DNS issue.

Posted on 2014-08-21
Last Modified: 2014-08-26
Hello experts
I think my DNS got hacked or something.
When I ping an incorrect address, it always resolves to

Here is an example (sorry it's in french)
C:\Documents and Settings\MG>ping

Envoi d'une requête 'ping' sur [54.208.19.28] avec 32 octets de données :

Réponse de : octets=32 temps=39 ms TTL=118
Réponse de : octets=32 temps=26 ms TTL=118
Réponse de : octets=32 temps=37 ms TTL=118
Réponse de : octets=32 temps=23 ms TTL=118

I was trying to log on to my servers using their FQDN with Remote Desktop Connection. For some reason I couldn't resolve them, and every time I landed on , which is some kind of fake server or something like that, certainly capturing passwords.

So can someone tell me how my DNS server can resolve this ip address for unknown web sites?


Question by:deewave

    Assisted Solution

    by:John Hurst
     is Amazon Web Services. Are you using Amazon Web Services?

    Look in your hosts file (c:\windows\system32\drivers\etc\hosts). There should only be comments in this file and no entries.

    Have you looked at changing your DNS in TCP/IP settings (say or to see if that changes anything?
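The hosts-file check John describes can be scripted. The following Python script is an added example (it is not from the thread and not code from any of the experts here) that parses a hosts file, ignores comments, and reports any active mapping other than the loopback "localhost" line, since that is all a clean Windows hosts file should contain. The sample file contents are constructed for the demonstration; the Windows path is the one given in the thread, the POSIX path is an assumption added for completeness.

```python
import ipaddress
import os

# Hosts file locations. The Windows path is the one given in the thread;
# the POSIX path is an assumption added here for completeness.
HOSTS_PATHS = {
    "nt": r"C:\Windows\System32\drivers\etc\hosts",
    "posix": "/etc/hosts",
}

# Names a stock hosts file may legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample file for the demonstration (not the poster's file):
# the first two active lines are the stock Windows defaults, the last two are
# the kind of entries a DNS-redirecting program might plant.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.mybank.example      # constructed hijack entry
203.0.113.5     login.webmail.example   # constructed hijack entry
"""


def parse_hosts(text):
    """Return (address, [hostnames]) for every active line in hosts-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname maps nothing
        entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Return (address, hostnames, reason) for entries a clean file should not have.

    A home PC's hosts file normally holds only comments plus the loopback
    'localhost' line(s). Any other mapping bypasses DNS for that name and is
    exactly where a redirecting program would pin a bank or mail site to a
    server it controls, so it is reported.
    """
    findings = []
    for address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, names, "address does not parse"))
            continue
        if not addr.is_loopback:
            findings.append((address, names, "non-loopback address overrides DNS"))
        elif not {n.lower() for n in names} <= LOOPBACK_NAMES:
            findings.append((address, names, "loopback mapping for a non-localhost name"))
    return findings


def audit_hosts_file(path=None):
    """Audit the live hosts file of this machine (or the given path)."""
    path = path or HOSTS_PATHS.get(os.name, HOSTS_PATHS["posix"])
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for address, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{address:<16} {' '.join(names):<30} {reason}")
```

Run it as-is to see the two constructed entries flagged; call audit_hosts_file() to check the real file on the machine. A file that returns an empty list matches what John describes as clean.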

    Author Comment

    I think I got it.
    I took a look at my DNS settings:
    I've never entered these settings, so my best guess is that one of my children installed some software that changed that. So now I've switched back to Google's ( and ISP's DNS.

    Author Comment

    Hi John,
    Nope, I'm not using Amazon Web Services.

    Author Comment

    It's kind of strange though. If you try a remote desktop connection to , it prompts for a login/password.
    I really doubt Amazon would give that kind of door on the web.

    Author Comment

    My hosts file has a lot of comments, then       localhost

    Expert Comment

    by:John Hurst
    The 127 line is fine. Hosts files all have that line.

    So change your DNS to your ISP and google as you did and you should be fine.

    Assisted Solution

    by:Fred Marshall
    It looks like a redirect to me.  That suggests malware.  I'd run Malwarebytes just to see what you get if nothing else.  And, of course, to make sure it's fixed.  "kids" ??? = malware most often.

    Accepted Solution

    It does look like a (potentially malicious) change to your DNS, probably performed by a malicious program that has gotten onto your PC somehow.

    Check out this page describing the "LookSafe" malware threat

    It has been revealed that after the successful installation of the LookSafe, the DNS settings can be changed. The DNS may be changed to or

    This particular product seems nasty because if you don't remove the underlying software on your computer that changed the DNS settings, those settings will just go BACK to the address a short while later.

    I would say that *somebody* accidentally installed software on your computer, probably clicked a fraudulent advertisement and unknowingly installed LookSafe on the PC. I try not to immediately jump to the conclusion that it was your kids... because grown adults get fooled by this stuff plenty as well. But in any case, it does look like you got some "junkware" on your PC.

    The malicious changing of your DNS servers can potentially be quite dangerous. A service that intentionally "poisons" the DNS results allows them to perform a man-in-the-middle attack, intercepting the traffic between you and the websites you attempt to visit. Alternatively, it could take advantage of resolving unknown domain names in order to present you with a false website (e.g. fake search results, advertisements, malicious webpages, or phishing webpages) when you mistype an address.

    The server that you see the DNS records resolve to ( is an Amazon Web Services server - that doesn't mean it's operated by Amazon, it means the attacker is using Amazon Web Services to host the server that performs the attack. And by the looks of it they are running a Windows server with Remote Desktop enabled and open to the Internet. Lawl.

    Anyways... you need to do three things now:

        1) Find and clean the malware off of your computer.

    Honestly, 90% of the "unwanted junkware with a plausible excuse for existing" that I find provide a convenient little uninstaller so that they can plausibly deny that they are malicious. You can go into Control Panel->Uninstall a Program, and remove them. Then, go into your browser settings and manually fix all the crap they left behind - your homepage, installed plugins/addons, proxy settings etc.

    A run through with Malwarebytes Anti-Malware doesn't hurt. And after that you can check around for anything out of the ordinary with tools like SysInternals Autoruns and HijackThis.

    If you've been infected with something nastier than that which puts up more of a fight to your attempts to remove it... you're in for a battle and it's probably a good idea to get the computer looked at professionally.

        2) Change your DNS settings back
        3) Educate your kids (and/or yourself) on how to avoid malware in the future
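The accepted solution explains the symptom the poster saw: a replaced DNS server answers mistyped or nonexistent names with an address the attacker controls instead of returning NXDOMAIN. The following Python script is an added example (not part of the thread and not code from any of the experts) that tests a resolver for exactly that behaviour by asking it for random names that cannot exist; a resolver that answers them, usually all with one address, is suspect, and that address is reported. The probe names and the two fake resolvers are constructed; the 54.208.19.28 address is taken from the poster's ping output only so the offline demonstration matches the thread.

```python
import random
import socket
import string
from collections import Counter

# Labels are random, so none of them can be a real hostname; '.invalid' is a
# reserved TLD that a well-behaved resolver always answers with NXDOMAIN.
PROBE_TLD = "invalid"


def random_name(rng=None, tld=PROBE_TLD, length=16):
    """Build a hostname that cannot exist, e.g. 'k3q9...x2.invalid'."""
    rng = rng or random.Random()
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length)) + "." + tld


def system_resolve(name):
    """Resolve through the OS resolver (the DNS servers in TCP/IP settings).

    Returns the set of IPv4 addresses, or an empty set when the name does not
    resolve, which is the correct answer for every probe name.
    """
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def probe_hijack(resolve, probes=6, seed=None):
    """Check whether a resolver answers names that must not exist.

    'resolve' is any callable name -> set of addresses. A resolver that
    answers the probes is either wildcarding NXDOMAIN or has been replaced,
    as in the thread; the most common answer is reported as the suspected
    sinkhole address.
    """
    rng = random.Random(seed)
    answers = Counter()
    answered = 0
    for _ in range(probes):
        addrs = set(resolve(random_name(rng)))
        if addrs:
            answered += 1
            answers.update(addrs)
    report = {"probes": probes, "answered": answered,
              "hijacked": answered > 0, "sinkhole": None}
    if answered:
        report["sinkhole"] = answers.most_common(1)[0][0]
    return report


# Constructed resolvers for an offline demonstration. The first mimics the
# behaviour described in the thread: every nonexistent name gets the same
# address (54.208.19.28 is the address quoted in the poster's ping output).
def hijacked_resolver(name):
    return {"54.208.19.28"}


def honest_resolver(name):
    return set()


if __name__ == "__main__":
    print("constructed hijacked resolver:", probe_hijack(hijacked_resolver, seed=1))
    print("constructed honest resolver:  ", probe_hijack(honest_resolver, seed=1))
    # Against this machine's real resolver (needs network access):
    print("system resolver:", probe_hijack(system_resolve))
```

Running probe_hijack(system_resolve) on the affected PC before and after changing the DNS servers back is a quick way to confirm the fix took, and repeating it later catches the "settings revert a short while later" behaviour the accepted solution warns about. Some ISPs also wildcard NXDOMAIN to an advertising page, so a positive result identifies a resolver that lies, not necessarily malware; the accepted solution's malware cleanup still applies when the configured servers are ones nobody on the PC entered.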
