Difference between revisions of "2006-09-02 weird DNS problem"

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
 
(ping floyd; headers; "category:dated items")

Revision as of 13:50, 4 September 2006

Original Problem

I can't tell if this means I'm being hacked somehow or if it's just a network glitch at Earthlink, but at essentially random times Samba will start returning weird IP addresses for local machines on the network. The addresses are consistently within a particular range, though the exact assignments seem to change.

My main worry is that this means my network traffic is being routed via some hacker's machine (which would be consistent with some odd delays and errors loading web pages) which might then allow passwords and such to be picked up.

Some quick pastes:

From gonzo (KUbuntu Dapper):

  • net lookup gonzo: 192.168.0.103
  • net lookup bunsen: 209.86.66.92
  • net lookup beaker: 209.86.66.91
  • net lookup mokey: 209.86.66.93
  • net lookup floyd: 192.168.0.110
  • net lookup melorr: 209.86.66.90

Similar (but not identical) results doing "ping" to various machines from Beaker (Win98), but everything went back to normal when I rebooted it.

  • traceroute 209.86.66.92
traceroute to 209.86.66.92 (209.86.66.92), 30 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 0.798 ms 0.365 ms 0.237 ms
2 10.40.64.1 (10.40.64.1) 7.091 ms 6.291 ms 11.775 ms
3 srp8-0.rlghnca-rtr1.nc.rr.com (24.25.2.161) 8.231 ms 6.120 ms 7.064 ms
4 pos14-0.rlghncrdc-rtr1.nc.rr.com (24.25.0.5) 8.592 ms 7.250 ms 7.695 ms
5 pos12-0.rlghncrdc-rtr2.nc.rr.com (24.93.64.37) 8.393 ms 7.100 ms 6.096 ms
6 tenge-1-4.car1.Raleigh1.Level3.net (4.71.160.1) 23.241 ms 21.624 ms 22.056 ms
7 ae-11-11.car2.Raleigh1.Level3.net (4.69.132.174) 79.548 ms 21.611 ms 21.724 ms
8 ae-6-6.ebr2.Washington1.Level3.net (4.69.132.178) 27.750 ms * 31.726 ms
9 ae-24-56.car4.Washington1.Level3.net (4.68.121.177) 85.176 ms ae-24-52.car4.Washington1.Level3.net (4.68.121.49) 24.588 ms ae-24-54.car4.Washington1.Level3.net (4.68.121.113) 28.596 ms
10 unknown.Level3.net (64.158.57.50) 19.989 ms 18.623 ms 24.089 ms
11 bor02-so-3-1.ga-atlanta0.ne.earthlink.net (209.165.110.73) 24.023 ms 21.807 ms 28.283 ms
12 bor01-ge-1-0-0.ga-atlanta1.ne.earthlink.net (209.165.110.106) 24.091 ms 22.520 ms 24.604 ms
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

woozle@gonzo:~$ nslookup 209.86.66.92

Server:         192.168.0.1
Address:        192.168.0.1#53

Non-authoritative answer:
92.66.86.209.in-addr.arpa       name = elydm.03.am.barefruit.com.

woozle@gonzo:~$ nslookup 209.86.66.91

Server:         192.168.0.1
Address:        192.168.0.1#53

** server can't find 91.66.86.209.in-addr.arpa: SERVFAIL

woozle@gonzo:~$ nslookup 209.86.66.91

Server:         192.168.0.1
Address:        192.168.0.1#53

Non-authoritative answer:
91.66.86.209.in-addr.arpa       name = elydm.02.am.barefruit.com.
  • 209.86.66.90: elydm.01.am.barefruit.com
  • 209.86.66.91: elydm.02.am.barefruit.com
  • 209.86.66.92: elydm.03.am.barefruit.com
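
An added check, not code from this page: the script below does what the pastes above do by hand. Given the answers `net lookup` gave for the LAN names and the PTR records that nslookup turned up, it splits the answers into RFC 1918 and public addresses, works out the smallest block the public ones fall in, and groups them by the domain their reverse lookups point at. Several unrelated LAN names coming back inside one small public block whose PTRs all sit under a single third-party domain is the signature of the upstream resolver handing out a fixed answer for names it does not know, which is a different problem from a machine on the LAN being tampered with; that is the distinction the check is meant to surface. The two sample dictionaries are constructed from the lookups pasted on this page (209.86.66.93 has no PTR on the page, so it is left out of the PTR sample). The two live helpers at the bottom do talk to the system resolver and are only there to run the same check against a real network; nothing else in the block touches the network.

```python
"""Flag LAN hostnames that resolve to public addresses and group them by the
parent domain of their reverse (PTR) record.

Added example; not code from the HTYP page. The SAMPLE_* dictionaries are
constructed from the lookups pasted on that page.
"""
import ipaddress
import os
import socket
from collections import defaultdict

# Constructed sample: name -> A answer, as `net lookup` reported on the page.
SAMPLE_LOOKUPS = {
    "gonzo": "192.168.0.103",
    "bunsen": "209.86.66.92",
    "beaker": "209.86.66.91",
    "mokey": "209.86.66.93",
    "floyd": "192.168.0.110",
    "melorr": "209.86.66.90",
}

# Constructed sample: address -> PTR name, as nslookup reported on the page.
# 209.86.66.93 has no PTR on the page and is deliberately absent here.
SAMPLE_PTRS = {
    "209.86.66.90": "elydm.01.am.barefruit.com",
    "209.86.66.91": "elydm.02.am.barefruit.com",
    "209.86.66.92": "elydm.03.am.barefruit.com",
}


def classify(lookups):
    """Split name -> address answers into private / public / unresolved buckets."""
    out = {"private": {}, "public": {}, "unresolved": []}
    for name, addr in lookups.items():
        if addr is None:
            out["unresolved"].append(name)
            continue
        bucket = "private" if ipaddress.ip_address(addr).is_private else "public"
        out[bucket][name] = addr
    return out


def ptr_parent(ptr, labels=2):
    """'elydm.03.am.barefruit.com.' -> 'barefruit.com' (last `labels` labels)."""
    return ".".join(ptr.rstrip(".").split(".")[-labels:])


def smallest_common_block(addrs):
    """Smallest network that contains every address in addrs, as a string."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(str(ips[0]))  # start at /32 and widen
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return str(net)


def group_by_ptr_domain(public, ptrs):
    """PTR parent domain -> sorted LAN names whose answer reverse-resolves there.
    Addresses with no PTR are collected under the key None."""
    groups = defaultdict(list)
    for name, addr in public.items():
        ptr = ptrs.get(addr)
        groups[ptr_parent(ptr) if ptr else None].append(name)
    return {k: sorted(v) for k, v in groups.items()}


def assess(lookups, ptrs):
    """Summarise which LAN names leak to public space and where they cluster."""
    buckets = classify(lookups)
    public = buckets["public"]
    if not public:
        return {"public": {}, "block": None, "ptr_groups": {}}
    return {
        "public": public,
        "block": smallest_common_block(public.values()),
        "ptr_groups": group_by_ptr_domain(public, ptrs),
    }


# --- live helpers: these use the system resolver and are not run by the test ---

def live_lookups(names):
    """Forward-resolve each name the way `net lookup` / ping would; None on failure."""
    result = {}
    for name in names:
        try:
            result[name] = socket.gethostbyname(name)
        except socket.gaierror:
            result[name] = None
    return result


def live_ptrs(addrs):
    """Reverse-resolve each address; addresses without a PTR are omitted."""
    result = {}
    for addr in addrs:
        try:
            result[addr] = socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror):
            pass
    return result


def wildcard_canary(domain):
    """Resolve a random label that cannot exist under `domain`; a non-None answer
    means the resolver synthesises answers for unknown names (assumed helper)."""
    label = os.urandom(6).hex()
    return live_lookups([f"{label}.{domain}"]).popitem()[1]


if __name__ == "__main__":
    report = assess(SAMPLE_LOOKUPS, SAMPLE_PTRS)
    print("public answers :", report["public"])
    print("common block   :", report["block"])
    print("by PTR domain  :", report["ptr_groups"])
```

On the page's own numbers the report shows four of the six LAN names landing in 209.86.66.88/29 with three of them reverse-resolving under barefruit.com, and the two names that stayed on 192.168.0.0/24 in the private bucket. To run the same check live, feed `live_lookups([...])` and `live_ptrs([...])` into `assess`, and call `wildcard_canary("earthlink.net")` (or whatever domain the resolver's search list appends, as the tracert below shows for `floyd`) to see whether a name that cannot exist also comes back inside that block.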

2006-09-04 More information

C:\WINDOWS>tracert floyd

Tracing route to floyd.earthlink.net [209.86.66.94] over a maximum of 30 hops:

 1   <10 ms   <10 ms   <10 ms  192.168.0.1
 2     7 ms    12 ms     6 ms  10.40.64.1
 3     7 ms     8 ms    11 ms  srp8-0.rlghnca-rtr2.nc.rr.com [24.25.2.163]
 4     9 ms     7 ms     7 ms  pos14-0.rlghncrdc-rtr2.nc.rr.com [24.25.0.9]
 5    12 ms    13 ms    13 ms  son1-0-1.chrlncsa-rtr6.carolina.rr.com [24.93.64.81]
 6    12 ms    13 ms    11 ms  pop1-cha-P4-0.atdn.net [66.185.132.45]
 7    12 ms    12 ms    12 ms  bb1-cha-P3-0.atdn.net [66.185.138.64]
 8    17 ms    17 ms    17 ms  bb1-atm-P6-0.atdn.net [66.185.152.182]
 9    17 ms    17 ms    18 ms  pop1-atm-P0-0.atdn.net [66.185.147.193]
10    17 ms    17 ms    18 ms  Earthlink.atdn.net [66.185.150.6]
11    16 ms    17 ms    17 ms  floyd.earthlink.net [209.86.66.94]