dns.sysip.net scary

Every site I visit now shows connecting to dns.sysip.net in Firefox status bar.

This doesn't look good :(

Some threads say this is a DNS exploit, some say that BT's DNS servers are compromised, some say that BT has teamed up with an advertising site.

Either way I cannot get rid of it. Apart from totally reinstalling the O/S, no spyware, AV, rootkit scan or cleaner can get rid of this.

I run the scans and flush the DNS, but every time the USB modem connects to BTOpenworld it connects to dns.sysip.net.
 
There is no entry in there for that location (I use the mvps ad block hosts file anyway).

I did try localhost'ing *sysip.net but the browsers just keep resolving to nothing.
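The wildcard attempt above fails because a hosts file is matched name-for-name by the resolver: a line for `*sysip.net` only ever matches the literal string `*sysip.net`, so `dns.sysip.net` still goes out to the configured DNS server. The following is an added example (not from the thread) that parses a constructed hosts file the way a resolver does and reports which observed hostnames are still uncovered; the hosts content and hostnames are sample values chosen for illustration.

```python
import ipaddress

# Constructed sample hosts file: the wildcard line mirrors the thread's
# attempt, the exact entry is the form that actually takes effect.
SAMPLE_HOSTS = """
# constructed sample hosts file
127.0.0.1   localhost
0.0.0.0     *sysip.net
127.0.0.1   dns.sysip.net   # exact entry: this one matches
"""


def parse_hosts(text):
    """Return a list of (ip, [names]) from hosts-file text.

    Comments after '#' are dropped and lines whose first field is not a
    valid IP address are skipped, which is how resolvers treat them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: resolver ignores the line
        entries.append((str(ip), [name.lower() for name in fields[1:]]))
    return entries


def hosts_lookup(entries, hostname):
    """Mimic hosts-file matching: exact, case-insensitive, no globbing.

    Returns the overriding IP, or None if the name falls through to DNS.
    """
    hostname = hostname.lower().rstrip(".")
    for ip, names in entries:
        if hostname in names:
            return ip
    return None


def uncovered_hosts(entries, observed):
    """Hostnames seen in the status bar or firewall log that the hosts
    file does NOT override, i.e. that still resolve via the DNS server."""
    return [host for host in observed if hosts_lookup(entries, host) is None]
```

Running `uncovered_hosts` over the names seen in the browser status bar shows at a glance which ones need their own exact line, since no hosts-file entry can cover a whole domain.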
 
Something still not right. Firewall showing outgoing to

dns.sysip.net [different IPs such as 212.187.177.142, 64.127.103.40]

I'd like to think I've known my stuff over the years, and that I can rectify any exploit. From the first 'something wonderful has happened' on Amigas, all the way through to Melissa and other headline news viruses.

But this is getting more than scary now. When none of AVG, Microsoft Live scan, Defender, Spybot, Lavasoft, HijackThis or RootkitRevealer identifies an exploit, that is the time to worry.

Either I'm losing my touch or this is big.
 
Spent all morning restoring ghost images from a few months ago.

Have been sysip free all afternoon until about 5 minutes ago :(

Really stumped with this one. I haven't a clue why this is happening.

---

Update. Just ran a Panda Software online scan.

So far this has found

2 viruses
17 spyware
2 hacking tools and rootkits

Holy cow. How the hell does this software find all that when AVG, Kaspersky and Microsoft Live do not?
 
Hmm, not so sure on this now.

I think the dodgy stuff it found were tools I had downloaded to identify the specific exploits - like panda was finding fingerprints in the tools themselves.

Each scan I run now is totally clean. But periodically I still get the "connecting to dns.sysip.net" when visiting some sites.

I'm beginning to wonder if this is indeed BT using a third party monitoring provider and that I have not had any virus all along.

If that is the case BT is history.
 
FYI: this is now more likely to be a case of a BT DNS server being compromised.

I think the reason why this is not widespread is because I'm on BT business broadband and home users are not affected .... yet :)

If you are on BT just beware of anything unusual in the status bar of your browser (they are all affected). If you see looking up or connecting to sysip you may want to flush your dns cache, reboot and pick up a different DNS PDQ.
 
I see the message:

"looking up dns.sysip.net", "connecting to dns.sysip.net" in the browser status window.

As for the flushing - been there, done all that :)

If I reboot the PC and pick up a new IP the problem goes away. If I reboot again and get a different IP it may come back. This is IP related and not DNS server because the DNS server stays just about constant with me, and besides I now use opendns servers. But as I say, if I reboot and pick up a new IP I may or may not get this sysip.net thing.

I'm pretty sure this is a problem with something at BT but obviously I cannot prove this, and I doubt BT would mention "issues of security".

All I know is that only BT users have reported this (latest) issue and here's the ultimate test:

I just bought a brand new disk. In a non-network environment I installed from a genuine XP disk, configured the SPF firewall, installed the SpeedTouch 330, connected to the internet... OK for about half an hour.

After rebooting I got the sysip.net thing again. To me this proves that the problem is down the line and nothing to do with a local trojan or virus.

There is a slim chance that this may be related to a Firefox 2.0.0.4 download. The incident after the fresh install just so happened to occur after I downloaded 2.0.0.4.

I did download that last week too when the problem first started. But that could just be a red herring and my money is still on BT here.

I do hope this is resolved quickly. I've lost four days work over this. It is depressing!
 
Already done those - posted on some of them

The techimo one does not need registration - the admin pulled the thread and all like it for some reason.

Crazy decision IMO. Something is going on out there and it needs discussing.
 
I bought a new boxed PC earlier - preconfigured with Vista, Norton etc.

I'm getting the problem with this NEW PC :(

It did start happening soon after I installed FF 2.0.0.4 so I'm not too sure if this is BT, FF or both.

If anyone has BT, and not yet using FF 2.0.0.4 go try it :D

I'm getting quite paranoid about this. It's not a trojan or exploit on my PC. It is something down the wire. I don't know if I'm being monitored by the feds or something but I feel uneasy with this.

What would you do next?

Move? Change Broadband supplier? I mean, I have totally changed PC and I still get the suspicious activity. What next?
 
Absolutely - a few channels of enquiry going on but they are maintaining radio silence.

IMO some piece of kit has been compromised and is on the lookout for users of Firefox 2.0.0.4.

This would explain why this problem is not (yet) widescale. A block of dynamic IPs and users with FF 2.0.0.4 will get this problem.
 
Hope you don't mind me digging this old thread up but there is a significant update.

Mail on Sunday reporting a deal with BT and a few other ISPs and 'spyad' company Phorm.

I get the impression that the shenanigans from around July last year were just dry runs to prove to BT the power of user tracking.

I feel totally cheesed off about this as my suspicions have now proven to be true.

It's happening guys - BT and other ISPs are going to use tracking / monitoring technology to monitor users and to spoon feed ads.
 
The MOS article is not online yet but other papers have already covered this within the past few weeks:

Phorm has signed up BT, Carphone Warehouse's TalkTalk and Virgin Media to the service

It gives internet service providers a new revenue stream from their subscriber base and, by offering targeted advertising, ISPs and publishers can charge up to 100 times as much as traditional advertising that is based on content

http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/02/15/cnphorm115.xml
 
Who knows. But the company behind Phorm have plenty of 'form'.

You only have to search for

sysip.net

and

peopleonpeople

to see their tactics.

The peopleonpeople campaign was one of the sneakiest ever. It utilised technology specifically to get around ad blocking / anti-spyware products.
 
Bringing this to the top as a document is available which explains what happened in the 2006 javascript injection trials.

http://nodpi.org/?p=10

"121Media will take action (both technical and in public relations) to avoid any perception that their system is a virus, malware or spyware and to show that in effect it is a positive web-development"
 