• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1638

DNS issue. 54.208.19.28

Hello experts
I think my DNS got hacked or something.
When I ping an incorrect address, it always resolves to 54.208.19.28

Here is an example (sorry, it's in French; translated below):
C:\Documents and Settings\MG>ping hfhfhfhidsodfhasihfoashfoadsihgoag.com

Pinging hfhfhfhidsodfhasihfoashfoadsihgoag.com [54.208.19.28] with 32 bytes of data:

Reply from 54.208.19.28: bytes=32 time=39ms TTL=118
Reply from 54.208.19.28: bytes=32 time=26ms TTL=118
Reply from 54.208.19.28: bytes=32 time=37ms TTL=118
Reply from 54.208.19.28: bytes=32 time=23ms TTL=118

I was trying to log on to my servers using their FQDN with Remote Desktop Connection. For some reason I couldn't resolve them, and every time I landed on 54.208.19.28, which is some kind of fake server or something like that, certainly capturing passwords.

So can someone tell me how my DNS server can resolve this IP address for unknown web sites?

Thanks

Martin
Asked by: deewave

3 Solutions
 
John Hurst (Business Consultant, Owner) Commented:
54.208.19.28 is Amazon Web Services. Are you using Amazon Web services?

Look in your hosts file (c:\windows\system32\drivers\etc\hosts). There should only be comments in this file and no entries.

Have you looked at changing your DNS in TCP/IP settings (say 4.2.2.2 or 8.8.8.8) to see if that changes anything?
 
deewave (Author) Commented:
I think I got it.
I took a look at my DNS settings: 208.69.150.250 and 208.69.150.252
I've never entered these settings, so my best guess is that one of my children installed software that changed that. So now I've switched back to Google's (8.8.8.8) and my ISP's DNS.
 
deewave (Author) Commented:
Hi John,
Nope, I'm not using Amazon Web Services.
 
deewave (Author) Commented:
It's kind of strange, though. If you try a Remote Desktop connection to 54.208.19.28, it prompts for a login/password.
I really doubt Amazon would give that kind of door on the web.
 
deewave (Author) Commented:
My hosts file has a lot of comments, then
127.0.0.1       localhost
 
John Hurst (Business Consultant, Owner) Commented:
The 127 line is fine. Hosts files all have that line.

So change your DNS to your ISP and google as you did and you should be fine.
 
Fred Marshall Commented:
It looks like a redirect to me. That suggests malware. I'd run Malwarebytes just to see what you get, if nothing else. And, of course, to make sure it's fixed. "Kids"??? = malware, most often.
 
Frosty555 Commented:
It does look like a (potentially malicious) change to your DNS, probably performed by a malicious program that has gotten onto your PC somehow.

Check out this page describing the "LookSafe" malware threat
http://www.anti-spyware-101.com/remove-looksafe

It has been revealed that after the successful installation of LookSafe, the DNS settings can be changed. The DNS may be changed to 208.69.150.252 or 208.69.150.250.

This particular product seems nasty because if you don't remove the underlying software on your computer that changed the DNS settings, those settings will just go BACK to the 208.69.150.xxx address a short while later.

I would say that *somebody* accidentally installed software on your computer, probably clicked a fraudulent advertisement and unknowingly installed LookSafe on the PC. I try not to immediately jump to the conclusion that it was your kids... because grown adults get fooled by this stuff plenty as well. But in any case, it does look like you got some "junkware" on your PC.

The malicious changing of your DNS servers can potentially be quite dangerous. A service that intentionally "poisons" the DNS results allows them to perform a man-in-the-middle attack, intercepting the traffic between you and the websites you attempt to visit. Alternatively, it could take advantage of resolving unknown domain names in order to present you with a false website (e.g. fake search results, advertisements, malicious webpages, or phishing webpages) when you mistype an address.

The server that you see the DNS records resolve to (54.208.19.28) is an Amazon Web Services server - that doesn't mean it's operated by Amazon, it means the attacker is using Amazon Web Services to host the server that performs the attack. And by the looks of it they are running a Windows server with Remote Desktop enabled and open to the Internet. Lawl.

Anyways... you need to do three things now:

1) Find and clean the malware off of your computer.

Honestly, 90% of the "unwanted junkware with a plausible excuse for existing" that I find provides a convenient little uninstaller so that they can plausibly deny that they are malicious. You can go into Control Panel -> Uninstall a Program and remove them. Then, go into your browser settings and manually fix all the crap they left behind: your homepage, installed plugins/addons, proxy settings, etc.

A run through with Malwarebytes Anti-Malware doesn't hurt. And after that you can check around for anything out of the ordinary with tools like SysInternals Autoruns and HijackThis.

If you've been infected with something nastier than that, which puts up more of a fight to your attempts to remove it... you're in for a battle and it's probably a good idea to get the computer looked at professionally.

2) Change your DNS settings back.

3) Educate your kids (and/or yourself) on how to avoid malware in the future.
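The checks John Hurst and Frosty555 describe above (which resolvers the adapter is actually using, whether the hosts file carries anything beyond comments and localhost, and whether a made-up name resolves at all instead of returning NXDOMAIN) can be scripted. The following is an added example written for this page, not code from the thread or from any of the tools mentioned. It parses `ipconfig /all` output and a hosts file; the sample texts, the TRUSTED_RESOLVERS allowlist, and the two simulated resolvers are constructed assumptions (the known-bad pair 208.69.150.250/.252 and the catch-all address 54.208.19.28 are the ones quoted in the thread). For a real run, save `ipconfig /all` output and the hosts file to text and call `audit()` with the default `socket.gethostbyname` resolver.

```python
"""Audit a Windows client for the DNS-hijack symptoms discussed in this thread.

Added example (not from the original thread). Three checks:
  1. Configured DNS servers vs. an allowlist (parsed from `ipconfig /all` text).
  2. Unexpected entries in the hosts file (anything beyond comments / localhost).
  3. NXDOMAIN hijacking: a random, nonexistent name must NOT resolve; if it
     does, the resolver is answering with a catch-all address.
"""
import random
import re
import socket
import string

# Assumption: resolvers the owner actually chose. Add your ISP's resolvers here.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "4.2.2.2"}
# The LookSafe addresses quoted in the thread.
KNOWN_BAD_RESOLVERS = {"208.69.150.250", "208.69.150.252"}

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample `ipconfig /all` output reproducing the questioner's settings.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 208.69.150.250
                                       208.69.150.252
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample hosts file: comments plus the standard localhost line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#       102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
"""


def dns_servers_from_ipconfig(text):
    """Return IPv4 DNS servers listed in `ipconfig /all` output.

    The 'DNS Servers' key line may be followed by continuation lines that hold
    one more address each (a single token, no 'key : value' shape).
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            servers.extend(_IPV4.findall(line))
        elif in_dns and re.fullmatch(r"\s+\S+\s*", line):
            servers.extend(_IPV4.findall(line))  # continuation line
        else:
            in_dns = False
    return servers


def classify_resolvers(servers):
    """Split configured resolvers into trusted / known-bad / unknown lists."""
    known = TRUSTED_RESOLVERS | KNOWN_BAD_RESOLVERS
    return {
        "trusted": [s for s in servers if s in TRUSTED_RESOLVERS],
        "known_bad": [s for s in servers if s in KNOWN_BAD_RESOLVERS],
        "unknown": [s for s in servers if s not in known],
    }


def suspicious_hosts_entries(hosts_text):
    """Return hosts-file entries other than comments and localhost mappings."""
    flagged = []
    for line in hosts_text.splitlines():
        entry = line.split("#", 1)[0].strip()  # strip comments and blanks
        if not entry:
            continue
        parts = entry.split()
        benign = (len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1")
                  and all(name == "localhost" for name in parts[1:]))
        if not benign:
            flagged.append(entry)
    return flagged


def catch_all_answers(resolve=socket.gethostbyname, names=3):
    """Resolve random nonexistent names; return (name, ip) pairs that answered.

    A healthy resolver raises socket.gaierror (NXDOMAIN) for every one of them,
    so a non-empty result means the resolver is wildcard-answering.
    """
    hits = []
    for _ in range(names):
        name = "".join(random.choices(string.ascii_lowercase, k=24)) + ".com"
        try:
            hits.append((name, resolve(name)))
        except socket.gaierror:
            pass  # NXDOMAIN: the expected, healthy outcome
    return hits


def hijacked_resolver(name):
    """Simulated catch-all resolver reproducing the symptom in the question."""
    return "54.208.19.28"


def healthy_resolver(name):
    """Simulated resolver that returns NXDOMAIN for everything (dry runs)."""
    raise socket.gaierror(-2, "Name or service not known")


def audit(ipconfig_text, hosts_text, resolve=socket.gethostbyname):
    """Run all three checks and return the findings as a dict."""
    findings = classify_resolvers(dns_servers_from_ipconfig(ipconfig_text))
    findings["hosts_entries"] = suspicious_hosts_entries(hosts_text)
    findings["catch_all"] = catch_all_answers(resolve)
    findings["suspicious"] = bool(findings["known_bad"] or findings["unknown"]
                                  or findings["hosts_entries"] or findings["catch_all"])
    return findings


if __name__ == "__main__":
    # Dry run on the constructed samples with the simulated hijacked resolver.
    for key, value in audit(SAMPLE_IPCONFIG, SAMPLE_HOSTS, hijacked_resolver).items():
        print(f"{key:>14}: {value}")
```

The catch-all test is the one that would have caught this case immediately: the configured resolvers may look like ordinary public IPs, but no honest recursive resolver returns an A record for a 24-letter random label. Rerun `audit()` a few hours after cleanup as well, since Frosty555 notes that the underlying software rewrites the resolver settings if it is still installed.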
