Redirects via "jupk.com"


terryJones
1st Dec 2006, 22:15
For info only now.
I have just recovered from a couple of days whereby calls to such innocent places as GoogleUK finished up at some porn site or other unwanted locales.
It turned out that this 'Bug' had altered the DNS setting in Network Connections.
The cure was quite simple.
'Settings/Control panel/Network Connections/'Right click' Internet connection/ Properties/Networking/ Double click TCP/IP and ensure that "Obtain DNS Server Address Automatically" IS SELECTED
Hope this makes sense to anyone who may need it.

Saab Dastard
1st Dec 2006, 22:53
TJ,

I assume that the DNS server address(es) had been altered to a specific IP address - I don't suppose you recorded it, by any chance?

This is what a ping reveals:

dns.jupk.com [209.85.51.47]

SD

terryJones
1st Dec 2006, 23:44
Saab.
The exact numbers I cannot recall, but "who is" shows it as part of the RIPE Network in Amsterdam.
They were in the order of 85.xx.xx.xx
Terry.

cargosales
2nd Dec 2006, 10:09
Thank God for Pprune!

I've been getting this problem / am in the middle of trying to sort it out. Assuming it's the same thing - a pale blue screen with 'find something interesting' in the top left corner and a bunch of links, many adult in nature. And a pic of a pretty, clothed female.

The IP addresses in the TCP/IP boxes are 85 255 114 20 and 85 255 112 175. Is there a specific way to block these addresses then?

BOAC
2nd Dec 2006, 11:56
Both addresses resolve to

inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
remarks: -----------------------------------
remarks: Abuse notifications to: http://img.domaintools.com/email.pgif?md5=46ab224b1772e81c871eebee6653ee5a (http://whois.domaintools.com/domain-privacy/)
remarks: Network problems to: http://img.domaintools.com/email.pgif?md5=2892c0e986e62017fedfc3e22d578916 (http://whois.domaintools.com/domain-privacy/)
remarks: Peering requests to: http://img.domaintools.com/email.pgif?md5=03a02c3f4434ee8e019d994d8c1a3c17 (http://whois.domaintools.com/domain-privacy/)
remarks: -----------------------------------
country: UA
org: ORG-EST1-RIPE
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
tech-c: FWHS1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: RECIT-MNT
mnt-routes: RECIT-MNT
mnt-domains: RECIT-MNT
mnt-by: DAV-MNT
mnt-routes: DAV-MNT
mnt-domains: DAV-MNT
source: RIPE # Filtered

organisation: ORG-EST1-RIPE
org-name: INHOSTER
org-type: NON-REGISTRY
remarks: *************************************
remarks: * Abuse contacts: http://img.domaintools.com/email.pgif?md5=46ab224b1772e81c871eebee6653ee5a (http://whois.domaintools.com/domain-privacy/) *
remarks: *************************************
address: OOO Inhoster
address: Poltavskij Shliax 24, Xarkov,
address: 61000, Ukraine
phone: +38 066 4633621
e-mail: http://img.domaintools.com/email.pgif?md5=49d675911a765d81d314580ae3b1f2a8 (http://whois.domaintools.com/domain-privacy/)
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
mnt-ref: DAV-MNT
mnt-by: DAV-MNT
source: RIPE # Filtered

person: Andrei Kislizin
address: OOO Inhoster,
address: ul.Antonova 5, Kiev,
address: 03186, Ukraine
phone: +38 044 2404332
nic-hdl: AK4026-RIPE
source: RIPE # Filtered

person: Fast Web Hosting Support
address: 01110, Ukraine, Kiev, 20 , Solomenskaya street. room 201.
address: UA
phone: +35 79 91 17 759
e-mail: http://img.domaintools.com/email.pgif?md5=dc1b4a70c503180e66bba16cc8e3f162 (http://whois.domaintools.com/domain-privacy/)
nic-hdl: FWHS1-RIPE
source: RIPE # Filtered

Saab Dastard
2nd Dec 2006, 15:17
Abuse notifications to: http://img.domaintools.com/email.pgi...1eebee6653ee5a

Chocolate teapot territory!

Here's an interesting piece from Spyware Confidential (http://blogs.zdnet.com/Spyware/wp-mobile.php?p=763&more=1).

SD

Saab Dastard
2nd Dec 2006, 15:41
Is there a specific way to block these addresses then?

In Win XP, there is no obvious and easy way. Windows built-in firewall doesn't allow this sort of IP address filtering - nor does OneCare (say that over and over, you end up saying wa*ker!).

I digress.

Some other software firewalls may allow you to block a source / destination address or address range. I don't know.

Hardware firewalls may allow you to do it - my Netgear firewall doesn't allow IP address ranges (just domain names) to be blocked, but I simply set up a static route, so that the route to 85.255.112.0/20 (the /20 means a 20-bit subnet mask, i.e. 255.255.240.0) is directed by the firewall BACK to my own computer. Similarly for 69.50.160.0/19.

Crude, but effective!

SD
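
Added example, not part of the original thread: a Python check that reads `ipconfig /all` output and flags any adapter whose DNS servers fall inside the two ranges named in the post above. The sample output is constructed (adapter names and the 192.168.0.x addresses are invented); the two flagged resolver addresses are the ones quoted earlier in the thread.

```python
import ipaddress

# Ranges named in the thread: 85.255.112.0/20 (the RIPE inetnum
# 85.255.112.0 - 85.255.127.255) and 69.50.160.0/19.
SUSPECT_RANGES = [ipaddress.ip_network("85.255.112.0/20"),
                  ipaddress.ip_network("69.50.160.0/19")]

# Constructed `ipconfig /all` excerpt (XP-style layout); adapter details are
# invented, the first adapter's DNS servers are the two quoted in the thread.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.10
        DNS Servers . . . . . . . . . . . : 85.255.114.20
                                            85.255.112.175
        Lease Obtained. . . . . . . . . . : (constructed)

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

def _ip(text):
    """Parse an IP address, or return None for anything else."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False
            adapters[current] = []
        elif current and "DNS Servers" in line:
            in_dns = True
            first = _ip(line.split(":", 1)[1])
            if first is not None:
                adapters[current].append(first)
        elif in_dns and _ip(line) is not None:
            adapters[current].append(_ip(line))   # continuation line
        elif line.strip():
            in_dns = False                         # any other field ends the list
    return adapters

def flag_suspect_dns(text):
    """Return (adapter, server, matching range) for resolvers in SUSPECT_RANGES."""
    return [(name, str(ip), str(net))
            for name, servers in dns_servers_by_adapter(text).items()
            for ip in servers for net in SUSPECT_RANGES if ip in net]
```

An adapter that obtains its DNS servers automatically would normally list the router or ISP resolvers, so any hit here points back at the TCP/IP properties dialog described in the first post.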

Mac the Knife
2nd Dec 2006, 17:02
"In Win XP, there is no obvious and easy way."

Actually there is - That's what your HOSTS file is there for (not strictly speaking, but you can use it for that).

Rather than me explaining, pop over to http://accs-net.com/hosts/ and read all about it. It ain't difficult and doesn't cost anything.

Use your HOSTS file (which is built into Windows [and Linux]) in combination with eDexter and/or DNSKong and Hostsman from abelhadigital - http://pwp.netcabo.pt/0413933601/abelhadigital/hostsman.html - and you're all set.

And it's all free :ok:

Saab Dastard
2nd Dec 2006, 19:55
Mac,

You are answering the wrong question - the question was "How can I block access to this range of IP addresses", not how can I manage name resolution.

The HOSTS file manages translation of host names into IP addresses, NOTHING ELSE!

It cannot be used to block access to IP addresses BECAUSE IF YOU KNOW THE IP ADDRESS IT IS NOT EVEN CONSULTED!!

With a proper firewall it is simple to write rules to block traffic to / from specific addresses or whole blocks of addresses as in this case; however, Windows isn't a firewall (understatement of the century), and most of the home WAP/Switch/Firewalls don't allow this level of customisation. I'm sure that there are some that allow this - I'm also sure that some of the software firewalls that run on Windows can do this.

I believe that you could write static routes into Windows networking via the command line, and it would be simple to put this into a script that runs whenever you boot, but with more than one device on the network, it makes more sense (and is easier) to put it on the firewall.

SD

Mac the Knife
3rd Dec 2006, 05:10
Oooops! You're right.

That'll teach me to engage brain before speaking :ouch:

As you say, the firewall is the place to block access to specific or ranges of IP addresses.

matt_hooks
4th Dec 2006, 08:59
I use zone alarm which allows blocking of specific IP addresses and/or ranges of addresses. :)

BOAC
4th Dec 2006, 10:08
Which version of ZA is that please?

matt_hooks
4th Dec 2006, 20:27
It's the free version from www.zonelabs.com

info gives

ZoneAlarm version:6.5.737.000
TrueVector version:6.5.737.000
Driver version:6.5.737.000