XP Pro Auto-Creating Static Routes?

  • XP Pro Auto-Creating Static Routes?

    Hi All,

    I've observed that, following some internet activity, I have quite a few static routes with full 32-bit masks being added to my routing table.

    The IP addresses are of the websites I actually access! E.g. if I leave Firefox in Safe-mode with updates turned off, showing about:blank, it periodically probes a couple of Google hosts for some /safebrows thing (I assume some sort of phishing mechanism). Those IPs end up being added as static routes.

    Over time they slowly disappear.

    I ran Ad-aware, Malwarebytes' Anti-Malware scans with no results.

    I've currently installed Comodo Av/Fw and Secunia, and done scans, with no results as well.

    I find if I close explorer.exe (shutdown ctrl-shift-alt method), the routes no longer change.

    I've avidly watched the wire using wireshark, with no clues there. NBT, LMHOSTS is switched off on NIC. All other network interfaces are down. Tcpview doesn't shed any light.

    I'm really stuck for direction. I've never seen this behaviour before.

    TIA,
    shaakir
    Last edited by shaakir; 18th June 2009, 00:49. Reason: Further clarification

  • #2
    Re: XP Pro Auto-Creating Static Routes?

    Like now I have this in my routing table, aside from the standard:

    72.52.147.187 255.255.255.255 192.168.0.4 192.168.0.2 30

    Which is this web site. .2 is my machine and .4 the gateway.
    Last edited by shaakir; 18th June 2009, 00:53. Reason: Additional remarks



    • #3
      Re: XP Pro Auto-Creating Static Routes?

      Sounds normal to me...
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        Re: XP Pro Auto-Creating Static Routes?

        Originally posted by Dumber:
        > Sounds normal to me...

        Are you coming from an informed perspective?

        Does your machine do the same thing?

        I find it really bizarre ... and I haven't come across any literature suggesting this behaviour.



        • #5
          Re: XP Pro Auto-Creating Static Routes?

          Originally posted by shaakir:
          > Are you coming from an informed perspective?
          .
          Smile when you say that, pardner.....

          Can you tell us a bit more about your network infrastructure, particularly types of switches and routers.

          Is this behaviour on all computers on your LAN or all clients (not servers), or only one machine?
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: XP Pro Auto-Creating Static Routes?

            Originally posted by Ossian:
            > Smile when you say that, pardner.....

            Sorry if it came across as critical. I intended it as a matter-of-fact.

            Originally posted by Ossian:
            > Can you tell us a bit more about your network infrastructure, particularly types of switches and routers.
            >
            > Is this behaviour on all computers on your LAN or all clients (not servers), or only one machine?

            Code:
               ISP
                |
            nat g/w, dns
            192.168.0.4/24
                |
            Switch 
               |
               |- xp pc, 1x NIC: 192.168.0.2/24
               |
               |- other devices:
                * mac
                * printer
                * VoIP ATA, the occasional Wifi, etc

            Pretty vanilla setup.

            The way that thing behaved - it was like a drunk ARP cache table, with static routes instead, slowly appearing when a host is accessed, and later they go away.

            Right now I've reformatted, and running everything via an SSH terminal (SOCKS/HTTP Proxy with Firefox only), so I can't tell if it's going to do it again, yet.

            I'm too scared to turn NAT back on.
            Last edited by shaakir; 21st June 2009, 11:46. Reason: ASCII Art



            • #7
              Re: XP Pro Auto-Creating Static Routes?

              What are the gateway and switch -- makes and models please?
              Is there only one PC on the LAN?
              Have you tried removing everything else and seeing if the problem persists?
              Tom Jones


              • #8
                Re: XP Pro Auto-Creating Static Routes?

                Originally posted by Ossian:
                > What are the gateway and switch -- makes and models please?
                > Is there only one PC on the LAN?
                > Have you tried removing everything else and seeing if the problem persists?

                The gw is a custom OpenWRT box. The only other PC on the LAN is a Windows 2k3 Virtual Server on the same machine, running in bridged mode (so it has its own IP, etc and has no bearing on routing tables). There is a Mac also.

                This is the (standard) routing table as it stands, without any funny entries:

                Code:
                >route print
                ===========================================================================
                Interface List
                0x1 ........................... MS TCP Loopback interface
                0x2 ...<MAC-ADDR> ...... Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller - Packet Scheduler Miniport
                ===========================================================================
                ===========================================================================
                Active Routes:
                Network Destination        Netmask          Gateway       Interface  Metric
                          0.0.0.0          0.0.0.0      192.168.0.4     192.168.0.2       20
                        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
                      192.168.0.0    255.255.255.0      192.168.0.2     192.168.0.2       20
                      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1       20
                    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2       20
                        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2       20
                  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
                Default Gateway:       192.168.0.4
                ===========================================================================
                Persistent Routes:
                  None

                I turned NAT back on for a little bit yesterday to see how it will go, with some windows updates downloading, and I middle-clicked folders of bookmarks in firefox to get some traffic going. Eventually there was (only...) one extra entry in the table, for one of the microsoft hosts. I didn't copy it, unfortunately, but I think it was 65.55.11.179, and it would look exactly like what I pasted before for this web site.

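One way to spot entries like the one in post #2 when comparing `route print` captures, as an added example (not code from any poster in the thread): it parses the Active Routes table and reports host routes (mask 255.255.255.255) to off-link destinations that point at the default gateway. The sample table is constructed from the baseline in post #8 plus the entry quoted in post #2, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the baseline table from post #8 plus the extra
# host route quoted in post #2.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.4     192.168.0.2       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.2     192.168.0.2       20
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2       20
    72.52.147.187  255.255.255.255      192.168.0.4     192.168.0.2       30
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2       20
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
Default Gateway:       192.168.0.4
"""

def parse_routes(text):
    """Return (dest, mask, gateway, interface, metric) tuples from the table rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # headers, separators, interface list, "Default Gateway:"
        try:
            dest, mask, gw, iface = (ipaddress.IPv4Address(p) for p in parts[:4])
        except ValueError:
            continue  # five columns but not four IPv4 addresses
        routes.append((dest, mask, gw, iface, int(parts[4])))
    return routes

def unexpected_host_routes(routes):
    """Host (/32) routes to off-link destinations that go via a default gateway."""
    zero = ipaddress.IPv4Address("0.0.0.0")
    full = ipaddress.IPv4Address("255.255.255.255")
    default_gws = {gw for dest, mask, gw, _, _ in routes if dest == zero and mask == zero}
    # On-link networks: in XP's table the gateway column equals the interface address.
    on_link = [ipaddress.IPv4Network(f"{d}/{m}", strict=False)
               for d, m, gw, iface, _ in routes if gw == iface and m != full]
    return [r for r in routes
            if r[1] == full and r[2] in default_gws
            and not any(r[0] in net for net in on_link)]

if __name__ == "__main__":
    for dest, mask, gw, iface, metric in unexpected_host_routes(parse_routes(SAMPLE)):
        print(f"host route {dest} via {gw} on {iface} metric {metric}")
```

Running it against captures taken a few minutes apart shows which host routes appear and which age out.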