dns.sysip.net scary

Associate. Joined: 18 Mar 2003. Posts: 1,129
Every site I visit now shows connecting to dns.sysip.net in Firefox status bar.

This doesn't look good :(

Some threads say this is a DNS exploit, some say that BT's DNS are compromised, some say that BT has teamed up with an advertising site.

Either way I can not get rid of it. Apart from totally reinstalling O/S no spyware, av, rootkit scan, cleaner can get rid of this.

I run the scans, flush the DNS, but every time the USB modem connects to BTOpenworld it connects to dns.sysip.net
 
Go to Start > Run and type in "notepad C:\WINDOWS\system32\drivers\etc\hosts" & post contents here... you might be able to simply remove the entry in there (if there is one) :)
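The hosts-file check suggested above, as an added example that is not part of the thread: it parses hosts-file text the way the resolver does (one address, then one or more hostnames per line, `#` starts a comment, matching is case-insensitive and exact) and reports which lines cover a hostname. It also flags wildcard entries, because the hosts file has no wildcard support and a line like `127.0.0.1 *.sysip.net` matches nothing. `SAMPLE_HOSTS` is a constructed sample, not anyone's real file.

```python
"""Check a hosts file for entries that cover a given hostname.

Added example, not from the forum thread. SAMPLE_HOSTS is constructed.
"""
from __future__ import annotations

import platform
from pathlib import Path

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test   # typical ad-block list entry
127.0.0.1       *.sysip.net                 # wildcard: never matches anything
"""


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (address, [hostnames]) for each effective line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:                     # blank, or an address with no names
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def lookup(text: str, hostname: str) -> list[str]:
    """Addresses the hosts file maps `hostname` to (empty if there is no entry)."""
    host = hostname.lower().rstrip(".")
    return [addr for addr, names in parse_hosts(text) if host in names]


def wildcard_entries(text: str) -> list[str]:
    """Hostnames containing '*': the resolver silently ignores these."""
    return [h for _, names in parse_hosts(text) for h in names if "*" in h]


def default_hosts_path() -> Path:
    """Location of the system hosts file on Windows and Unix-like systems."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "dns.sysip.net"
    text = default_hosts_path().read_text(errors="replace")
    hits = lookup(text, target)
    print(f"{target}: {hits if hits else 'no hosts-file entry'}")
    for h in wildcard_entries(text):
        print(f"warning: wildcard entry '{h}' has no effect")
```

Run it as `python hostscheck.py dns.sysip.net` on the affected machine; an empty result means the hosts file is not what is steering the browser to that name, and any wildcard warning explains why a `*.domain` block line has not helped.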
 
There is no entry in there for that location (I use the mvps ad block hosts file anyway).

I did try localhost'ing *sysip.net but the browsers just keep resolving to nothing.
 
Try specifying another DNS server in your router.

Use something like opendns.

That should solve it for the time being.
 
Something still not right. Firewall showing outgoing to

dns.sysip.net [different IPs such as 212.187.177.142, 64.127.103.40]

I'd like to think I've known my stuff over the years, and that I can rectify any exploit. From the first 'something wonderful has happened' on Amigas, all the way through to Melissa and other headline news viruses.

But this is getting more than scary now. When neither avg, microsoft live scan, defender, spybot, lavasoft, hijackthis or rootkit revealer identify an exploit that is the time to worry.

Either I'm losing my touch or this is big.
 
Spent all morning restoring ghost images from a few months ago.

Have been sysip free all afternoon until about 5 minutes ago :(

Really stumped with this one. I haven't a clue why this is happening.

---

Update. Just run a pandasoftware online scan.

So far this has found

2 viruses
17 spyware
2 hacking tools and rootkits

Holy cow. How the hell does this software find all that when AVG, Kaspersky, Microsoft Live do not?
 
Hmm, not so sure on this now.

I think the dodgy stuff it found were tools I had downloaded to identify the specific exploits - like panda was finding fingerprints in the tools themselves.

Each scan I run now is totally clean. But periodically I still get the

connecting to dns.sysip.net when visiting some sites.

I'm beginning to wonder if this is indeed BT using a third party monitoring provider and that I have not had any virus all along.

If that is the case BT is history.
 
FYI: this is now more likely to be a case of a BT DNS server being compromised.

I think the reason why this is not widespread is because I'm on BT business broadband and home users are not affected .... yet :)

If you are on BT just beware of anything unusual in the status bar of your browser (they are all affected). If you see looking up or connecting to sysip you may want to flush your dns cache, reboot and pick up a different DNS PDQ.
 
Frank. What are you using that tells you that the DNS is sysip? Just interested. :D

Try this:-

1. Clear ALL your cookies, cache, temporary internet files from BOTH IE and Firefox, if you have it.
2. Go to Start > Run, then type ipconfig.exe /flushdns
3. Reset your router to factory defaults
4. Reboot

That -should- fix it, as it seems to be stored in your router's DNS table.
But to be sure keep checking your cookies for any left by dns.sysip.net, or block it from your firewall and see if pages hang.
 
I see the message:

"looking up dns.sysip.net", "connecting to dns.sysip.net" in the browser status window.

As for the flushing - been there, done all that :)

If I reboot the PC and pick up a new IP the problem goes away. If I reboot again and get a different IP it may come back. This is IP related and not DNS server because the DNS server stays just about constant with me, and besides I now use opendns servers. But as I say, if I reboot and pick up a new IP I may or may not get this sysip.net thing.

I'm pretty sure this is a problem with something at BT but obviously cannot prove this, and I doubt BT would mention "issues of security".

All I know is that only BT users have reported this (latest) issue and here's the ultimate test:

I just bought a brand new disk. In a non network environment I installed genuine XP disk, configured spf firewall, installed speedtouch 330, connected to the internet... ok for about half hour.

After rebooting I got the sysip.net thing again. To me this proves that the problem is down the line and nothing to do with a local trojan or virus.

There is a slim chance that this may be related to a Firefox 2.0.0.4 download. The incident after the fresh install just so happened to occur after I downloaded 2.0.0.4

I did download that last week too when the problem first started. But that could just be a red herring and my money is still on BT here.

I do hope this is resolved quickly. I've lost four days work over this. It is depressing!
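The reasoning in the post above (same DNS server, different answers depending on which IP the modem picks up) can be tested directly rather than inferred. The following is an added example, not code from the thread: it hand-builds a minimal DNS A query over UDP, sends it to each resolver in a list, and compares the answers. If the ISP-assigned resolver returns addresses the independent resolver does not, the resolver path is suspect; if every resolver agrees and the symptom persists, the cause is elsewhere (the client, or something in the data path between the modem and the site). The two resolver addresses in `RESOLVERS` are placeholders (documentation-range addresses) to be replaced with the resolver the router handed out and an independent one of your choice.

```python
"""Compare A-record answers for one hostname across several DNS resolvers.

Added example, not from the forum thread. RESOLVERS holds placeholder
addresses; replace them before a live run.
"""
from __future__ import annotations

import secrets
import socket
import struct

# Placeholder resolver list (assumption): "isp" = resolver the router handed out,
# "independent" = a resolver you trust and that is not on the ISP's path.
RESOLVERS = {"isp": "192.0.2.53", "independent": "198.51.100.53"}


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive A/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_a_records(pkt: bytes, expected_txid: int) -> tuple[int, list[str]]:
    """Return (rcode, sorted A-record addresses) from a DNS response packet."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return flags & 0x000F, sorted(addrs)


def query(resolver: str, name: str, timeout: float = 3.0) -> list[str]:
    """Send one query to `resolver` and return the A records it answers with."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(512)
    rcode, addrs = parse_a_records(data, txid)
    if rcode != 0:
        raise RuntimeError(f"{resolver} returned RCODE {rcode} for {name}")
    return addrs


def answers_agree(results: dict[str, list[str]]) -> bool:
    """True when every resolver returned the same set of addresses."""
    answer_sets = {tuple(sorted(addrs)) for addrs in results.values()}
    return len(answer_sets) <= 1


if __name__ == "__main__":
    import sys

    hostname = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    results = {label: query(ip, hostname) for label, ip in RESOLVERS.items()}
    for label, addrs in results.items():
        print(f"{label:12} {RESOLVERS[label]:16} -> {', '.join(addrs) or '(no A records)'}")
    print("resolvers agree" if answers_agree(results)
          else "ANSWERS DIFFER: inspect the resolver path")
```

Names hosted on a CDN legitimately resolve to different addresses from different resolvers, so run the comparison against a name you expect to be stable and treat a difference as a lead to follow up (for example by repeating it after the modem has picked up a new IP), not as proof on its own.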
 
Already done those - posted on some of them

The techimo one does not need registration - the admin pulled the thread and all like it for some reason.

Crazy decision IMO. Something is going on out there and it needs discussing.
 
I bought a new boxed PC earlier - preconfigured with Vista, Norton etc.

I'm getting the problem with this NEW PC :(

It did start happening soon after I installed FF 2.0.0.4 so I'm not too sure if this is BT, FF or both.

If anyone has BT, and not yet using FF 2.0.0.4 go try it :D

I'm getting quite paranoid about this. It's not a trojan or exploit on my PC. It is something down the wire. I don't know if I'm being monitored by the feds or something but I feel uneasy with this.

What would you do next?

Move? Change Broadband supplier? I mean, I have totally changed PC and I still get the suspicious activity. What next?
 
Absolutely - a few channels of enquiry going on but they are maintaining radio silence.

IMO some piece of kit has been compromised and is on the lookout for users of Firefox 2.0.0.4.

This would explain why this problem is not (yet) widescale. A block of dynamic IPs and users with FF 2.0.0.4 will get this problem.
 