DNS issue. 54.208.19.28

Hello experts
I think my DNS got hacked or something.
When I ping an incorrect address, it always resolves to 54.208.19.28

Here is an example (sorry it's in french)
C:\Documents and Settings\MG>ping hfhfhfhidsodfhasihfoashfoadsihgoag.com

Envoi d'une requête 'ping' sur hfhfhfhidsodfhasihfoashfoadsihgoag.com [54.208.19
.28] avec 32 octets de données :

Réponse de 54.208.19.28 : octets=32 temps=39 ms TTL=118
Réponse de 54.208.19.28 : octets=32 temps=26 ms TTL=118
Réponse de 54.208.19.28 : octets=32 temps=37 ms TTL=118
Réponse de 54.208.19.28 : octets=32 temps=23 ms TTL=118

I was trying to log on to my servers using their FQDN with Remote Desktop Connection. For some reason I couldn't resolve them, and every time I landed on 54.208.19.28, which is some kind of fake server or something like that, certainly capturing passwords.

So can someone tell me how my DNS server can resolve this IP address for unknown web sites?

Thanks

Martin
deewave asked:

John, Business Consultant (Owner), commented:
54.208.19.28 is Amazon Web Services. Are you using Amazon Web services?

Look in your hosts file (c:\windows\system32\drivers\etc\hosts). There should only be comments in this file and no entries.

Have you looked at changing your DNS in TCP/IP settings (say 4.2.2.2 or 8.8.8.8) to see if that changes anything?
deewave (Author) commented:
I think I got it.
I took a look at my DNS settings: 208.69.150.250 and 208.69.150.252
I've never entered these settings, so my best guess is that one of my children installed some software that changed that. So now I've switched back to Google's (8.8.8.8) and my ISP's DNS.
deewave (Author) commented:
Hi John,
Nope, I'm not using Amazon Web Services.
deewave (Author) commented:
It's kind of strange though. If you try a Remote Desktop connection to 54.208.19.28, it prompts for a login/password.
I really doubt Amazon would give that kind of door on the web.
deewave (Author) commented:
My hosts file has a lot of comments, then
127.0.0.1       localhost
John, Business Consultant (Owner), commented:
The 127 line is fine. Hosts files all have that line.

So change your DNS to your ISP and Google as you did and you should be fine.
Fred Marshall, Principal, commented:
It looks like a redirect to me.  That suggests malware.  I'd run Malwarebytes just to see what you get if nothing else.  And, of course, to make sure it's fixed.  "kids" ??? = malware most often.
Frosty555 commented:
It does look like a (potentially malicious) change to your DNS, probably performed by a malicious program that has gotten onto your PC somehow.

Check out this page describing the "LookSafe" malware threat
http://www.anti-spyware-101.com/remove-looksafe

It has been revealed that after the successful installation of the LookSafe, the DNS settings can be changed. The DNS may be changed to 208.69.150.252 or 208.69.150.250.

This particular product seems nasty because if you don't remove the underlying software on your computer that changed the DNS settings, those settings will just go BACK to the 208.69.150.xxx address a short while later.

I would say that *somebody* accidentally installed software on your computer, probably clicked a fraudulent advertisement and unknowingly installed LookSafe on the PC. I try not to immediately jump to the conclusion that it was your kids... because grown adults get fooled by this stuff plenty as well. But in any case, it does look like you got some "junkware" on your PC.

The malicious changing of your DNS servers can potentially be quite dangerous. A service that intentionally "poisons" the DNS results allows them to perform a man-in-the-middle attack, intercepting the traffic between you and the websites you attempt to visit. Alternatively, it could take advantage of resolving unknown domain names in order to present you with a false website (e.g. fake search results, advertisements, malicious webpages, or phishing webpages) when you mistype an address.

The server that you see the DNS records resolve to (54.208.19.28) is an Amazon Web Services server - that doesn't mean it's operated by Amazon, it means the attacker is using Amazon Web Services to host the server that performs the attack. And by the looks of it they are running a Windows server with Remote Desktop enabled and open to the Internet. Lawl.

Anyways... you need to do three things now:

    1) Find and clean the malware off of your computer.

Honestly, 90% of the "unwanted junkware with a plausible excuse for existing" that I find provides a convenient little uninstaller so that they can plausibly deny that they are malicious. You can go into Control Panel->Uninstall a Program and remove them. Then, go into your browser settings and manually fix all the crap they left behind - your homepage, installed plugins/addons, proxy settings etc.

A run through with Malwarebytes Anti-Malware doesn't hurt. And after that you can check around for anything out of the ordinary with tools like SysInternals Autoruns and HijackThis.

If you've been infected with something nastier than that which puts up more of a fight to your attempts to remove it... you're in for a battle and it's probably a good idea to get the computer looked at professionally.

    2) Change your DNS settings back
    3) Educate your kids (and/or yourself) on how to avoid malware in the future
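The three symptoms this thread walks through (a configured resolver on the LookSafe list, extra entries in the hosts file, and every nonexistent name resolving to the same address) can be checked from one small script. The following Python is an added example, not code from the thread or from any product it mentions; the only page-specific values are the 208.69.150.x resolvers and 54.208.19.28, and the sample inputs are constructed.

```python
"""Check a Windows PC for the DNS-hijack symptoms discussed in the thread."""
import secrets
import socket

# Resolver addresses the thread associates with the LookSafe junkware.
KNOWN_BAD_RESOLVERS = {"208.69.150.250", "208.69.150.252"}


def suspicious_resolvers(configured):
    """Return the configured resolvers that appear on the known-bad list."""
    return sorted(set(configured) & KNOWN_BAD_RESOLVERS)


def hosts_file_entries(text):
    """Return active hosts entries other than the standard localhost lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("127.0.0.1", "::1") and parts[1:] == ["localhost"]:
            continue                              # John's "127 line is fine"
        entries.append(line)
    return entries


def nxdomain_hijacked(resolve, trials=3):
    """Random nonsense labels must fail to resolve. If every trial resolves
    to one and the same address, the resolver rewrites NXDOMAIN answers,
    which is exactly what the ping output above shows. `resolve` is a
    callable returning an IP string, or None for a name that does not exist."""
    names = [secrets.token_hex(12) + ".com" for _ in range(trials)]
    answers = [resolve(name) for name in names]
    if all(answers) and len(set(answers)) == 1:
        return answers[0]                         # the sinkhole address
    return None


def live_resolve(name):
    """Lookup through this machine's configured resolver (needs network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Constructed sample data mirroring the thread, plus one live probe.
    print(suspicious_resolvers(["208.69.150.250", "208.69.150.252"]))
    print(hosts_file_entries("# comment\n127.0.0.1       localhost\n"))
    print(nxdomain_hijacked(lambda name: "54.208.19.28"))   # simulated hijack
    print(nxdomain_hijacked(live_resolve))                 # None when healthy
```

On a real machine, feed `suspicious_resolvers` the servers shown by `ipconfig /all` and `hosts_file_entries` the contents of the hosts file John points at.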