False positive list

The DNS change fixed the alert problem, but what does OTS mean?
I have Malwarebytes running, as well as Avast.

Abuse of service reported to SoftLayer Technologies and Hetzner Online AG.

Please read the sticky posts on this forum.


Try looking here … http://forum.avast.com/index.php?topic=53253.msg451454#msg451454 … follow the instructions in the first post by Essexboy, and then post the logs in this thread that you started.

[BTW, OTS = Old Timer Scan]


https://docs.google.com/document/pub?id=1kexwLx5dqITog5LIfqQd3HyQZa_DGY6rla1fer9gxXk
https://docs.google.com/document/pub?id=1-bhrkKejtsnNPAKp1mSgPYLp3syZU8nH48ByCBp5F5U
The files were too big to upload
Edit: I made the OTS file a little more readable, before Word somehow screwed up the formatting.

Word? :o ??? Use Notepad (TXT) for similar things.

I was using Word to replace all the personally identifying stuff.
Not paranoid, just that it makes no difference whether you know that info or not.

Ctrl+H in Notepad. :stuck_out_tongue:

I’ve noticed sudden growth of this in our logs.

We don’t know if this is mitm/mitb attack (BHO/local proxy) or DNS hijack (modified hosts file?). Is only one browser doing this?

The logs we have say that it’s an iframe pointing to whereismypeoplexy.com, which we block from 110314

Hello, I am afraid you are right. His OTS log shows the malicious DNS server is configured by DHCP. Then again, it might be the DHCP server being compromised as well. And no, not one browser, I asked him to do a nslookup, so… the whole machine has DNS hijacked pointing to the malicious DNS server hosted at SoftLayer Technologies

I have reported this to whois contacts for both hosters, got only an automated ticket answer from the Germans, nothing from US. If you officially contact them, it might speed things up.

If you PM me your email, I will forward the mail I sent them.

I’ve probably overlooked something? The DNS set by DHCP is imo quite normal in DSL and such environments - but I still don’t know how you know that the Google address he received is bad? Google definitely has tons of servers with multiple IPs.

For example from my home it’s
Name: google.com
Addresses: 74.125.87.99, 74.125.87.104

F:\x4>nslookup 74.125.87.99

Name: hb-in-f99.1e100.net
Address: 74.125.87.99

Yeah, and guess what - owned by Google. Not some third-party ISP/hoster.

# gwhois 74.125.87.99
Process query: '74.125.87.99'
Query recognized as IPv4.
Querying whois.arin.net:43 with whois.

The following results may also be obtained via:

http://whois.arin.net/rest/nets;q=74.125.87.99?showDetails=true&showARIN=false

NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
OriginAS:
NetName: GOOGLE
NetHandle: NET-74-125-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-03-13
Updated: 2007-05-22
Ref: http://whois.arin.net/rest/net/NET-74-125-0-0-1

OrgName: Google Inc.
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2009-08-07
Ref: http://whois.arin.net/rest/org/GOGL

OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN

If you replace the www.google-analytics.com part of the URL with the IP returned by the malicious DNS server, you will get happily served with infected ga.js; are you suggesting that Google got infected? :stuck_out_tongue:

# nslookup www.google-analytics.com 173.193.227.124
Server: 173.193.227.124
Address: 173.193.227.124#53

Name: www.google-analytics.com
Address: 85.10.195.196
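Added example, not from this thread: a small Python checker that does the comparison above automatically, parsing nslookup output and flagging any answer that falls outside the netblock the quoted ARIN record attributes to Google. The one-prefix allowlist and the two sample outputs are constructed from what the thread shows; a real allowlist would need every prefix the service actually uses.

```python
import ipaddress
import re

# Assumption: only the 74.125.0.0/16 block the ARIN record quoted above lists as
# GOOGLE; a real allowlist needs every prefix the service actually uses.
EXPECTED_PREFIXES = [ipaddress.ip_network("74.125.0.0/16")]
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)", re.MULTILINE)
ADDR_RE = re.compile(r"^\s*Address(?:es)?:\s*(.+)$", re.MULTILINE)

def parse_nslookup(output):
    """Return (resolver, [answer IPs]). Text before the first "Name:" line
    describes the resolver; Address/Addresses lines after it are answers
    (Windows "Addresses: a, b" and Unix "Address: a#53" forms both handled)."""
    head, sep, tail = output.partition("Name:")
    if not sep:
        return None, []
    m = SERVER_RE.search(head)
    answers = []
    for line in ADDR_RE.findall(tail):
        for token in line.split(","):
            try:  # strip a "#53" port suffix; skip anything that is not an IP
                answers.append(ipaddress.ip_address(token.strip().split("#")[0]))
            except ValueError:
                continue
    return (m.group(1) if m else None), answers

def check_answers(output, expected=EXPECTED_PREFIXES):
    """Flag answers outside the expected netblocks, the check the thread did by hand."""
    server, answers = parse_nslookup(output)
    unexpected = [a for a in answers if not any(a in net for net in expected)]
    try:  # a resolver handed out by DHCP on a home link is normally a private IP
        resolver_private = ipaddress.ip_address(server).is_private
    except (TypeError, ValueError):
        resolver_private = None  # no resolver shown, or shown as a hostname
    return {
        "server": server,
        "answers": [str(a) for a in answers],
        "unexpected": [str(a) for a in unexpected],
        "resolver_private": resolver_private,
        "suspicious": bool(answers) and bool(unexpected),
    }

# Constructed samples, copied from the nslookup outputs quoted in this thread.
CLEAN = "Name:    google.com\nAddresses:  74.125.87.99, 74.125.87.104\n"
HIJACKED = ("Server:  173.193.227.124\nAddress:  173.193.227.124#53\n\n"
            "Name:   www.google-analytics.com\nAddress: 85.10.195.196\n")

if __name__ == "__main__":
    for label, sample in (("home resolver", CLEAN), ("DHCP resolver", HIJACKED)):
        print(label, check_answers(sample))
```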

Edit: I made the OTS file a little more readable, before Word somehow screwed up the formatting.
Unfortunately I use a special parsing tool which reads the first blank line as the end of the report, so I could spend 20 minutes or so removing all the blank lines, or I could ask you to repost it as a text file attachment.

Also, now I have read the entire thread - the solution is simple: add the following to your hosts file

# [Google Inc]
127.0.0.1 www.google-analytics.com
If you replace the www.google-analytics.com part of the URL with the IP returned by the malicious DNS server, you will get happily served with infected ga.js; are you suggesting that Google got infected? :P
nslookup www.google-analytics.com 173.193.227.124
Server: 173.193.227.124-static.reverse.softlayer.com
Address: 173.193.227.124

Sorry, not for me, getting only 401s? I’d like to see that ‘infected’ ga.js

Well, then the Germans might have shut down the webserver already, however, as you can see, the malicious DNS is still running there in US.

Heh, looking at the wrong line. I’ve got ga.js from the German server now.

Not really a solution, just a temporary workaround. And it might as well get ignored, since some malware alters the HOSTS file location in the registry (yet, it is configurable).

Heh, OK.

To original poster: what country are you from? This faked GA is not working for me and our stats only show a couple of countries…

Wisconsin?

Yeah, I’m from Wisconsin.
The problem is gone now, but I don’t know how it got there in the first place.
The whereismypeoplexy.com thing has popped up before.
I blocked a few things in the hosts file, and Avast seems to have taken care of some of the redirect stuff, but I have no idea where the problem is.