
BSNL’s DNS is corrupted by malware for Google DNS entries

March 12, 2015

I wrote up my observations the other day on what appeared to be my router getting infected by malware. It now looks like it is not the router but BSNL's DNS servers that have been infected by malware. This could be big and needs to be fixed soon.

I am documenting my observations below:

If I do a DNS lookup of the Google Analytics site using the dynamic DNS setting (meaning the resolver addresses are assigned by BSNL, so any of its DNS servers may answer; the 127.0.1.1 shown below is the local caching stub, which forwards to those servers), I get the IP shown below.

nslookup google-analytics.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Name: google-analytics.com
Address: 195.238.181.169
(This is wrong; I'll explain why below.)

If instead I do the lookup against a trusted public resolver such as Google's 8.8.8.8 or 8.8.4.4, I get:

nslookup google-analytics.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: google-analytics.com
Address: 173.194.36.18
Name: google-analytics.com
Address: 173.194.36.17
Name: google-analytics.com
Address: 173.194.36.16
Name: google-analytics.com
Address: 173.194.36.19
Name: google-analytics.com
Address: 173.194.36.20
(This is the correct result.)

A whois lookup on the IP returned by BSNL's DNS shows it is allocated to an ISP in Ukraine. See below.

http://who.is/whois-ip/ip-address/195.238.181.169

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '195.238.180.0 - 195.238.183.255'

% Abuse contact for '195.238.180.0 - 195.238.183.255' is 'support@netassist.ua'

inetnum: 195.238.180.0 - 195.238.183.255
netname: TR-INFOCOM-ISP
descr: ZAT Ternopil INFOCOM
country: UA
org: ORG-TII3-RIPE
admin-c: VK1293-RIPE
tech-c: NS2011-RIPE
status: ASSIGNED PI
mnt-by: TR-INFOCOM-ISP-MNT
mnt-by: RIPE-NCC-END-MNT
mnt-routes: TR-INFOCOM-ISP-MNT
mnt-domains: TR-INFOCOM-ISP-MNT
source: RIPE # Filtered
sponsoring-org: ORG-NL64-RIPE

organisation: ORG-TII3-RIPE
org-name: ZAT Ternopil INFOCOM
org-type: OTHER
descr: Ternopil INFOCOM ISP
address: 4, Chornovola str.,
address: Ternopil, Ukraine
phone: +380 352 255713
abuse-c: AR28979-RIPE
admin-c: VK1293-RIPE
tech-c: NS2011-RIPE
mnt-ref: TR-INFOCOM-ISP-MNT
mnt-by: TR-INFOCOM-ISP-MNT
source: RIPE # Filtered

person: Nikolay Superson
address: Ternopil Infocom
address: 4, V. Chornovola str.
address: 46001 Ternopil Ukraine
phone: +380 352 255713
fax-no: +380 352 255713
nic-hdl: NS2011-RIPE
mnt-by: TR-INFOCOM-ISP-MNT
source: RIPE # Filtered

person: Victor Kakhnych
address: IF-INFOCOM
address: 10a, Nezalezhnosti str.
address: Ivano-Frankivsk
address: 76000 Ukraine
phone: +380 342 527140
nic-hdl: VK1293-RIPE
mnt-by: IFINFOCOM-MNT
source: RIPE # Filtered

% Information related to '195.238.181.0/24AS43110'

route: 195.238.181.0/24
descr: AS43110
origin: AS43110
mnt-by: TR-INFOCOM-ISP-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.78 (DB-3)

This is obviously very worrying. According to some reports, this kind of man-in-the-middle malware even prompts unsuspecting users for their passwords.

For now I have changed my DNS servers to 8.8.8.8 and 8.8.4.4, which are both run by Google, and things should be better.

I will also look for a way to inform BSNL that their DNS servers are compromised.


One Comment
  1. Yes. Another instance in Bangalore:

    $ nslookup google
    Server: 192.168.1.1
    Address: 192.168.1.1#53

    Non-authoritative answer:
    Name: google.Home
    Address: 52.74.158.221

    $ nslookup thiscannotpossiblyexist
    Server: 192.168.1.1
    Address: 192.168.1.1#53

    Non-authoritative answer:
    Name: thiscannotpossiblyexist.Home
    Address: 52.74.158.221

    $ nslookup - 218.248.255.139
    > thiscannotpossiblyexist
    Server: 218.248.255.139
    Address: 218.248.255.139#53

    Non-authoritative answer:
    Name: thiscannotpossiblyexist.Home
    Address: 52.74.158.221

    It is redirecting anything without an FQDN to a server running on Amazon AWS.
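The two checks this post and the comment above rely on, comparing an ISP resolver's answers with a trusted public resolver, and confirming that a name which cannot exist comes back NXDOMAIN rather than a catch-all address, can be scripted. The following is an added example written for this page, not code from the post's author or from BSNL. It speaks raw DNS over UDP using only the Python standard library, so it can target any resolver address directly. SAMPLE_RESPONSE and SAMPLE_NXDOMAIN are constructed test data, not captured traffic; the addresses 127.0.1.1, 8.8.8.8 and 8.8.4.4 come from the post, and the ISP resolver address passed on the command line is an assumption.

```python
"""Compare A-record answers across resolvers and detect NXDOMAIN hijacking.
Added example for this page; not the blog author's code."""
import random
import socket
import string
import struct
import sys

NXDOMAIN = 3  # RCODE value for "name does not exist"


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query (flags 0x0100 = RD bit set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling compression pointers (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes):
    """Return (rcode, [IPv4 strings]) from the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip question entries: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            ips.append(socket.inet_ntoa(msg[off:off + rdlen]))
        off += rdlen
    return rcode, ips


def query(resolver: str, name: str, timeout: float = 3.0):
    """Send one A query to `resolver` over UDP/53 and parse the reply (needs network)."""
    qid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch: reply does not match our query")
    return parse_a_records(data)


def divergent_resolvers(answers: dict, reference: str) -> list:
    """Resolvers whose answer set shares no address with the reference resolver.
    CDN-hosted names legitimately vary by region, so a hit here means
    "check who owns these addresses", not "hijack confirmed"."""
    ref = answers[reference]
    return sorted(r for r, ips in answers.items() if r != reference and not (ips & ref))


def random_label(n: int = 12) -> str:
    """A label that cannot exist as a top-level name; an honest resolver answers NXDOMAIN."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def hijacks_nxdomain(rcode: int, ips: list) -> bool:
    """True when a resolver hands back addresses for a name that should not exist."""
    return rcode != NXDOMAIN and len(ips) > 0


# Constructed sample responses (not captured traffic), for offline testing.
# 1) google-analytics.com -> 173.194.36.18, answer name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("google-analytics.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("173.194.36.18")
)
# 2) NXDOMAIN (flags 0x8183: QR, RD, RA, RCODE=3) with an empty answer section.
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + encode_name("thiscannotpossiblyexist") + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    # Assumption: the ISP resolver is given on the command line; 127.0.1.1 is the
    # local stub from the post and only shows what it forwards to.
    isp = sys.argv[1] if len(sys.argv) > 1 else "127.0.1.1"
    resolvers = {"isp": isp, "google-8.8.8.8": "8.8.8.8", "google-8.8.4.4": "8.8.4.4"}
    name = "google-analytics.com"
    answers = {label: set(query(addr, name)[1]) for label, addr in resolvers.items()}
    for label, ips in answers.items():
        print(f"{label:16} {name} -> {sorted(ips)}")
    print("resolvers disagreeing with 8.8.8.8:", divergent_resolvers(answers, "google-8.8.8.8"))
    rcode, ips = query(isp, random_label())
    print("NXDOMAIN hijack suspected" if hijacks_nxdomain(rcode, ips) else "NXDOMAIN honoured")
```

Run it as `python dns_check.py <isp-resolver-ip>` with the address your ISP hands out (the one nslookup prints as Server when you are not using the local stub). A mismatch on google-analytics.com is a prompt to run whois on the addresses, exactly as the post does, because CDN-served names do return different addresses in different regions. The NXDOMAIN check is less ambiguous: a recursive resolver behaving honestly has nothing to return for a random top-level label, so any A record it returns, like the 52.74.158.221 in the comment above, is the resolver or something in the path substituting its own answer.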
