
"DNS High Request" supposed virus

cbrunny

Diamond Member
My ISP has shut down my internet connection - without notification, mind you - and they refuse to turn it back on. They claim that something called a "DNS High Request Virus" has tried to download the same website so frequently that it is overloading their systems, so they shut me down. Aside from me being furious, since I'm sure this isn't really possible, there are 6 computers connected to this network's internet connection. Even if this really does exist, is there a way to pinpoint which computer is causing the problem? How do I eliminate this without doing their suggestion - reformat all 6 computers. Every computer is under a valid anti-virus license. I am very much less than impressed.

Anyone in Canada, stay away from Rogers. Use Bell. I've never had any problems with Bell ever, but tons with Rogers. Apparently if we request re-activation and it happens again, we will lose connectivity for 30 days.

Any help at all is appreciated.
 
Ask them to tell you what port it is sending the request over? I believe 53 is standard. If it's a non-standard port then block it with your firewall. Have you run a scan on your PCs? Download AVG Free and Antivir and run those, see if it catches anything. Also, take a look at your router logs, that should help you pinpoint the PC causing the trouble.
 
This has to do with the DNS vulnerability that was exposed a few months ago. If you're showing that signature then they have every right to shut you down, you're infected or being used as a bot.

No normal computer will show this signature.
 
Originally posted by: spidey07
Originally posted by: cbrunny
Originally posted by: spidey07
This has to do with the DNS vulnerability that was exposed a few months ago.

I'm not sure what this is referring to. Fill me in?

http://www.kb.cert.org/vuls/id/800113

The signature for this trigger is not normal behavior of an uncompromised host. It's very serious.

I was under the impression this was for DNS servers? Unless he has a virus acting as a DNS server this wouldn't be it. Of course I could be wrong.

Sounds more like a virus causing a DoS attack on his DNS server.

Wait, do you have something operating as a DNS server?
 
I have nothing that could operate as a DNS server. The only thing I have that is even remotely close at all is a bittorrent client. Could that be doing it?
 
I doubt it's BT... have you run a virus scan on all your PCs? Does your router keep log files? Have you looked at those?
 
I'm not at home right now so I can't check the logs at the moment. That will be my first move. Second will be to update router firmware.

All PCs are currently running virus scans with licensed software. I will post tomorrow my results - tonight if I am successful in fixing it. Hopefully they will be positive.
 
Originally posted by: spidey07
This has to do with the DNS vulnerability that was exposed a few months ago. If you're showing that signature then they have every right to shut you down, you're infected or being used as a bot. No normal computer will show this signature.

This has nothing to do with that vulnerability, they are saying that he's infected with something that's generating a very high DNS load. It actually could be bittorrent if he's doing some pretty weird stuff with it, but most likely it's an infected machine.

What AV are you running?
 
Originally posted by: bsobel
Originally posted by: spidey07
This has to do with the DNS vulnerability that was exposed a few months ago. If you're showing that signature then they have every right to shut you down, you're infected or being used as a bot. No normal computer will show this signature.

This has nothing to do with that vulnerability, they are saying that he's infected with something that's generating a very high DNS load. It actually could be bittorrent if he's doing some pretty weird stuff with it, but most likely it's an infected machine.

What AV are you running?

That vulnerability had a very easy signature - high requests (response) to attempt to guess and hijack a connection and poison DNS. Depends on exactly what the signature was.
 
Originally posted by: bsobel

What AV are you running?

I run BitDefender, others on the network run McAfee or AVG. My scans picked up nothing, and neither did anyone else's.

I've uninstalled the BT client I use in hopes this helps too, and updated router firmware, though I doubt that did much.
 
Help me out guys.

Wouldn't chasing this back to culprit computer be easy, especially since he's running them all at his home?

Wouldn't it be as simple as walking over to the router and seeing if any of the lights are going blinkity-blinkity like mad when no one was using the computer? (Assuming no software / virus scan / bittorrent activity).

Or, if he has a decent router, shouldn't it be able to show him traffic by port like mine does, and couldn't he easily see which one is the issue?
 
I tried that, actually. Most of the computers connect wirelessly, meaning that the WLAN light refers to at least 5 computers on the network.

Also, the logs turned out to be virtually useless. There was actually no activity on them whatsoever.

I have a WRT54G router. http://www.newegg.ca/Store/Sub...&name=Wireless-Routers

edit: if the outgoing and incoming logs are both blank, does that necessarily mean the problem is resolved or is it possible that an active internet connection is required for the outgoing attempts?
 
Well, then it's time to call the techs at Rogers. See if they'll work with you to diagnose the issue. Start with turning all the computers off and having them watch your connection for suspicious traffic. Then turn them on one at a time.

If this doesn't result in you tracking it down to one computer, I'd wager that you guys need to torrent a little less.

Rogers is known to packetshape torrent traffic and throttle it.
 
Originally posted by: cbrunny
Also, the logs turned out to be virtually useless. There was actually no activity on them whatsoever.

I have a WRT54G router. http://www.newegg.ca/Store/Sub...&name=Wireless-Routers

edit: if the outgoing and incoming logs are both blank, does that necessarily mean the problem is resolved or is it possible that an active internet connection is required for the outgoing attempts?

If I remember correctly, WRT54G logs are pretty thin -- meaning, they don't log much in the way of outbound traffic, at least by default. Make sure they are configured to log as much as possible -- although even then, this may not include outbound DNS requests.

Do you have a personal firewall on any / all of the internal systems? If so, check their logs also..
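The advice earlier in the thread to pinpoint the offending PC from the router logs, and Dooling's point here that consumer router logs are thin and host-firewall logs may be needed, both come down to the same check: count outbound port-53 traffic per LAN source and see which host stands out. The script below is an added example, not code from anyone in this thread. It assumes iptables-style "ACCEPT ... SRC= DST= PROTO= SPT= DPT=" records (the log lines are constructed, the resolver and web addresses are RFC 5737 documentation-range placeholders, and 192.168.1.12 is the constructed noisy host); adapt the regex to whatever your router or personal firewall actually writes.

```python
import re
from collections import Counter

# Placeholder ISP resolver address (RFC 5737 documentation range), an assumption.
RESOLVER = "203.0.113.53"

# Matches the source/destination/protocol/port fields of an iptables-style
# firewall record. Real routers vary; this is the format the sample below uses.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def build_sample_log():
    """Constructed log: three quiet LAN hosts plus one host flooding the resolver."""
    rec = ("Jul 20 22:01:{sec:02d} router kernel: ACCEPT IN=br0 OUT=eth0 "
           "SRC={src} DST={dst} PROTO={proto} SPT={spt} DPT={dpt}")
    lines = []
    sec = 0

    def add(src, dst, proto, dpt):
        nonlocal sec
        lines.append(rec.format(sec=sec % 60, src=src, dst=dst,
                                proto=proto, spt=40000 + sec, dpt=dpt))
        sec += 1

    # Normal browsing: a few lookups and some web traffic per host.
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.13"):
        for _ in range(3):
            add(host, RESOLVER, "UDP", 53)
        add(host, "198.51.100.7", "TCP", 80)
    # Non-DNS application traffic (port 2492 as mentioned in the thread) must
    # not be counted as a DNS query.
    add("192.168.1.11", "198.51.100.9", "TCP", 2492)
    # The constructed "infected" host: 60 resolver queries in the same window.
    for _ in range(60):
        add("192.168.1.12", RESOLVER, "UDP", 53)
    return "\n".join(lines)


def dns_queries_per_host(log_text):
    """Count outbound UDP/TCP port-53 records per LAN source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or unparseable line
        if m["dpt"] == "53" and m["proto"] in ("UDP", "TCP"):
            counts[m["src"]] += 1
    return counts


def flag_noisy_hosts(counts, factor=10):
    """Return hosts whose DNS count exceeds `factor` times the median host's.

    A relative threshold adapts to the household's normal lookup rate instead
    of relying on a fixed number that depends on the log window length.
    """
    if not counts:
        return []
    values = sorted(counts.values())
    median = values[len(values) // 2]
    return sorted(h for h, c in counts.items() if c > factor * max(median, 1))


if __name__ == "__main__":
    counts = dns_queries_per_host(build_sample_log())
    for host, n in counts.most_common():
        print(f"{host:15s} {n:4d} DNS queries")
    print("suspect host(s):", flag_noisy_hosts(counts))
```

With a real log, replace `build_sample_log()` with the file contents; the rest is unchanged. A host that shows up here as an outlier is the one to take offline and scan first, which is cheaper than reformatting all six machines.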
 
Dooling, you are correct. Very thin.

However, I believe this has been resolved. I uninstalled my BT client, just as a precaution, but then called Rogers and asked them to restart my service. They did that. I was watching the logs as they did so, and the only recurring ports or IP addresses on the logs were port 2492, which is used by Microsoft Groove. I disabled Groove, and watched the logs.. and they were virtually empty, especially in terms of recurring IP addresses and ports.

This really makes me angry. Why would Microsoft Groove flag Rogers as this supposed virus? Based on this, I will not be using Rogers for much longer, that is for sure. I operated this program the exact same now as I did with Bell with no problems at all.

edit: my mozilla didn't save my password in the 'cbrunny' account, so I had to revert to one that I guess I made recently.
 
Originally posted by: Brunny
Dooling, you are correct. Very thin.

However, I believe this has been resolved. I uninstalled my BT client, just as a precaution, but then called Rogers and asked them to restart my service. They did that. I was watching the logs as they did so, and the only recurring ports or IP addresses on the logs were port 2492, which is used by Microsoft Groove. I disabled Groove, and watched the logs.. and they were virtually empty, especially in terms of recurring IP addresses and ports.

This really makes me angry. Why would Microsoft Groove flag Rogers as this supposed virus? Based on this, I will not be using Rogers for much longer, that is for sure. I operated this program the exact same now as I did with Bell with no problems at all.

edit: my mozilla didn't save my password in the 'cbrunny' account, so I had to revert to one that I guess I made recently.

The problem wasn't MS Groove. You have / had a virus on the network that was attacking a DNS server. It may not even be repaired yet. You do not need to be running a DNS server in order to have your computer on a bot net attacking a DNS server like yours was. Do full scans of all of your machines, close any wide open wireless and if you have people with laptops over, tell them to do the same thing.

It is possible when the connection was lost that the virus went into a stealth mode, and is sitting and waiting to reestablish the connection with the "mothership".
 
Full scans were already completed prior to turning back on. I'll make sure everyone runs them again while connected to the internet.

edit: what makes you so sure that Groove was not the problem? It fits the pieces of the puzzle, minus the virus part.
 
I would be more interested in what makes you so sure it is actually. MS products do have bugs like any other product but there seems to be no mention of a high DNS request issue in the Errata. If it was groove, you may want to call MS and report the issue as they would most likely be extremely interested in it. You might even get your name mentioned in the "Special thanks" section on the website.

Consider doing off-line scans. If the machine has been rootkitted, the AV software would be unable to find the infected files. Offline meaning pick a machine, attach the drive as a second one to it and scan it that way. Or download one of the Linux boot CDs that you can boot up on, and run a web scan on the HDD.

--edit--

It is entirely possible that Rogers was dumb and/or managed to get the cable modems mixed up. You just want to be sure about the computers. It is always fun to find out later that your PC was sending your credit cards / bank accounts to Russia / Taiwan / China / US.
 