This discussion has been inactive for longer than 30 days, and is thus closed.
richdb, Sep 16th 2012:
    Hello,

    I have an issue involving requests showing up in my stats:

    1 http.msg.yahoo.com 21
    2 scs-fooe.yahoo.com 21
    3 scs-foof.yahoo.com 21
    4 scs-fooc.yahoo.com 21
    5 scs-food.yahoo.com 21
    6 scs-foob.yahoo.com 21
    7 shttp.msg.yahoo.com 21
    8 scsb.msg.yahoo.com 21
    9 scs-fooa.yahoo.com 21
    10 scsc.msg.yahoo.com 7
    11 scsa.msg.yahoo.com 7
    12 scs.msg.yahoo.com 7
    13 filetransfer.msg.yahoo.com

    I have turned off and unplugged all devices on my network, including wireless, phones, etc., but left my modem/router connected. These entries still show up each day. The one time I disconnected the router/modem, they did NOT show up. I have been through the settings on the router/modem looking for something that could be making these requests, but found nothing. I have reset it to defaults and had my IP change several times during the process. I don't use any Yahoo software. Does anyone have any idea how this could be happening?

    Thanks
rotblitz, Sep 16th 2012 (edited):
    After some research I found out that these domain names are related to Yahoo IM/Chat/P2P. There seem to be IM/Chat/P2P clients accessing these domains, e.g. Trillian (http://www.trillian.im/):
    http://forums.ceruleanstudios.com/showthread.php?t=48754
    http://web.archive.org/web/20100201181219/http://lists.netfilter.org/pipermail/netfilter/2003-June/045102.html

    It seems someone still connects e.g. via WLAN/WiFi to your network to do some chat or IM on Yahoo. Is your WLAN protected enough?

    Blocking msg.yahoo.com should make the service unusable, so the phantom should stop soon.
birkita, Sep 16th 2012:
    I would agree that it sounds like someone has access to your WLAN; make sure you use a secure password and hide the SSID.
(author not shown):
    You can filter the "Chat" category, which might put a stop to this use. You may want to use a better WLAN encryption method, assuming you are using one at all. For example, avoid WEP if possible. Also change your WLAN password (and your router admin password). You can also use MAC filtering (imperfect, but an obstacle that defeats the casual interloper).
richdb, Sep 16th 2012:
    Thanks for your comments.

    I am using a 20 character random numbers, letters and symbols password. Using WPA-PSK. I can't imagine someone cracking it. I've tried myself many times against pen tester cloud password databases (billions of passwords). Is it possible my IP is being used by someone else? I have noticed other websites I have never been to showing up in my stats also. Like I said, I have removed and shut down all devices on my network and just left the modem/router on. Only when I pulled the wire from the phone jack did it stop. I guess I could use something like Wireshark to track down the issue, but I'm no genius with Wireshark. I would like to find out who or what it is before I block it.
(author not shown):
    If all the activity stops when you disconnect from the internet, then it is coming through your network somewhere. Otherwise, I would suggest making sure your IP is updated without error to your Dashboard.
richdb, Sep 17th 2012:
    OK, this is nuts. I disabled the wireless and I still have these requests in my stats. Is it possible I'm sharing an IP with someone else? My IP has changed several times since I reset the modem/router. Any ideas?
birkita, Sep 17th 2012:
    "Is it possible I'm sharing an IP with someone else?"

    Unlikely to be the case since you state when you unplugged everything the entries stopped. This of course would not have happened if your IP was shared.
maintenance, Sep 18th 2012 (edited):
    Is there something on the network automatically checking Yahoo chat or mail? It would again seem unlikely, but did you check that your IP is updated without error to your Dashboard? Also: do you have the time zone set correctly for your stats?
cervezafria, Sep 18th 2012 (edited):
    Did you check your browsers for BHOs/toolbars/extensions that tie back to Yahoo? You can use the free WinPatrol tool to clean up IE, for example.
richdb, Sep 18th 2012:
    The IP is updating without an issue. I have scanned all machines for malware. Now I'm trying to catch it by scanning the network with Wireshark, but I'm not that great with it.
richdb, Sep 20th 2012:
    Couldn't get anywhere with Wireshark. Really seems like the requests are coming from my router/modem. I can turn off wireless, disconnect all wired machines, and the requests still show up. I will just block them for now, and maybe get a new modem.
(author not shown):
    Wireshark will only catch packets when it is in a position to do so. It can only capture packets passing through the device on which it is installed.

    If your modem is doing these lookups, check the interface for settings that might do this. It would be a bit odd, but maybe those lookups are done to check for connectivity. Was the modem supplied by an ISP with an association with Yahoo?

    And if you block them, are more than usual requests logged?
richdb, Sep 21st 2012:
    I was trying to use Wireshark with a network card that supports promiscuous mode. That way I could see every machine's traffic passing through the network.

    The modem did come from an ISP, but I have been through it looking for any settings, and found nothing.

    The requests have gotten slightly less since blocking, but I'm still seeing some sites in my stats that no one here has gone to.
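The reply above notes that Wireshark only sees packets that pass its own interface, and the promiscuous-mode attempt ran into exactly that. What the OpenDNS stats cannot show is which LAN host issued each lookup; a capture or local resolver log that records the source address can. The script below is an added example, not code from the thread or from OpenDNS: it takes per-source DNS query records in an assumed "<src-ip> <queried-name>" format (sample lines constructed here, router address assumed), matches the Yahoo IM names from the stats table, and reports whether the router itself, the client devices, or both issued them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample capture: one DNS query per line as "<src-ip> <queried-name>".
# The format is an assumption for this example; a real capture would be exported
# from Wireshark/tcpdump or taken from a local resolver's query log.
SAMPLE_LOG = """\
192.168.1.1 scs-fooa.yahoo.com
192.168.1.1 http.msg.yahoo.com
192.168.1.23 www.example.org
192.168.1.1 scs-foob.yahoo.com
192.168.1.23 scs.msg.yahoo.com
192.168.1.1 filetransfer.msg.yahoo.com.
"""

ROUTER_IP = "192.168.1.1"  # assumed LAN address of the modem/router

# Name patterns taken from the stats table in the thread (Yahoo IM hosts).
WATCHED = (
    re.compile(r"(^|\.)msg\.yahoo\.com$"),
    re.compile(r"^scs-foo[a-f]\.yahoo\.com$"),
)

def parse(log):
    """Yield (source_ip, normalised_name) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 2:
            # lower-case and drop a trailing dot so FQDN and relative forms compare equal
            yield parts[0], parts[1].lower().rstrip(".")

def is_watched(name):
    return any(p.search(name) for p in WATCHED)

def watched_by_source(log):
    """Map each source address to a Counter of the watched names it looked up."""
    seen = defaultdict(Counter)
    for src, name in parse(log):
        if is_watched(name):
            seen[src][name] += 1
    return dict(seen)

def classify_origin(log, router_ip=ROUTER_IP):
    """Return 'router', 'clients', 'both' or 'none' for who issued the watched lookups."""
    seen = watched_by_source(log)
    router = router_ip in seen
    clients = any(src != router_ip for src in seen)
    if router and clients:
        return "both"
    return "router" if router else ("clients" if clients else "none")
```

A result of "router" with every client powered off is the situation the thread ends on, and points at the modem/router (its firmware or ISP-supplied configuration) rather than at a LAN device.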
rotblitz, Sep 21st 2012:
    "I'm still seeing some sites in my stats that no one here has gone to."

    Yeah, that proves nothing, because DNS is not about sites "one here has gone to", but about name resolution out of your whole network; it has not much to do with browser surfing. The one has as much to do with the other as the phone book has with the phone line. DNS is the phone *book*.

    You can add to your trouble if you haven't disabled DNS prefetching...
richdb, Oct 2nd 2012:
    Well, it looks like it was the modem/router after all. I disconnected it and started using another one; the strange requests have completely stopped.

    I never saw anything strange while looking through the settings, but I wonder if it got infected with some type of firmware malware.
