have got a fake DNS Entry of 63.243.173.162

By mkd74
I have a network of 192.168.59.0/24.
DHCP client gets the IP from the server which is not in our network link 192.168.60.1 with the DHCP address of my firewall. Firewall is not configured for the DHCP server.

DHCP client also gets the DNS address of 63.243.173.162 & 64.86.133.51.

When I trace the DHCP server IP, I get my firewall IP.

Check the firewall again

by NickNielsen In reply to have got a fake DNS Entry ...

You say the firewall is not configured as the DHCP server, yet the firewall is providing DHCP addresses. If the DHCP server address resolves to the firewall, then that is the server. Check your firewall configuration again.

A sign of potential virus activity...

by docoblivion In reply to have got a fake DNS Entry ...

It's entirely possible that one of the PCs on your network is infected with a virus that's acting as a DHCP server and handing out DNS info. You can try using DHCPloc from one of the machines, and you should be able to see who the culprit is!

Thanks for that tip

by NickNielsen In reply to A sign of potential virus ...

That's something I didn't know.

Definitely a virus.

by ron weasley In reply to have got a fake DNS Entry ...

It's definitely a virus similar to the Flush.M trojan; our university's tech center confirmed for us that it's going through our users in residence. A user I was diagnosing had the same two DNS servers listed, no antivirus on her computer. Surprise, surprise. -_-

The problem we're trying to solve now is how do people acquire it? Does anyone know of a website that people keep going to to get this? My user couldn't remember anything specific, and she said she usually uses Firefox, although she did use IE occasionally.

This is DNSChanger Trojan

by kasped In reply to Definitely a virus.

The DNSChanger trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of a Trojan. As a result of this change a victim's computer will contact the newly assigned DNS server to resolve names of different web servers. And some of the resolved names will not point to legitimate websites - they will point to fake websites that look like real ones, but are created to steal sensitive information (like credit card numbers, logins and passwords).

So you think you are going to your bank, you enter your account # and password, and it fails. Moments later your account is empty, your Visa/MasterCard numbers are being printed on cards and will be used soon.....

Enjoy,

fake DNS ip entry

by dlphsharma In reply to have got a fake DNS Entry ...

I have also faced the same problem in my network: 192.168.100.0/24

I have DHCP 192.168.100.14
DNS 192.168.100.2
another DNS 192.168.100.1

but some DHCP clients get the DNS addresses of 64.86.133.51
63.243.173.162

I have checked in REGEDIT
@ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\

"DhcpNameServer"
Value Data

64.86.133.51 63.243.173.162

but after deleting or replacing it with the real DNS address, no results.
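
An added example, not part of any post in this thread: the `DhcpNameServer` value is whatever the last DHCP reply supplied, so it returns at the next lease renewal as long as the unexpected responder is still answering. The sketch below parses a captured DHCP reply and compares its server identifier (option 54) and DNS list (option 6) against allow-lists; the allow-lists use the addresses given in the post above, while the responder 192.168.100.77 and the packet itself are constructed for illustration.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
OPT_PAD, OPT_DNS, OPT_SERVER_ID, OPT_END = 0, 6, 54, 255

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_bytes} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:          # pad is a single byte with no length
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def to_ips(raw: bytes) -> list:
    """Split a run of 4-byte IPv4 addresses into dotted-quad strings."""
    return [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]

def audit_reply(payload: bytes, allowed_servers: set, allowed_dns: set) -> dict:
    """Compare the reply's server identifier and DNS list with the allow-lists."""
    opts = parse_dhcp_options(payload)
    server = to_ips(opts.get(OPT_SERVER_ID, b""))
    dns = to_ips(opts.get(OPT_DNS, b""))
    return {
        "server": server[0] if server else None,
        "dns": dns,
        "unexpected_server": not server or server[0] not in allowed_servers,
        "unexpected_dns": [d for d in dns if d not in allowed_dns],
    }

def build_reply(server_id: str, dns: list) -> bytes:
    """Constructed test input: a minimal BOOTREPLY carrying options 53, 54 and 6."""
    header = b"\x02\x01\x06\x00" + bytes(232)      # op, htype, hlen, hops; rest zeroed
    dns_raw = b"".join(socket.inet_aton(d) for d in dns)
    options = (b"\x35\x01\x02" + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
               + bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options

ALLOWED_SERVERS = {"192.168.100.14"}               # DHCP server named in the post
ALLOWED_DNS = {"192.168.100.1", "192.168.100.2"}   # DNS servers named in the post
rogue = build_reply("192.168.100.77", ["64.86.133.51", "63.243.173.162"])  # .77 is constructed
print(audit_reply(rogue, ALLOWED_SERVERS, ALLOWED_DNS))
```

A reply flagged with `unexpected_server` gives the address of the machine to track down on the switch or in the ARP table.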
