ms
 5  195.186.0.178 (195.186.0.178)  20.008 ms  17.966 ms  16.233 ms
 6  138.187.159.0 (138.187.159.0)  107.743 ms  101.945 ms  103.742 ms
 7  138.187.159.13 (138.187.159.13)  173.999 ms  175.283 ms  171.966 ms
 8  198.32.175.111 (198.32.175.111)  166.600 ms  168.452 ms  169.310 ms
 9  66.192.253.46 (66.192.253.46)  183.462 ms  183.332 ms  180.156 ms
10  204.8.136.254 (204.8.136.254)  177.788 ms  183.243 ms  179.285 ms
11  ns1.jellydigital.net (204.8.136.10)  180.144 ms  182.087 ms  180.055 ms
And now web addresses resolve to that broken CGI again, no more bang...city.
These fucking sleazoids should be garrotted.
Sat, 2012-04-07 18:58:53 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58377 from WAN]
Sat, 2012-04-07 18:58:53 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58368 from WAN]
Sat, 2012-04-07 18:58:57 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58379 from WAN]
Sat, 2012-04-07 18:58:57 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58378 from WAN]
Sat, 2012-04-07 18:58:57 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58377 from WAN]
Sat, 2012-04-07 18:58:57 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58368 from WAN]
Sat, 2012-04-07 18:59:05 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58379 from WAN]
Sat, 2012-04-07 18:59:05 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58378 from WAN]
Sat, 2012-04-07 18:59:05 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58377 from WAN]
Sat, 2012-04-07 18:59:05 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58368 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58416 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58414 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58413 from WAN]
Sat, 2012-04-07 18:59:39 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58412 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58416 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58414 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58413 from WAN]
Sat, 2012-04-07 18:59:40 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58412 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58416 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58414 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58413 from WAN]
Sat, 2012-04-07 18:59:42 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58412 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58416 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58414 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58413 from WAN]
Sat, 2012-04-07 18:59:46 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58412 from WAN]
Sat, 2012-04-07 18:59:54 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number received with Reset, dropping packet Src 80 Dst 58417 from WAN]
Sat, 2012-04-07 18:59:54 - TCP packet - Source: 93.184.220.20 - Destination: 83.76.3.103 - [Invalid sequence number receive…
>How could I find out
I'm not familiar with that router, but if it's anything like ones I've had (and have) with a built-in DHCP server, there should be a web admin you can log onto and set stuff such as primary DNS, MAC addresses (of physical devices that are allowed to connect), whether to allow remote access, etc.
I was going to suggest a DNS hack straight away, I've seen this before. Take a look at the router settings, and try to find out what DNS servers your ISP actually uses.
Is there a Windows machine that's infected? This might explain why it would affect any other OSes on the same LAN segment as well: http://forums.macrumors.com/showthread.php?t=1214882
See what's in your resolv.conf like this:
cat /etc/resolv.conf
If it's not your ISP's DNS server, you've been hacked. The link above shows one way of finding out which machine is poisoning your LAN, unless you can figure it out yourself easily. Make sure the router hasn't got a standard password, and turn off UPnP on the router if it's an option (it's useful, but sometimes more dangerous than it's worth).
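The two checks this reply suggests (compare the resolvers a host is using against the ISP's real servers) and the symptom reported earlier in the thread (many unrelated domains all pinging back as 204.8.136.10) can be scripted. The script below is an added example, not code from the thread or anyone in it. It parses resolv.conf text, flags resolvers that are not on an allowlist, and groups lookup results to find an address that many names collapse onto. The ISP resolver addresses (192.0.2.53, 192.0.2.54) and the domain names and their answers are constructed placeholders; the rogue resolver addresses and the sinkhole address are the ones quoted in the thread. One caveat worth knowing: on macOS /etc/resolv.conf is generated and may not reflect per-interface settings, so `scutil --dns` is the authoritative view there; feed its nameserver lines to the same parser.

```python
"""Added example (not from the thread): check a host's configured resolvers
against the ISP's known-good servers, and spot a DNS sinkhole where many
unrelated names collapse onto one address. All inputs are constructed
inline so the script runs offline."""
import ipaddress
import re
from collections import defaultdict

# Constructed resolv.conf text. The two nameserver addresses are the ones
# the thread reports finding in the router's DNS settings.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
domain home.example
nameserver 213.230.203.212
nameserver 65.98.72.34
"""

# Resolvers the ISP actually hands out: assumed placeholders from the
# RFC 5737 documentation range, not real ISP servers.
ISP_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses in file order, skipping non-IP junk."""
    servers = []
    for match in NAMESERVER_RE.finditer(text):
        candidate = match.group(1)
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # not an IP literal; do not trust it
        servers.append(candidate)
    return servers


def unexpected_resolvers(servers, allowed, lan_prefix="192.168.0.0/16"):
    """Servers that are neither allowlisted nor the LAN router itself.

    A LAN-side resolver (the router forwarding DHCP-supplied DNS) is not
    flagged here; the router's own upstream setting must be checked in its
    admin UI, which is where the thread eventually found the problem.
    """
    lan = ipaddress.ip_network(lan_prefix)
    return [s for s in servers
            if s not in allowed and ipaddress.ip_address(s) not in lan]


def find_sinkholes(resolutions, min_domains=3):
    """Map each address shared by >= min_domains names to those names.

    resolutions: {domain: [ip, ...]} as collected from dig/ping per name.
    Shared hosting and CDNs legitimately reuse addresses, so treat a hit
    as a lead to verify against a known-good resolver, not as proof.
    """
    by_ip = defaultdict(set)
    for domain, ips in resolutions.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items()
            if len(domains) >= min_domains}


# Constructed lookup results mirroring the thread's ping test: most names
# answer with 204.8.136.10 (ns1.jellydigital.com); the rest are placeholders.
SAMPLE_RESOLUTIONS = {
    "news.example": ["204.8.136.10"],
    "shop.example": ["204.8.136.10"],
    "mail.example": ["204.8.136.10"],
    "bank.example": ["198.51.100.7"],
    "wiki.example": ["203.0.113.42"],
}


def audit(resolv_conf_text=SAMPLE_RESOLV_CONF, allowed=ISP_RESOLVERS,
          resolutions=SAMPLE_RESOLUTIONS):
    """Run both checks and return the findings as a dict."""
    servers = parse_resolv_conf(resolv_conf_text)
    return {
        "configured": servers,
        "rogue": unexpected_resolvers(servers, allowed),
        "sinkholes": find_sinkholes(resolutions),
    }


if __name__ == "__main__":
    findings = audit()
    print("resolvers:", ", ".join(findings["configured"]))
    for s in findings["rogue"]:
        print(f"WARNING: resolver {s} is not one of the ISP's servers")
    for ip, names in findings["sinkholes"].items():
        print(f"WARNING: {len(names)} names resolve to {ip}: {', '.join(names)}")
```

To use it for real, replace SAMPLE_RESOLV_CONF with the contents of /etc/resolv.conf (or the nameserver lines from `scutil --dns` on a Mac), put the ISP's published resolver addresses in ISP_RESOLVERS, and build the resolutions dict from `dig +short` output for a handful of sites you know. If the flagged resolver lives on the router, log in to the router and compare its upstream DNS entries against the ISP's list the same way.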
I think you may be right, but I don't know how/why.
The DNS on my router was set to 213.230.203.212 and 65.98.72.34. I seem to recall having to input DNS servers when setting up the connection to the ISP, but whether or not these were the IP addresses is anyone's guess. I changed the DNS option to getting them automatically from the ISP, and all seems to be working now.
But, if it was a DNS hack on my router, I have no idea how it was achieved. UPnP, remote access, and all external connections are disabled. The default, and only, rule for inbound services is to block all traffic from the WAN.
So, theoretically at least, no one should be able to access the router from the outside.