Strange DNS Errors In Windows Logs. Malware?

Strange DNS Errors In Windows Logs. Malware?

Posted on Sun Dec 08, 2013 5:25 am

Hey guys. I'm seeing strange DNS errors in my Windows Logs, and I'm getting a bit concerned. The errors are as follows:

Name resolution for the name http://www.crawlability.com timed out after none of the configured DNS servers responded.

Name resolution for the name http://www.clubfiat.net timed out after none of the configured DNS servers responded.

I did have one incident this evening while visiting the site "Encyclopedia Dramatica". I was viewing an article with inline video content which was blocked by NoScript. They looked like standard Youtube frames, so I allowed only the main Encyclopedia Dramatica site through. Immediately after making the allowance, I got an XXX popup. I never get popups with my current config of Firefox and AdBlock+NoScript. Neither MSSE nor Malwarebytes reported anything then, or after doing scans. The DNS errors occurred a couple hours after this, and had never been previously reported (though my Windows install is only about a month old).

I googled the errors, and the only thing I found of substance was this guy reporting the same two errors. That's a bit concerning to me. What are the chances that I get the same two DNS errors as some random guy on the internet?

Here's where it gets really bizarre: I fired up a spare laptop with a just-installed clean copy of Windows on it. I've done virtually nothing with this laptop yet, aside from installing drivers and windows updates. After about a half-hour of use, I started seeing the same DNS errors in the Windows logs. What the hell?? How is that possible?

Any help is appreciated
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 470
Joined: Sun Apr 06, 2008 4:46 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Mon Dec 09, 2013 1:11 pm

Nothing? I'm still getting multiple reports of both DNS errors on both machines. I have never visited either of those websites. If I have some sort of very stealthy malware, I need to take steps. I was hoping someone with more networking knowledge than myself could help give me some info.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 470
Joined: Sun Apr 06, 2008 4:46 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Mon Dec 09, 2013 1:32 pm

Well I read your post and thought I couldn't help, but that reminded me to check the logs on some of my servers.

When I opened the log, the first thing that popped up was the same error for clubfiat, from the last few minutes. Maybe it has something to do with ads/content on techreport?
MJZ82
Gerbil
 
Posts: 63
Joined: Tue Nov 24, 2009 2:24 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Mon Dec 09, 2013 1:51 pm

No idea.

I have my router set to ip of "Open DNS" servers.
Life doesn't change after marriage, it changes after children!
anotherengineer
Gerbil Elite
 
Posts: 562
Joined: Fri Sep 25, 2009 1:53 pm
Location: Timmins, ON Canada, Yes I know, Up in the sticks

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Mon Dec 09, 2013 2:11 pm

My guess is this is safe to ignore. It could be that a website you visited was hard coded to direct to these domains. If you do an nslookup on them they no longer have an IP address associated with them. Meaning that the query was requested but was not able to complete. If anything, if you're concerned with what DNS queries your system is doing the successful ones should be your concern. If it errors that means your system didn't connect to the remote system. If it doesn't it means it did.
LaChupacabra
Gerbil First Class
Gold subscriber
 
 
Posts: 136
Joined: Tue Dec 30, 2008 10:59 pm
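Building on the point just made (a timed-out lookup means no connection was made, so the failure itself is not the signal), here is an added example that is not from the thread: a stdlib-only Python triage of exported DNS Client timeout events (Windows logs this message as Event ID 1014 from DNS Client Events in the System log). It counts hits per name and flags names whose failures recur on a near-fixed interval, which is how automated lookups behave, unlike names a page happened to reference during browsing. The export format, the log lines and the name c2.example-beacon.invalid are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Message text of the Windows DNS Client timeout event quoted in the thread,
# preceded here by a constructed "YYYY-MM-DD HH:MM:SS" export timestamp.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+Name resolution for the name "
    r"(?P<name>\S+) timed out after none of the configured DNS servers responded"
)

MSG = "Name resolution for the name {} timed out after none of the configured DNS servers responded."

# Constructed sample export: the two thread names failing in irregular bursts
# (browsing sessions) and a hypothetical name failing every 300 s like a timer.
SAMPLE_LOG = "\n".join([
    "2013-12-08 21:04:11  " + MSG.format("http://www.crawlability.com"),
    "2013-12-08 21:04:12  " + MSG.format("http://www.clubfiat.net"),
    "2013-12-08 21:31:40  " + MSG.format("www.crawlability.com"),
    "2013-12-08 21:31:41  " + MSG.format("www.clubfiat.net"),
    "2013-12-09 13:00:00  " + MSG.format("c2.example-beacon.invalid"),
    "2013-12-09 13:05:00  " + MSG.format("c2.example-beacon.invalid"),
    "2013-12-09 13:09:02  " + MSG.format("www.clubfiat.net"),
    "2013-12-09 13:10:00  " + MSG.format("c2.example-beacon.invalid"),
    "2013-12-09 13:15:00  " + MSG.format("c2.example-beacon.invalid"),
    "2013-12-09 13:20:00  " + MSG.format("c2.example-beacon.invalid"),
    "2013-12-09 14:22:57  " + MSG.format("www.crawlability.com"),
    "2013-12-10 09:50:03  " + MSG.format("www.crawlability.com"),
])

def parse_events(text):
    """Return (timestamp, name) pairs, oldest first, for every timeout event."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        # The forum auto-linked the names; the real event carries no scheme.
        name = re.sub(r"^https?://", "", m.group("name").lower())
        events.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), name))
    return sorted(events)

def triage(events, min_hits=4, max_cv=0.15):
    """Per name: hit count, first/last seen, and whether the failures recur on a
    near-fixed interval (coefficient of variation of the gaps <= max_cv), i.e.
    a cadence that does not track user activity."""
    by_name = defaultdict(list)
    for ts, name in events:
        by_name[name].append(ts)
    report = {}
    for name, stamps in by_name.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = False
        if len(stamps) >= min_hits and statistics.mean(gaps) > 0:
            regular = statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv
        report[name] = {"hits": len(stamps), "first": stamps[0],
                        "last": stamps[-1], "regular_cadence": regular}
    return report

if __name__ == "__main__":
    for name, info in sorted(triage(parse_events(SAMPLE_LOG)).items()):
        print(f"{name:28} hits={info['hits']} regular={info['regular_cadence']}")
```

A real export can be produced from Event Viewer (save the System log as text) and fed to parse_events in place of the constructed sample.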

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Mon Dec 09, 2013 3:22 pm

Hi,
I don't think that the banner has any relation with your problem. So, let's try to analyze your current configuration:
- open an elevated privilege dos prompt
- issue the command "ipconfig /all" and paste the output
- issue the command "ipconfig /flushdns"
- issue the command "ping www.wikipedia.org". Is the host resolved?
- issue the command "nslookup", then in the prompt that opens, write "www.wikipedia.org". What happens now?

Let me know... Regards.
www.ilsistemista.net - test & bench :)
shodanshok
Gerbil
 
Posts: 25
Joined: Thu May 31, 2012 3:39 am

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Mon Dec 09, 2013 7:04 pm

Thanks for the responses guys. My main concern is that I continue to see repeated entries for these two sites, across two machines, one of which has a clean install. It eases my mind slightly to see that someone else here has the same entry. If I watch the Event Viewer closely, the entries DO seem to appear when I'm on the TR forums, though it could just be a coincidence. I've tried looking everywhere on the site (including picking through the page source code) and so far have not found any reference to either clubfiat.net or crawlability.com. EDIT BY MOD - Captain Ned - Forum Rule #12 - PM Sent. If it were something to do with TR, it also wouldn't explain why I never saw those entries until yesterday.

shodanshok: I'm a bit hesitant to post that info on a public forum. I did follow your instructions though. When I ping wikipedia, the host is resolved. An nslookup says Server Unknown, then lists my router's IP. It then lists the name, IP addresses, and aliases for Wikipedia. Aside from these errors in the event logs, I haven't had any connectivity issues. I'm just going to be uneasy until I find out exactly what's happening here.
Last edited by Captain Ned on Mon Dec 09, 2013 7:32 pm, edited 1 time in total.
Reason: Forum Rule #12
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 470
Joined: Sun Apr 06, 2008 4:46 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Tue Dec 10, 2013 9:37 am

The Egg wrote: shodanshok: I'm a bit hesitant to post that info on a public forum. I did follow your instructions though. When I ping wikipedia, the host is resolved. An nslookup says Server Unknown, then lists my router's IP. It then lists the name, IP addresses, and aliases for Wikipedia. Aside from these errors in the event logs, I haven't had any connectivity issues. I'm just going to be uneasy until I find out exactly what's happening here.


Maybe you can post only the DNS-related part of ipconfig /all? Or send me a private message.

Anyway, if nslookup gives a "server error", it means that you have some problem speaking with your DNS. Please try to change your DNS server using Google's ones (8.8.8.8 and 8.8.4.4), especially if your current DNS points to your router (so that it behaves as a DNS proxy).

Regards.
www.ilsistemista.net - test & bench :)
shodanshok
Gerbil
 
Posts: 25
Joined: Thu May 31, 2012 3:39 am

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Tue Dec 10, 2013 3:06 pm

shodanshok: I'll look at getting you a PM once I'm back home. It doesn't say "error" per se, it says Unknown, and then lists the router IP. I can't remember the last time I went in and actually specified DNS servers on a particular machine though. Probably the dial-up days. So yeah, I guess I've been using the router as a DNS proxy. Never had any issues though, or saw errors until now. Is that something I should be doing?

At this point, I'm about 95% sure that the errors are being caused specifically by the Tech Report site and/or forums. My main concern now is why they're occurring when I can find no reference to them anywhere on the site, and why they never appeared until a couple days ago.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 470
Joined: Sun Apr 06, 2008 4:46 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Tue Dec 10, 2013 3:37 pm

I'm actually surprised Windows logs DNS failures like this - I would expect to see a lot more of them. I looked at my system logs for anything similar, just for laughs, and I found an entry for www.crawlability.com dated 11/25/2013 (only on my laptop, though).

My guess is that has something to do with AdChoices and some advertiser that Google has you profiled to see - that would be why you see the same hit on two separate computers.
TwistedKestrel
Gerbil Team Leader
 
Posts: 245
Joined: Mon Jan 06, 2003 4:29 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Tue Dec 10, 2013 3:52 pm

TwistedKestrel wrote:I'm actually surprised Windows logs DNS failures like this - I would expect to see a lot more of them. I looked at my system logs for anything similar, just for laughs, and I found an entry for http://www.crawlability.com dated 11/25/2013 (only on my laptop, though).

My guess is that has something to do with AdChoices and some advertiser that Google has you profiled to see - that would be why you see the same hit on two separate computers.

Without breaking any more rules, let's just say that I don't think advertisements are the issue. I'm seeing the same errors on 3 machines now (desktop, clean install laptop, work PC) which should have nothing in common other than visiting TR. I also haven't used a google account in several months now, so I can't see them correlating the same two sites off of wildly different usage models.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 470
Joined: Sun Apr 06, 2008 4:46 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Tue Dec 10, 2013 4:52 pm

Fair enough.

(I want to ask you about your Xonar Essence - I use a pair of Sennheiser 558's and have been thinking about picking up an Essence ST + H6. Is there a better place for that? :P)
TwistedKestrel
Gerbil Team Leader
 
Posts: 245
Joined: Mon Jan 06, 2003 4:29 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Tue Dec 10, 2013 5:52 pm

Not really OT but the Russians, oh the Russians:

Dec 10 06:23:47 point sshd[5191]: reverse mapping checking getaddrinfo for 5x167x191x183.dynamic.penza.ertelecom.ru [5.167.191.183] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 10 06:23:47 point sshd[5191]: Failed password for root from 5.167.191.183 port 54584 ssh2
Dec 10 06:23:47 point sshd[5191]: Received disconnect from 5.167.191.183: 11: Goodbye [preauth]

From 6:15 till then. Hilarious. I do love a good netwar but hey it's been a long time. I used to hunt 'em down, sus their networks and then tweak 'em. Once took 2 C networks off some fools infesting advertising.com and eventually gave them accounts on my machine. The good old days.
Fuji X-E1 Leica Elmar 135 4 XF60mm 2.4 Macro | Zeiss FE 35mm 2.8
http://carnagepro.com
"Everything ... they eat everything, and fear is their bacon bits."
PenGun
Gerbil Elite
 
Posts: 791
Joined: Fri Jun 18, 2004 1:48 pm
Location: BC Canada

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Tue Dec 10, 2013 6:34 pm

TwistedKestrel wrote:I'm actually surprised Windows logs DNS failures like this - I would expect to see a lot more of them. I looked at my system logs for anything similar, just for laughs, and I found an entry for http://www.crawlability.com dated 11/25/2013 (only on my laptop, though).

My guess is that has something to do with AdChoices and some advertiser that Google has you profiled to see - that would be why you see the same hit on two separate computers.


A bit of searching suggests that the crawlability domain is related to a probably defunct SEO company that specialized in vBulletin sites. The other domain was registered to a UK individual which suggests a small independent car forum... probably running vbulletin. So these domain lookups are probably a hangover from some SEO scheme.

Quite how that worked I've no real idea but I can imagine some kind of system where sites that used this SEO company automatically created links between themselves for search engines to pick up on. Just a guess but do you ever visit sites that run on vBulletin :-?
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2263
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Wed Dec 11, 2013 4:23 am

If you can, try to change your DNS server using Google's ones (8.8.8.8 and 8.8.4.4) and let me know what happens.

Regards.
www.ilsistemista.net - test & bench :)
shodanshok
Gerbil
 
Posts: 25
Joined: Thu May 31, 2012 3:39 am

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Sat Dec 14, 2013 1:37 am

I can confirm that these errors are 100% caused by something on The Tech Report site. They have occurred on every machine I have tested so far, and only occur while visiting TR and at no other time.


Shodanshok (or anyone else), couple questions:
  • What are the benefits of specifying DNS servers on an individual machine rather than allowing the router to handle this?
  • I have seen others mention using Google's DNS servers in the past. What are the benefits to using Google's DNS servers rather than those automatically detected by the router (from my ISP)?

TwistedKestrel: The Xonar Essence is great. I've been using headphones exclusively for several years now, so it was worth the investment. I found it a little odd that the Standard PCI version of the board is the only model that can make use of that H6 add-on board. Of course, what do you plan to use the H6 for?
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 470
Joined: Sun Apr 06, 2008 4:46 pm

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Wed Dec 18, 2013 7:27 am

The Egg wrote:
  • What are the benefits of specifying DNS servers on an individual machine rather than allowing the router to handle this?
  • I have seen others mention using Google's DNS servers in the past. What are the benefits to using Google's DNS servers rather than those automatically detected by the router (from my ISP)?

As with all things there are pros and cons to specifying DNS rather than relying on the setting supplied by a router (technically the DHCP server, but on most home networks that means the router).
PROS:
- Should be slightly faster (usually by an amount too small to measure) since all your router is doing is relaying the request to someone else so you're cutting out a step.

- Potentially more secure. If we're talking about a laptop that gets used on unsafe wifi networks specifying your DNS servers could protect you from someone trying to direct you to a poisoned DNS server... Imagine you're a hacker, you connect to a coffee shop wifi network and run your own DHCP server that responds faster than the official DHCP server. You can now redirect other users on the wifi to your own compromised servers.

CONS:
- It's more work to manage if you've got a bunch of machines. NB some routers allow you to specify what DNS settings are sent to clients so you can bypass the router completely for DNS while keeping everything easy to manage.

- Some networks require you to use their DNS for various reasons and may even block external DNS servers so again if we're talking about a laptop that's used out and about there is a potential for problems.


The advantages of using Google's DNS servers rather than those your ISP provides really come down to the variability in the quality of the DNS servers run by ISPs. Some are fine, some are hopelessly slow and unreliable. Some hijack domain requests to unregistered domains (usually typos) and send you to pages of advertising. Some even do weak content filtering using DNS.
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2263
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Wed Dec 18, 2013 8:15 am

There's another CON as well:

-Using public DNS servers can break CDN schemes. That is, a lot of webpages these days serve static content from Content Delivery Networks, which are built around putting content servers within your ISP's network. So, you get the dynamic content from a webpage that's served wherever, but static stuff (e.g. pictures) is served to you from a specially-dedicated server that's only a few hops away on your ISP's internal network.

If you use a Public DNS server (like Google's 8.8.8.8 or 8.8.4.4), this can be problematic, because when that public DNS tries to resolve the IP address for "CDN.COM" by asking the associated authoritative name-server for "CDN.COM", that name-server will respond with whatever specially-dedicated server is nearest to that Public DNS, not you, the ultimate user. That's because (currently) they only can know that the public DNS asked for it, not you.

So instead of getting that specially-dedicated content server that's nearest to you and probably within your own ISP's network (fast!), you'll get whatever is closest to Google or whatever public DNS you choose (potentially slow!).

Of course, not using the closest CDN server can actually be faster in some cases, because there's no guarantee that your ISP's DNS server is actually close to you either, or that their local CDN isn't overwhelmed or otherwise throttled. That depends on your ISP and that particular CDN in question, though.

Also, this is changing. For instance, since google owns youtube, many users can actually experience a speed-up using google's DNS, as Google has implemented a draft protocol on both sides to work around the resolver issue. They're trying to expand that protocol to the internet at large, but it'll probably take a while.
Glorious
Darth Gerbil
Gold subscriber
 
 
Posts: 7851
Joined: Tue Aug 27, 2002 6:35 pm
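The draft protocol Glorious refers to is, as far as I know, EDNS Client Subnet (Google's 2011 draft, later standardised as RFC 7871): the resolver attaches an EDNS(0) OPT option carrying a truncated prefix of the client's address, so the authoritative server can answer with the CDN node nearest the client rather than the one nearest the resolver. The following is an added example, not code from the thread: stdlib-only Python that builds such a query and parses the option back. The client address is constructed from the documentation range 198.51.100.0/24, and only the first 24 bits are sent, which is both how the option limits what the authoritative server learns and the privacy trade-off it makes.

```python
import ipaddress
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type
ECS_OPTION_CODE = 8    # EDNS Client Subnet option code (RFC 7871)

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ecs_option(client_ip, source_prefix):
    """ECS option: family, source prefix length, scope 0 (always 0 in queries),
    and only the address bytes covering source_prefix, host bits zeroed."""
    addr = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    family = 1 if addr.version == 4 else 2
    addr_bytes = net.network_address.packed[:(source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def build_query(qname, client_ip, source_prefix=24, txid=0x1234):
    """A-record query with RD set and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, IN
    rdata = ecs_option(client_ip, source_prefix)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext. rcode/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def parse_ecs(packet):
    """Return the ECS option of a query built above as a dict, or None.
    Assumes the uncompressed question name our own queries use."""
    pos = 12                                  # skip the fixed header
    while packet[pos] != 0:                   # skip the question labels
        pos += packet[pos] + 1
    pos += 1 + 4                              # root label, QTYPE, QCLASS
    if packet[pos] != 0:                      # OPT RR must use the root name
        return None
    rtype, _size, _ttl, rdlen = struct.unpack_from("!HHIH", packet, pos + 1)
    if rtype != OPT_TYPE:
        return None
    pos += 11
    end = pos + rdlen
    while pos < end:                          # walk the option list
        code, length = struct.unpack_from("!HH", packet, pos)
        body = packet[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code == ECS_OPTION_CODE:
            family, src, scope = struct.unpack_from("!HBB", body)
            # Pad the truncated address back to a full IPv4/IPv6 address.
            full = body[4:].ljust(4 if family == 1 else 16, b"\x00")
            return {"family": family, "source_prefix": src, "scope_prefix": scope,
                    "address": str(ipaddress.ip_address(full))}
    return None
```

In a real answer the authoritative server echoes the option with a non-zero scope prefix, telling the resolver how much of the prefix the answer depends on and therefore how it may cache it.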

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Wed Dec 18, 2013 9:51 am

The Egg wrote:I can confirm that these errors are 100% caused by something on The Tech Report site. They have occurred on every machine I have tested so far, and only occur while visiting TR and at no other time.

Shodanshok (or anyone else), couple questions:
  • What are the benefits of specifying DNS servers on an individual machine rather than allowing the router to handle this?
  • I have seen others mention using Google's DNS servers in the past. What are the benefits to using Google's DNS servers rather than those automatically detected by the router (from my ISP)?


If the errors are 100% on TR, then the links are somewhere on the website, and something is trying to resolve the links. What browser are you using? Chrome will resolve and cache links on a webpage to enable faster browsing.

The next step is to fire up Wireshark and see what the traffic looks like.

If only one machine is using different DNS servers, that will help determine where the problem lies. Is it the machine or is it the DNS servers.
Flatland_Spider
Gerbil Elite
 
Posts: 851
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Wed Dec 18, 2013 10:28 am

The Egg wrote:Nothing? I'm still getting multiple reports of both DNS errors on both machines. I have never visited either of those websites. If I have some sort of very stealthy malware, I need to take steps. I was hoping someone with more networking knowledge than myself could help give me some info.


The most likely explanation is that one or more advertisers on TR have links to those websites. Neither of them seems to be active; basically it's telling you that it tried to resolve the name and nothing answered.

I see the same messages in my logs, and at least one of them appears right after I've visited Tech Report. Not particularly worried about it.
cphite
Gerbil Elite
 
Posts: 557
Joined: Thu Apr 29, 2010 9:28 am

Re: Strange DNS Errors In Windows Logs. Malware?

Posted on Wed Dec 18, 2013 5:28 pm

Thanks for all the info guys. I think I'd rather stick with the DNS servers from my ISP, as my performance on all counts has been excellent. It sounds like it may be worthwhile to specify my DNS though, at least on the desktop. I generally only use my mobile devices on a handful of secure networks, but since they don't all use the same ISP, I would have to use the Google servers if I specified on those machines. So I'm leaning towards:

  • Specify DNS on desktop (ISP)
  • Leave mobile devices to auto-detect (router)
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 470
Joined: Sun Apr 06, 2008 4:46 pm
