Detected DNS cache poisoning attack?

Discussion in 'ESET Smart Security' started by satasonic, Apr 26, 2011.

Thread Status:
Not open for further replies.
  1. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Wondering what it is. I got several of them today, and straight after deleting them from the log, they appeared again.

    IP pinpoints to China. No company or anything that's registered to it.
     
  2. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    I'm getting more of these messages in real time now.
     
  3. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Anyone? The IPs which are the source are: "113.105.171.112:53" and "113.105.169.115:53"

    What does this mean?
     
  4. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Anyone?
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hello again satasonic!

    So it's not Akamai this time? ;)

    And what were you doing when you saw the first attack?
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do you recognize those DNS IPs as belonging to your ISP (Internet Service Provider)? 53 means it's DNS.

    Have you verified your router settings / Windows networking settings to verify whether or not your ISP DNS IPs have been changed to those?
     
  7. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Good day SweX, m00n ;)

    They didn't come up for an hour, but at that time I was just browsing different forums. Then I checked my firewall, and several of those messages were there. I deleted the log and went back to browsing, and when I checked in 5 mins there were several of them already there.

    I'm not on a router, I'm on a regular modem. I'm from Australia; I don't think those IP ranges belong to my ISP since they seem to be located in China (?).

    Thanks for the comments. Can it be a false positive?

    PS. Been using ESS for 3 years. Sadly in the last week problems started crashing out upon me :(
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Open Windows command line and type ipconfig /all. See what IPs you get for the DNS Servers.
     
  9. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    One question though- You said that the :53 at the end means something. Could you please explain it in easy language? :blink:
     
  10. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    I also thought that Chinese might actually do that sort of stuff? I don't know what they do but it seems that most attacks originate from China to many users.
     
  11. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Satasonic.
    Make a search on those IPs on this site and you will find more info about them: http://tools.whois.net/whoisbyip/

    Without the :53 at the end. Just like this 113.105.171.112

    Edit: hmmm on my first search on this IP, the report did mention Brisbane.
    But on the second search only China Telecom, weird.
     
  12. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    I got the same, first it stated both China and Brisbane, then only China. The attacks stopped now, so maybe it was just a false positive. Hopefully it was just normal network traffic :doubt:
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK.

    53 means it's port 53. Port 53 is bound to DNS (Domain Name System). DNS translates domains (such as www.wilderssecurity.com) to their respective IP addresses.

    Read more about DNS cache poisoning: https://secure.wikimedia.org/wikipedia/en/wiki/DNS_cache_poisoning

    http://isc.sans.edu/presentations/dnspoisoning.html

    I'd believe there could be some problem with your ISP, perhaps. Try to get in touch with them and explain the situation... who knows.

    But, exclude the possibility that your system is compromised by malware. Some malware changes the DNS IPs in our systems.

    I don't know if Eset reports such situations as also being DNS cache poisoning, due to traffic being redirected as well.

    Eset support will know better than me, that's for sure.

    One thing I know: if those IPs Eset is blocking belong to DNS servers that are not your ISP's, then something isn't right.

    Have you performed the command I mentioned? Open Windows cmd line and type ipconfig /all

    See what IPs are in the DNS servers part.

    -edit-

    Take a look here: https://secure.dshield.org/ipinfo.html?ip=113.105.171.112
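The check m00nbl00d describes (read the DNS servers from `ipconfig /all`, then see whether the port-53 sources in the firewall alerts are resolvers the machine actually uses) as an added example; this is not code from the thread or from ESET. The ipconfig text and the 198.51.100.x resolver addresses are constructed sample values; the alert sources are the two addresses quoted in the thread plus one constructed legitimate one.

```python
import re
from ipaddress import ip_address

# Constructed sample of the relevant part of `ipconfig /all` output.
# The resolver addresses are documentation-range examples, not a real ISP's.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.net
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 198.51.100.1
                                       198.51.100.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "ip:port" sources as quoted in the thread's alerts, plus one configured resolver.
ALERT_SOURCES = ["113.105.171.112:53", "113.105.169.115:53", "198.51.100.1:53"]


def _is_ip(token):
    """True if token is an IPv4/IPv6 literal (IPv6 zone ids like %12 are stripped)."""
    try:
        ip_address(token.split("%")[0])
        return True
    except ValueError:
        return False


def configured_dns_servers(ipconfig_text):
    """Return the DNS server IPs listed under 'DNS Servers' in ipconfig /all output.
    Windows prints extra servers on indented continuation lines holding only the IP."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)\s*$", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        cont = re.match(r"\s+(\S+)\s*$", line) if collecting else None
        if cont and _is_ip(cont.group(1)):
            servers.append(cont.group(1))
        else:
            collecting = False  # any other line ends the DNS Servers block
    return servers


def unexpected_dns_responders(alert_sources, ipconfig_text):
    """Return IPv4 sources that talk from port 53 but are not configured resolvers.
    A response from a resolver the host never queried is the pattern worth checking."""
    expected = set(configured_dns_servers(ipconfig_text))
    flagged = []
    for src in alert_sources:
        ip, _, port = src.rpartition(":")  # IPv4 "ip:port" form only
        if port == "53" and ip not in expected:
            flagged.append(ip)
    return flagged
```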
     