OpenDNS says I have spyware, but which of my computers has it?

0

I very rarely log into OpenDNS. Last time I logged in, it informed me that it had blocked attempts to visit a spyware domain, but as I have the free version of OpenDNS and the log was too old, I couldn't see what domain was trying to be accessed. Since it hadn't happened in a number of days, I just ignored it, assuming maybe it was one of my roommate's friends with their laptop or something.

Now I just logged in and it informed me that 2 attempts to access "www.dell.at" (DO NOT VISIT) were blocked August 9th. Luckily I logged in and saw it today, because the same issue would've happened, had I logged in tomorrow or later. Nobody else has been here with their laptop around that time, and my network is WPA2 secured, so it has to be one of my computers.

OpenDNS: www.dell.at blocked as botnet

Now the question is, what computer has the botnet? My router is set to route all DNS requests through OpenDNS, so that all 7 computers (and 2 iPods and 1 Android phone and 1 Wii and 1 Xbox and 1 Nintendo DS) are protected and use OpenDNS's great DNS system.

My router is running Tomato, though it's a WRT54GL so I can put DD-WRT or another firmware on it if necessary. I would like your help in figuring out which computer has the botnet spyware.

How can I set my router to inform me somehow when a computer attempts to access www.dell.at? Ideally, it would detect an attempt to resolve that domain and would email me or something with the internal IP address. All of my devices are given static DHCP IP addresses, so I would be able to tell just from the internal IP which device it is.

Also, is this a known botnet/spyware that I can scan for? Three of my computers are running Linux, and I guess I can assume my small devices don't have spyware (well, maybe - one of the iPods is jailbroken...) but the other four computers are running Windows 7. Only one computer runs antivirus because I haven't had issues and I consider myself a Super User, keeping my things up to date and obviously not opening anything suspicious (and using Google Chrome, and all of the other things that keep me automatically secure). What is the easiest thing to do in this situation, without going to the trouble of installing antivirus? Can anyone recommend a good scanner that just runs once, maybe a "portable" antivirus or a browser based one?

Also, any theories as to why this thing only tried to access the internet a week ago? All of my computers and devices have been on since then so I would think it would have a more recent date than that. Do you think it's possible that all my computers are clean and it was just an embedded resource in a webpage I visited? This seems the most likely story, except that it's happened multiple times (but I wish I could've seen the domain name the first time).

Ricket

Posted 2010-08-16T17:23:19.270

Reputation: 1 406
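One way to answer the "which internal host asked for that name" part, as an added example that is not from the poster or from the Tomato project: Tomato's DNS forwarder is dnsmasq, and with dnsmasq query logging (`log-queries`) enabled every lookup is written to syslog as `query[A] <name> from <client ip>`, so the client address is already in the log. The script below scans such lines for a domain (or any of its subdomains) and counts queries per internal IP; the log lines are a constructed sample, and the Tomato syslog prefix is assumed.

```shell
# Constructed sample of dnsmasq query-log lines (not taken from the poster's router).
# With 'log-queries' enabled, dnsmasq logs "query[TYPE] <name> from <client>".
SAMPLE_LOG=$(cat <<'EOF'
Aug  9 14:02:11 tomato daemon.info dnsmasq[812]: query[A] www.google.com from 192.168.1.20
Aug  9 14:02:13 tomato daemon.info dnsmasq[812]: query[A] www.dell.at from 192.168.1.37
Aug  9 14:02:13 tomato daemon.info dnsmasq[812]: forwarded www.dell.at to 208.67.222.222
Aug  9 14:02:14 tomato daemon.info dnsmasq[812]: query[A] www.dell.at from 192.168.1.37
Aug  9 14:05:40 tomato daemon.info dnsmasq[812]: query[AAAA] www.dell.at from 192.168.1.52
Aug  9 14:06:02 tomato daemon.info dnsmasq[812]: query[A] update.microsoft.com from 192.168.1.52
EOF
)

# Print "count client_ip" for every internal host that asked the router to resolve
# the given domain, matching the name exactly or as a subdomain of it.
# Usage: clients_for_domain <domain> < logfile
clients_for_domain() {
    domain="$1"
    awk -v dom="$domain" '
        # Only "query[...]" lines carry the client address; forwarded/reply lines do not.
        /query\[/ {
            for (i = 1; i < NF; i++) {
                name = $i
                is_sub = (substr(name, length(name) - length(dom)) == "." dom)
                if ($(i + 1) == "from" && (name == dom || is_sub)) {
                    count[$(i + 2)]++
                }
            }
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# Wrapper over the embedded sample so the block runs stand-alone.
report() {
    printf '%s\n' "$SAMPLE_LOG" | clients_for_domain "$1"
}

report www.dell.at
```

Run against the router's real syslog (or a remote syslog target Tomato is pointed at) instead of the sample; with static DHCP leases the IP in the output identifies the device directly.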

Answers

2

Well, not sure which computer is going to www.dell.at but there is nothing wrong with that site and it is a false positive from OpenDNS I think. http://www.dell.at is Dell's Austria site and is ok. Unless the Botnet is doing a DDOS on that site and OpenDNS is trying to protect Dell I am unsure why you are getting any of this. I don't think this is how OpenDNS uses the botnet protection so this can be ignored.

David Remy

Posted 2010-08-16T17:23:19.270

Reputation: 1 899

You're right! I'm not sure why they blocked it. I just visited the site and OpenDNS did not block me this time, so maybe that false positive was just added in that day and later removed. The question still remains of how it got browsed to from my computers, since I certainly don't visit Austrian sites... But oh well! Thanks for pointing it out :) – Ricket – 2010-08-18T23:03:08.840

1

Install, update, and run scans with MalwareBytes and Spybot. This would be the most straightforward approach.

After that, follow up with a virus scan (if you don't have anti-virus software installed, you need it these days. It's foolish to not have it installed on a Windows machine. AVG and Avast are freebies, so there's no excuse not to install one of them.)

Make sure your Windows Firewall is enabled.

Force Flow

Posted 2010-08-16T17:23:19.270

Reputation: 3 850

My excuse to not install a virus scanner is the performance hit they bring. I scan individual files that I'm wary of with virustotal.com but otherwise my habits generally keep me safe. I do use and enjoy the Windows Firewall though! I let Windows Defender do its thing too. – Ricket – 2010-08-16T18:22:28.653

Not a smart thing to do, not using AV. Look into MSE if you are worried about speed hits; I never have an issue with it even on netbooks. – David Remy – 2010-08-16T18:29:16.173

If you have relatively modern hardware, you won't notice a speed hit. If you're running older hardware (7-10 years old), Avira is a lighter-weight solution intended for older/slower hardware. Again, a freebie. – Force Flow – 2010-08-16T20:47:17.303