  secured655
@rr.com
| SEO redirect: ip-lookup.net
Can anyone verify this? Google search term 'iplookup'. First result shown is ip-lookup.net.
If I click the first result, I get a delay, and a firewall warning blocking the following from connecting:
r2prod.com at 213.186.206.199, which I think might be a redirect via SEO poisoning. If others don't see this, then I'll have to conclude it's locally sourced. Browser here is FF 3.0.14, but confirmed on IE6 as well. Also worth noting is that the block is effectively (only) coming from the CoU IP blocklist. Thanks Donna and the entire CalendarofUpdates Team. You continue to produce an outstanding resource for the rest of us. Thanks in advance to any who offer insight on this. |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| I did an nslookup on both names; they return the same IP. In my case and via network tools it was 213.186.33.16. These are on a shared hosting service. A reverse lookup on the IP in your post is 213-186-206-199.static.vega-ua.net and ownership is in Ukraine (Digital Generation Coordination Center) versus France on the IP my DNS server returned.
idserve indicates that no connection is possible to that IP 213.186.206.166.
idserve was able to connect immediately to
What does an nslookup show using your DNS servers for ip-lookup.net and r2prod.com?
If Nslookup returns 213.186.206.199 it would not be an SEO redirect. Past there I don't know why the different IP would be returned via DNS, it could be as simple as an old server IP (likely) or it could be DNS poisoning (less likely).
-- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. |
|
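The check TheWiseGuy describes (resolve both names, compare what your own DNS servers return with an independent answer, and rule out a hosts-file entry) can be scripted. The following is an added example, not code from anyone in this thread; it uses only the Python standard library and builds the DNS query by hand so the reference lookup bypasses the local stub resolver. The reference resolver 8.8.8.8, the sample hosts-file text and the sample DNS response are assumptions constructed for the example; only the IPs and names quoted in the thread are real.

```python
"""Triage a suspected redirect: hosts-file override vs. resolver mismatch vs. consistent.

Added example (not from the thread). Stdlib only: the DNS A query is encoded and
decoded by hand so a specific resolver can be asked directly over UDP/53.
"""
import ipaddress
import socket
import struct

REFERENCE_RESOLVER = "8.8.8.8"  # assumption: any resolver you trust will do


def parse_hosts(text):
    """Map lowercase hostname -> list of IPs from hosts-file text (comments stripped)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            mapping.setdefault(host.lower(), []).append(parts[0])
    return mapping


def build_a_query(name, txid=0x1234):
    """Encode a standard recursion-desired DNS query for an A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return the IPv4 strings from the answer section of a raw DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs


def resolve_via(name, server, timeout=3.0):
    """Ask one specific resolver over UDP/53 (network access required)."""
    query = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def classify(name, hosts_map, system_addrs, reference_addrs):
    """Apply the thread's reasoning: where does the answer the browser gets come from?"""
    key = name.lower()
    if key in hosts_map:
        return "local: hosts file overrides %s -> %s" % (name, hosts_map[key])
    if set(system_addrs) == set(reference_addrs):
        return "consistent: not a DNS/hosts redirect, look at the browser and the host"
    return "resolver mismatch: system %s vs reference %s (stale record or DNS poisoning)" % (
        sorted(system_addrs), sorted(reference_addrs))


def triage(name, hosts_text, reference=REFERENCE_RESOLVER):
    """Live check: local resolver vs independent resolver vs hosts file."""
    system_addrs = socket.gethostbyname_ex(name)[2]
    reference_addrs = resolve_via(name, reference)
    return classify(name, parse_hosts(hosts_text), system_addrs, reference_addrs)


# Constructed sample data (not captured from the thread's machines).
SAMPLE_HOSTS = "127.0.0.1 localhost\n# comment\n213.186.206.199 ip-lookup.net www.ip-lookup.net\n"
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"      # header: 1 question, 1 answer
    + b"\x09ip-lookup\x03net\x00\x00\x01\x00\x01"            # question: ip-lookup.net A IN
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"    # answer: ptr to name, A, IN, TTL 300
    + bytes([213, 186, 33, 16])                              # RDATA 213.186.33.16
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))
    print(classify("ip-lookup.net", parse_hosts(SAMPLE_HOSTS), ["213.186.33.16"], ["213.186.33.16"]))
    print(classify("r2prod.com", {}, ["213.186.206.199"], ["213.186.33.16"]))
```

On a live box, `triage("ip-lookup.net", open(hosts_path).read())` runs all three checks at once; a "consistent" verdict is what TheWiseGuy's nslookup comparison gives, and it means the redirect is happening after name resolution (browser, proxy settings, or something resident on the host) rather than in DNS.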
  secured655
@rr.com
| reply to secured655 TheWiseGuy,
I ran the nslookups you suggested, and my results are the same as yours. I should point out that after my post, I ran the following commands:
nbtstat -R
ipconfig /flushdns
arp -d
netstat -vb
The netstat with no browser or other programs running was empty. Earlier today, another user of this computer was hit by something nasty while using Thunderbird. The early findings included changing the smtp server port to 527 (visible in account setup) as well as redirecting smtp output to a server at trellian dot com (this change was not visible in account setup and was only overcome by manually re-entering the proper server name). The redirected connections were detected and blocked by CoU.
Since my first post, I have noticed the same connection mentioned earlier being blocked at random moments, so a locally resident bug is indeed likely. Also, I hadn't connected the dots (until I read your post), but a large number of connections are appearing in the firewall log to ovh.net. As you said, maybe dns poisoning on the local side. When I get a chance I'll head over to security cleanup. Numerous clean scans this afternoon suggest their expert analysis is prudent.
Thank you very much for your informative and very useful help. I was hoping that it was not local, but you have confirmed that it is. |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| I'm out of my element if it is something nasty on the PC. As you say the Security Cleanup may be the place to start. Good Luck. -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. |
|
 Raven
join:2009-10-15 Sidney, MT
| reply to secured655 Hi,
I dropped in here on a search for more info about 213.186.33.16, which seems to be an IP for a VPN. I am wondering WHY I'm on a VPN. I didn't sign up for one.
I am not a computer pro so I am not quite sure that I even understand what's being said here, but if I have it right, it seems you guys are talking about an IP in this range being "Local"
Now I'm really confused - because the info I've found so far about 213.186.33.16 says it's a French company. I have always wondered if being on this VPN was related to the fact that I'm being hacked.
Where's "Local?" Are you guys in France? I'm in Sidney, Montana, USA, so why am I connected to a French VPN?
Any enlightenment would be much appreciated!
Thanx |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| The discussion was not whether the IP you mention, 213.186.33.16, was a local IP; it is not, as you have found that IP is in France.
The discussion was whether the poster was having a redirect problem, and whether the redirect was being caused by something on his machine (local) or something that was occurring on the search engine or a DNS server.
Why do you think you are connected via a VPN? From what I have gathered 213.186.33.16 is owned by OVH SAS which does provide VPNs but it also provides Web Sites. So are you seeing all your traffic flowing through 213.186.33.16 or are you simply seeing a connection to 213.186.33.16 on Port 80? -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
| reply to Raven
said by Raven: I dropped in here on a search for more info about 213.186.33.16, which seems to be an IP for a VPN. I am wondering WHY I'm on a VPN. I didn't sign up for one... I have always wondered if being on this VPN was related to the fact that I'm being hacked...
When I put http://213.186.33.16 into a browser address field, I get what appears to be a webmail service.

What makes you think that this site also functions as a VPN server, and/or that you are connected to that VPN service?
Why is it a "fact" that you are being hacked? Do you have some evidence or symptoms of this that you would care to share?
If you are looking for help, you will need to provide a few details of your problem, and it would probably be better to do it in your own thread instead of jumping into someone else's thread. -- History does not long entrust the care of freedom to the weak or the timid. -- Dwight D. Eisenhower The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. -- Thomas Jefferson |
|
  secured655
@rr.com
| reply to secured655 Sorry if I implied this address is a local address. What I meant is that the problem is (locally) on my machine. The first symptom I observed was when a user had his smtp output blocked (fw warning), and it turned out that the output had been redirected from the university's smtp servers to a server at trllian.com. The second symptom was that a few links were redirected, such as the ip-lookup.net being redirected to r2prod.com (and blocked). Also random connection attempts to the same address when no browser is open. The blocks are coming from an IP blocklist which blocks IPs found to be serving up malware. As it turns out, this infection seems to have occurred via a GDI+ exploit (numerous unworkable GDI+ boxes appeared in the left task bar at startups around that time). Either viewing images in email, or while browsing, a trojan-like bug got into the computer. It was NOT a case of SEO poisoning. FWIW, numerous scans clean, hosts file clean (visually, I didn't delete/replace), no unsafe use (p2p, wares, porn, etc.) and the box was only connected to the internet for a week. My guess is that these redirects were intended to continue infecting the system. The GDI+ vulnerability has been reported before (by SmokeyBear among others), but here are a few links:
GDI+ vulnerability: (been with us since 2004)
»www.microsoft.com/technet/securi···09-11-04
and another report from 2008:
»cyberinsecure.com/malware-uses-g···rootkit/
having updates installed may help, but turning off the parsing of certain image file types (if chosen as a solution) must be performed by manual registry edits (edit the registry at your own risk with understanding of consequences- read the entire link):
»blogs.technet.com/srd/archive/20···gdi.aspx.
Lately I've seen an increase in clean up requests where the computers are infected and the user never noticed the infection activity. In this case, no user intervention was required (click here to install this virus) other than viewing a page with an image.
For anyone who's interested, the calendarofupdates IP blocklist prevented this from being potentially much worse. My advice to all is to use a hosts file or IP blocklist (or MBAM with the IP blocking feature enabled).
CoU blocklist: (this one specifies outpost firewall, others are available):
»www.calendarofupdates.com/update···owfile=3
MVPHosts: »www.mvps.org/winhelp2002/hosts.htm
and MBAM: »www.malwarebytes.org/mbam.php
Raven, my locality is upstate NY and I had not found any indication that 213.186.33.16 is dangerous. Merely that r2prod.com at 213.186.206.199 was being blocked and that was what I was directed to when I click on the link for ip-lookup.net (and I trust for good reason, although FP's are known to happen). I hope this clarifies things a bit, and sorry if any confusion resulted. |
|
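secured655's two observations, connection attempts to the blocked address with no browser open and an IP blocklist doing the catching, suggest a quick check: run `netstat -b`, match every foreign address against the blocklist, and flag hits that belong to anything other than a browser. The following is an added example, not code from the thread or from the CoU or MBAM projects. The blocklist holds only the r2prod.com address quoted in the thread, and the netstat output, including the process names, is constructed for the example (the thread names no process); the exact `netstat -b` column layout varies by Windows version, so treat the parser's assumptions about it as such.

```python
"""Match netstat -b output against an IP blocklist and attribute hits to processes.

Added example (not from the thread). Parses the XP-era layout where each
connection line is followed by the owning executable in square brackets.
"""
import ipaddress

# Constructed blocklist: only the address quoted in the thread. Real lists
# (CoU, MBAM) carry thousands of entries and CIDR ranges work the same way.
BLOCKLIST = [ipaddress.ip_network("213.186.206.199/32")]

# Constructed sample output; process names are assumptions, not from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1044      213.186.206.199:80     SYN_SENT        1840
  [firefox.exe]
  TCP    192.168.1.20:1045      213.186.33.16:80       ESTABLISHED     1840
  [firefox.exe]
  TCP    192.168.1.20:1051      213.186.206.199:80     SYN_SENT        992
  [svchost.exe]
  UDP    192.168.1.20:137       *:*                                    4
  [System]
"""

BROWSERS = ("firefox.exe", "iexplore.exe")  # assumption: what counts as "a browser is open"


def parse_netstat(text):
    """Return one dict per connection: proto, local, foreign_ip, foreign_port, state, process."""
    conns = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            proto, local, foreign = parts[0], parts[1], parts[2]
            state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
            ip, _, port = foreign.rpartition(":")  # handles '*:*' and IPv4:port
            current = {"proto": proto, "local": local, "foreign_ip": ip,
                       "foreign_port": port, "state": state, "process": None}
            conns.append(current)
        elif line.startswith("[") and line.endswith("]") and current is not None:
            current["process"] = line[1:-1]  # netstat -b prints the owner on the next line
    return conns


def is_blocked(ip_str, blocklist):
    """True if ip_str is a literal address inside any blocklist network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # '*', empty, or hostname: not matchable
        return False
    return any(ip in net for net in blocklist)


def flag_connections(text, blocklist, browsers=BROWSERS):
    """Blocklist hits with the owning process; non-browser owners are the interesting ones."""
    findings = []
    for c in parse_netstat(text):
        if not is_blocked(c["foreign_ip"], blocklist):
            continue
        proc = c["process"] or "unknown"
        note = "browser" if proc.lower() in browsers else "NON-BROWSER process"
        findings.append((proc, c["foreign_ip"], c["foreign_port"], c["state"], note))
    return findings


if __name__ == "__main__":
    for proc, ip, port, state, note in flag_connections(SAMPLE_NETSTAT, BLOCKLIST):
        print("%-14s -> %s:%s %-12s %s" % (proc, ip, port, state, note))
```

Feed it live output with `netstat -b > out.txt` (elevated prompt) and `flag_connections(open("out.txt").read(), BLOCKLIST)`. A SYN_SENT to a blocklisted address owned by a non-browser process is exactly the "random connection attempts when no browser is open" symptom, and the process name is the lead to hand to the cleanup forum.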
  secured655
@rr.com
| reply to secured655 A typo in my previous post. Should be trellion dot com with info on the server which smtp was redirected to here:
»www.malwareurl.com/listing.php?as=AS6130 (requires scripts). |
|