[ubuntu] router/dns/host problem?



notstevek
September 6th, 2010, 04:42 AM
I've been having a weird time with my Internet lately, I don't know what's wrong so here's what it does.

Sometimes Google returns a 'It works!' page. (Like an apache page)
If I visit a page, I'll get redirected to another page, same with an image.
Pages just won't load, videos, images etc.

Ubuntu 10.04 x64

I'm on wireless, it's a linksys WUSB54GSC v1.
-(Can't go Ethernet, and my PCI slot or cards do not work)

Firestarter is installed, my router is on low.

Ubuntu picked it right up on Livecd / installation.

People are saying it's my DNS, router or hosts file.

Attachment '1.png' was 10 minutes ago.
Did nothing different and it fixed itself.
Attachment '2.png' shows that it works now.

This happens on and off daily.

BkkBonanza
September 6th, 2010, 05:12 AM
Assuming you didn't type in two different addresses then you are getting redirects it seems. This may be caused by someone messing with your network DNS or even by filtering your traffic.

If you are using unsecured wifi then this is very easy for some hacker in your area to do. By "unsecured" I mean anything less than WPA/WPA2 encryption.

Until this is resolved do not enter any login/passwords or cc details at any site.

To make sure you don't have local mis-configuration post the output of these commands,

cat /etc/hosts
cat /etc/resolv.conf

notstevek
September 6th, 2010, 05:29 AM
Correct, when I wrote distrowatch.org/ubuntu manually, it brought me to that url in the second picture. :P

Wifi is WEP, and only people on my network are the ones in my house.


127.0.0.1 localhost
127.0.1.1 steve-ubuntu

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

# Generated by NetworkManager
domain domain_not_set.invalid
search domain_not_set.invalid
nameserver 192.168.1.1
nameserver 71.250.0.12

edit: on a proxy now, ubuntuforums.org was getting redirected now as well.. had to upload picture on tinypic for some reason.. forums wouldn't let me attach the picture.

lol this is crazy.. no one else has this problem, not even me on windows.. so i don't think it's my network being messed with.

http://i52.tinypic.com/wvdfs7.png

BkkBonanza
September 6th, 2010, 05:58 AM
Try changing both your nameserver lines to 8.8.8.8 and 8.8.4.4
That's direct to google dns.
This is the second thread today with verizon DNS problems (just noticed the dns ip being the same).

WEP isn't secure, at all.

You can use the arp command to see what mac addresses are in your arp cache to see what machines you have been communicating with. If they are not the ones for your house then your neighbors may be hijacking. With a cantenna they can be two blocks away.

notstevek
September 6th, 2010, 06:12 AM
arp is just showing me 'dslmodem.domain'

and I put my nameserver lines to those in my resolv.conf correct?

after that and restarting my connection still redirecting me to weird ****, google.com goes to canonical store.

BkkBonanza
September 6th, 2010, 06:21 AM
Well, too weird.

The important part of the arp output is the ether address (MAC) and to make sure it matches your real router (usually marked on the case label). If not then you are connecting to a rogue access point.

It's pretty unlikely but who knows - you're getting weird stuff.

Yes, in resolv.conf but no need to restart. It takes effect right away.

Hmmm.

You should also check your router to make sure someone didn't get in and muck it up - though that should affect everyone on the LAN.

There is another thread open here from a guy having problems with the same exact verizon dns server as yours. Perhaps verizon network issues? It was only affecting linux as well for him. And I guessed that maybe they were trying out DNSSEC upgrades that affect DNS packet size limits, and some packets get truncated. But that was just a guess since some providers are doing DNSSEC upgrades and there are known udp pkt size issues. But using an alternate dns server should bypass that. Unless there are other issues.

What do you get from a traceroute 8.8.8.8 or perhaps,
traceroute ubuntuforums.org?
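
Added example, not part of the forum thread: the two checks discussed so far (does the gateway MAC in the arp cache match the router's case label, and does resolv.conf list only the nameservers you expect) as a small shell script. The function names, the MAC addresses and the 203.0.113.53 resolver are constructed for illustration; on a live system feed it the output of arp -n and the contents of /etc/resolv.conf instead of the samples.

```shell
#!/usr/bin/env bash
# Added example. The MACs and the 203.0.113.53 resolver are constructed samples.

# Normalise a MAC: lower case, ':' separators, two hex digits per octet.
norm_mac() {
    printf '%s\n' "$1" | tr 'ABCDEF-' 'abcdef:' | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++)
            out = out (i > 1 ? ":" : "") (length($i) == 1 ? "0" $i : $i)
        print out }'
}

# Print the hardware address that `arp -n` output ($1) lists for IP $2.
arp_mac() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip && $2 == "ether" { print $3 }'
}

# Compare the label MAC ($1) with the observed MAC ($2).
compare_mac() {
    a=$(norm_mac "$1"); b=$(norm_mac "$2")
    if [ -z "$b" ]; then echo no-entry
    elif [ "$a" = "$b" ]; then echo match
    elif [ "${a%:*}" = "${b%:*}" ]; then echo last-octet-differs
    else echo mismatch
    fi
}

# Print nameservers in resolv.conf text ($1) that are not in the allowlist ($2).
unexpected_resolvers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' |
        while read -r ns; do
            case " $2 " in *" $ns "*) ;; *) printf '%s\n' "$ns" ;; esac
        done
}

SAMPLE_ARP='Address        HWtype  HWaddress          Flags Mask  Iface
192.168.1.1    ether   02:00:00:aa:bb:0f  C           wlan0
192.168.1.70           (incomplete)                   wlan0'
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 192.168.1.1
nameserver 203.0.113.53'
LABEL_MAC='02-00-00-AA-BB-0E'      # as printed on the router case (constructed)

echo "gateway MAC: $(compare_mac "$LABEL_MAC" "$(arp_mac "$SAMPLE_ARP" 192.168.1.1)")"
echo "unexpected resolvers: $(unexpected_resolvers "$SAMPLE_RESOLV" '192.168.1.1 71.250.0.12')"
```

A difference in only the last octet is reported separately from a full mismatch because many routers number their own LAN, WAN and wireless interfaces with consecutive MAC addresses; compare against the address the router's status page lists for the LAN or wireless interface before drawing a conclusion.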

notstevek
September 6th, 2010, 06:29 AM
Now it's not messing up on google's dns, as far as I can tell.

My router is the same exact MAC address showing in arp except for the last letter.

and yes, no one else is getting affected (at least with this problem) and I wasn't either in windows (when it was installed).

traceroute for ubuntuforums.org comes up as
hop hostname ip
1 192.168.1.65 192.168.1.65
1 no reply
then to 31 it does no reply

BkkBonanza
September 6th, 2010, 06:38 AM
My router is the same exact MAC address showing in arp except for the last letter.
Hmmm. That is fishy then. It should be identical. If I were going to put a rogue AP near you and try to force association I would choose a MAC that was very similar...



traceroute for ubuntuforums.org comes up as
hop hostname ip
1 192.168.1.65 192.168.1.65
1 no reply
then to 31 it does no reply
This means that ICMP is being blocked. Assuming that is your router IP.
If it's not your normal router IP then it means your traffic is not going to your router...

notstevek
September 6th, 2010, 06:46 AM
Hmmm. That is fishy then. It should be identical. If I were going to put a rogue AP near you and try to force association I would choose a MAC that was very similar...


This means that ICMP is being blocked. Assuming that is your router IP.
If it's not your router then it means your traffic is not going to your router...

Yeah, well that's what I thought too, I had to double check to make sure that was right, and it's the last letter is off.

That's my personal network IP. that traceroute is displaying.

I'm going to reset my router tomorrow, and do mac authentication for the 3 computers, along with a more secure wifi passphrase.

as for the check your router if anyone messed with it, in what sense check it? in my router page, blocked pages etc? or through terminal somehow?

and both other computers (xp, and win7) both have no problems, and as far as to my knowledge no viruses, etc, and no one complains of weird happenings or changed passwords etc..

didn't even think someone around here would know how to do that, small town..

BkkBonanza
September 6th, 2010, 06:58 AM
Use WPA/WPA2 on your router (unless not supported), you are wasting your effort with anything else.

MAC address whitelisting means nothing to someone who could do a rogue AP anyway.

In a small town it's pretty unlikely, I guess. Unless the problem is further up the network or some hacker is hiding out or on vacation and just messing with you.

On your router you would want to check settings for DNS and DHCP and whether external access to admin and control panel is enabled. Also make sure the password is strong. You would be surprised how many people leave their routers with the default password and if telnet or ssh access is enabled from the web then anyone in the world can start changing your router config to direct DNS to their own servers. They could configure proxy settings to route traffic elsewhere.

I once bought an SMC router that had telnet enabled by default from the internet. That's simply ridiculous. It's actually negligent of them. Things like this should be checked and corrected.

BTW you could plug your computer in to the router and bypass wifi to test if it makes a difference.

re: traceroute, ya I should have realized that was your own ip. But it should at least have the router also unless the router was set to block ICMP to prevent seeing the route your traffic takes going out. That isn't generally the default, so it's a bit suspicious.

notstevek
September 6th, 2010, 07:03 AM
Can't test it in directly.

But uh, just noticed my router password was reset, to default.
Hmm..

But telnet is disabled, don't see anything for ssh.

DHCP looks fine as well

Thanks for the info, I'll update it tomorrow..

BkkBonanza
September 6th, 2010, 07:08 AM
Ok. Make sure no one on your network enters important info like site login/pwd and credit card info on any site until you fix this up. It sounds more and more like your router was taken over from the internet and until it's secured you cannot trust your connection.

notstevek
September 6th, 2010, 08:20 PM
Reset my modem with it off, turned off wireless, made sure it was verizon stock. set up pppoe. turned on wireless with wpa / broadcast off /mac authentication / different essid

i called them up asking just for my pppoe username/password, and after getting 'admin, admin' i just asked to speak to a manager. there was something of a 'redirect' enabled on my router dunno if that was affecting my problem. verizon support does not recommend wpa lol he was like you want me to help you set up wep?

anyway after doing all this arp still shows that the dslmodem mac is the last letter off.

the only thing besides the mac address that looks fishy is the gateway ip address, but i'm not sure what it was beforehand..

the output of the two commands are the same.. though no problems so far


127.0.0.1 localhost
127.0.1.1 steve-ubuntu

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
steve@steve-ubuntu:~$


# Generated by NetworkManager
domain domain_not_set.invalid
search domain_not_set.invalid
nameserver 192.168.1.1
nameserver 71.250.0.12