WARNING: to BT users..

[mervaka]

.. and to anyone else for that.

if you see dns.sysip.net in your status bar, be very afraid.

http://www.techimo.com/forum/showthread.php?t=188184

[Backstaber]

So, if it doesn't say "Done" at the bottom, you have it? I have no idea what they are talking about, unless there is a pic somewhere or something.

[skuLL]

Is this in Brazil already?


Seems to affect only American ISP's

@edit: I read in that thread that a guy has been getting constant disconnects by this..
Now this is happening to me, any chance to be this?

[A drunken retard]

[Edited]

[Backstaber]

BT is British Telecommunications, right?
If so, I don't have to worry about it since I'm in the US, right?

[FrenchToast]

I was going for bit torrent.

[skuLL]

Quote:

Originally Posted by FrenchToast

I was going for bit torrent.

Me too.


Oh fuck...

[Backstaber]

Aight, I don't ever use bit torrent so I wouldn't know.

[mervaka]

Quote:

Originally Posted by Backstaber

Aight, I don't ever use bit torrent so I wouldn't know.

eh? its a java/dns based thing.. by BT i mean british telecom.

[Backstaber]

So I was right. I'll watch out for it.

[mervaka]

i think this code comes into play:

Code:

<html>
  <head>
    <noscript><meta http-equiv="Refresh" content="0; URL=http://dns.sysip.net/services/nojscript?orig=http%3A%2F%2Fwww.youtube.com%2Fbrowse%3Fs%3Dmp&request-id=1182995443_981191"/></noscript>
    <script type="text/javascript" src="http://dns.sysip.net/services/bind?request-id=1182995443_981191"></script>
    <script type="text/javascript">
    try {
      var domain = location.hostname, cookie_str = "ps-uid=" + UID;
      if (!domain.match(/^(\d{1,3}\.){3}(\d{1,3})$/)) {
        var h = domain.split("."), l = h.length;
        if (l >= 2) {
          domain = "." + h[l - 2] + "." + h[l - 1];
          if (l >= 3 && (h[l - 2] == "com" || h[l - 2].length < 3))
            domain = "." + h[l - 3] + domain;
        }
        cookie_str += "; domain=" + domain;
      }

      var d = new Date();
      if (UID != "OPTED_OUT") {
        d.setTime(d.getTime() + 1000 * 60 * 60 * 24 * 3);
      } else {
        // set to 4 hours
        d.setTime(d.getTime() + 1000 * 60 * 60 * 4);
      }

      cookie_str += "; path=/; expires=" + d.toGMTString();
      document.cookie = cookie_str;
    } catch(e) { }
    window.location = "http://www.youtube.com/browse?s=mp";
    </script>
  </head>
  <noscript><iframe src="http://dns.sysip.net/services/frame?orig=http%3A%2F%2Fwww.youtube.com%2Fbrowse%3Fs%3Dmp&request-id=1182995443_981191" width="1px" height="1px" style="visibility:hidden;"></iframe></noscript>
</html>

[Fail]

I don't get it. It's a computer virus that is activated by javascript?

[Leandros]

Common Sense Antivirus 2007 has not failed me yet 8D

[mervaka]

Quote:

Originally Posted by Leandros

Common Sense Antivirus 2007 has not failed me yet 8D

all well and good saying that. the root of the problem isnt with a lack of common sense on my part, but my ISP's. ever heard of DNS cache poisoning?

[Lost]

Man, thats some sophisticated shit, only a few of the people attacked would have any idea of what to look for, much less where to look. I don't think I'll be using Trendmicro any more.

[mervaka]

okay, so i put my old router back in, and told it to block and log anything outgoing to sysip.net.... the results were interesting, and mostly looked like this:

Sun, 2002-09-08 15:47:11 - TCP Packet - Source:192.168.0.3,38851 Destination:64.127.103.40,80 - [BLOCK]

that IP is aparently based in Kirkland, WA

[mervaka]

okay so i think i've extinguised this whole thing..

i had to disconnect any windows based machines from the network, flush the router's dns cache, flush the windows machines' caches, clear all the information held in any installation of firefox or IE on all the machines, then start everything back up using a different dns server. so far so good...

[Backstaber]

Thats good Mervaka. Keep us posted.

[mervaka]

Quote:

Originally Posted by Backstaber

Thats good Mervaka. Keep us posted.

nope, its still here it seems. i tried posting a myspace bulletin, and instead of putting the link i wanted in a hyperlink, it replaced the url with something from msplinks.com, so i assume this is how it spreads.

EDIT: nevermind, i just whoised it, and msplinks.com is owned by myspace... DUH

[Backstaber]

You have windows? Try a System Restore and maybe it might fix it, unless you've already done that or someone else said it won't work.