Invision
Guest
I've been getting multiple WS on my network where the DNS is being changed by malicious code.
I didn't find anything at Symantec or Microsoft, but I found this on ARIN WHOIS search:
http://ws.arin.net/cgi-bin/whois.pl
Search results for: 69.57.146.14
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Frwy., Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US
NetRange: 69.57.128.0 - 69.57.159.255
CIDR: 69.57.128.0/19
NetName: EVRY-BLK-13
NetHandle: NET-69-57-128-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment:
RegDate: 2003-06-20
Updated: 2003-07-02
TechHandle: RW172-ARIN
TechName: Williams, Randy
TechPhone: +1-713-400-5400
TechEmail: admin@ev1.net
OrgTechHandle: RW172-ARIN
OrgTechName: Williams, Randy
OrgTechPhone: +1-713-400-5400
OrgTechEmail: admin@ev1.net
# ARIN WHOIS database, last updated 2003-09-30 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
Search results for: 69.57.147.175
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Frwy., Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US
NetRange: 69.57.128.0 - 69.57.159.255
CIDR: 69.57.128.0/19
NetName: EVRY-BLK-13
NetHandle: NET-69-57-128-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment:
RegDate: 2003-06-20
Updated: 2003-07-02
TechHandle: RW172-ARIN
TechName: Williams, Randy
TechPhone: +1-713-400-5400
TechEmail: admin@ev1.net
OrgTechHandle: RW172-ARIN
OrgTechName: Williams, Randy
OrgTechPhone: +1-713-400-5400
OrgTechEmail: admin@ev1.net
# ARIN WHOIS database, last updated 2003-09-30 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
And here is the tracert data:
C:\>tracert 69.57.146.14
Tracing route to 69.57.146.14 over a maximum of 30 hops
1 <10 ms <10 ms <10 ms 10.22.2.3
2 <10 ms 15 ms <10 ms 10.22.14.5
3 16 ms <10 ms <10 ms 10.90.248.14
4 <10 ms <10 ms <10 ms 10.90.250.90
5 <10 ms <10 ms <10 ms 10.90.250.126
6 <10 ms <10 ms <10 ms 10.90.250.157
7 16 ms 15 ms 16 ms 10.90.253.201
8 16 ms 15 ms 31 ms 10.241.7.37
9 31 ms 31 ms 32 ms 10.241.7.97
10 32 ms 31 ms 31 ms col-01-dir.msdwis.com [172.28.129.11]
11 16 ms 15 ms 16 ms fw-col-01.msdwis.com [204.115.161.61]
12 32 ms 31 ms 31 ms 4.17.247.193
13 31 ms 32 ms 15 ms fa0-0.deanwitter8.bbnplanet.net [4.17.247.98]
14 47 ms 47 ms 31 ms s5-0-4.chcgil1-cr1.bbnplanet.net [4.24.149.13]
15 15 ms 32 ms 31 ms p5-0.chcgil1-br1.bbnplanet.net [4.24.5.241]
16 31 ms 31 ms 31 ms so-3-0-0.chcgil2-br1.bbnplanet.net [4.24.9.69]
17 32 ms 31 ms 31 ms unknown.Level3.net [64.159.4.1]
18 47 ms 47 ms 47 ms gige8-0.hsipaccess1.Chicago1.Level3.net [64.159.1.222]
19 31 ms 47 ms 47 ms unknown.Level3.net [166.90.80.38]
20 47 ms 32 ms 31 ms core-01-ge-0-2-0-0.chcg.twtelecom.net [66.192.244.40]
21 78 ms 62 ms 78 ms core-01-so-2-3-0-0.dlfw.twtelecom.net [168.215.53.46]
22 63 ms 78 ms 78 ms core-02-ge-0-2-1-3.dlfw.twtelecom.net [66.192.246.69]
23 63 ms 78 ms 78 ms dist-01-so-0-0-0-0.hsto.twtelecom.net [168.215.53.62]
24 78 ms 78 ms 78 ms 168.215.172.45
25 63 ms 62 ms 63 ms 216.54.253.2
26 63 ms 62 ms 63 ms 207.218.245.42
27 78 ms 94 ms 78 ms 69.57.146.14
Trace complete.
C:\>tracert 69.57.147.175
Tracing route to 69.57.147.175 over a maximum of 30 hops
1 <10 ms <10 ms <10 ms 10.22.2.3
2 <10 ms <10 ms <10 ms 10.22.14.5
3 <10 ms <10 ms <10 ms 10.90.248.14
4 <10 ms <10 ms <10 ms 10.90.250.90
5 <10 ms <10 ms 16 ms 10.90.250.126
6 <10 ms <10 ms <10 ms 10.90.250.157
7 16 ms 16 ms 31 ms 10.90.253.201
8 31 ms 16 ms 31 ms 10.241.7.37
9 31 ms 32 ms 31 ms 10.241.7.97
10 31 ms 31 ms 31 ms col-01-dir.msdwis.com [172.28.129.11]
11 31 ms 16 ms 31 ms fw-col-01.msdwis.com [204.115.161.61]
12 47 ms 31 ms 47 ms 4.17.247.193
13 16 ms 16 ms 31 ms fa0-0.deanwitter8.bbnplanet.net [4.17.247.98]
14 47 ms 47 ms 47 ms s5-0-4.chcgil1-cr1.bbnplanet.net [4.24.149.13]
15 31 ms 31 ms 31 ms p5-0.chcgil1-br1.bbnplanet.net [4.24.5.241]
16 31 ms 31 ms 32 ms so-3-0-0.chcgil2-br1.bbnplanet.net [4.24.9.69]
17 47 ms 31 ms 32 ms unknown.Level3.net [64.159.4.1]
18 47 ms 32 ms 46 ms gige8-0.hsipaccess1.Chicago1.Level3.net [64.159.1.222]
19 46 ms 47 ms 32 ms unknown.Level3.net [166.90.80.38]
20 32 ms 46 ms 32 ms core-01-ge-0-2-0-0.chcg.twtelecom.net [66.192.244.40]
21 63 ms 78 ms 63 ms core-01-so-2-3-0-0.dlfw.twtelecom.net [168.215.53.46]
22 78 ms 63 ms 78 ms core-02-ge-0-2-1-3.dlfw.twtelecom.net [66.192.246.69]
23 78 ms 78 ms 78 ms dist-01-so-0-0-0-0.hsto.twtelecom.net [168.215.53.62]
24 78 ms 78 ms 62 ms 168.215.172.45
25 63 ms 62 ms 63 ms 216.54.253.2
26 63 ms 62 ms 78 ms 207.218.245.42
27 78 ms 78 ms 79 ms 69.57.147.175
Trace complete.
Also, in a browser these two IPs resolve to a default Apache test page.
Anyone else having this problem?
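One check a defender would run across a fleet showing this symptom, added here as an example and not taken from the post: parse the DNS server entries out of saved `ipconfig /all` output and flag every resolver that is not on the site's allowlist, marking those that fall inside the 69.57.128.0/19 block the post's ARIN WHOIS lookup returned for both addresses. The sample `ipconfig` text and the allowlist addresses are constructed; only the two rogue resolvers and the WHOIS block come from the post.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; the two DNS server entries
# mirror the addresses reported in the post, the rest is made up.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 10.22.2.50
        Default Gateway . . . . . . . . . : 10.22.2.3
        DNS Servers . . . . . . . . . . . : 69.57.146.14
                                            69.57.147.175
"""

# Resolvers the workstations should be using (hypothetical allowlist) and the
# block the post's ARIN WHOIS lookup attributed both rogue addresses to.
EXPECTED_RESOLVERS = {"10.22.2.3", "10.22.14.5"}
SUSPECT_NETS = [ipaddress.ip_network("69.57.128.0/19")]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_dns_servers(ipconfig_text):
    """Return the IPv4 DNS servers listed in `ipconfig /all` output, in order."""
    # Windows prints the first server on the 'DNS Servers' line and any
    # further servers on continuation lines holding nothing but an address.
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(" + IPV4 + r")\s*$", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s*" + IPV4 + r"\s*", line):
            servers.append(line.strip())
        else:
            in_dns = False
    return servers


def audit_resolvers(servers):
    """Return (server, reason) for every resolver that is not on the allowlist."""
    findings = []
    for s in servers:
        if s in EXPECTED_RESOLVERS:
            continue
        addr = ipaddress.ip_address(s)
        hit = [str(n) for n in SUSPECT_NETS if addr in n]
        reason = ("in suspect block " + hit[0]) if hit else "not on resolver allowlist"
        findings.append((s, reason))
    return findings
```

Run `audit_resolvers(parse_dns_servers(text))` over the `ipconfig /all` output collected from each workstation; a non-empty result is a machine whose resolver settings have been tampered with or misconfigured.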