sysip.net (BT and 121Media)

Does anyone have any cast iron info on BT, 121media and sysip.net?

Information is a bit scant but I really need to know if I have a trojan, if BT dns servers have been comprimised or if BT has done a deal with a media company which redirects dns lookups.

Here's the problem.

On Friday 29-Jun-07 I noticed that firefox would say 'looking up' or 'connecting to' dns.sysip.net on every website I visited. This seemed to be intermittent so I didn't take much notice of it.

Later I googled dns.sysip.net and discovered that in October 2006 it was being used for malware / spyware.

A bit worried I ran virus scans and rootkit scans. Nothing found. I downloaded some specific tools which seemed to give a false positive but all virus scans from four different vendors all report the PC is clean.

A few more recent threads have popped up froum around 25-Jun-07 with the same dns.sysip.net problem. What stood out was this latest clutch of threads are all from BT users.

More interestingly one post made a connection with sysip, BT and 121Media. Allegedly, the code used in a javascript file linked 121media and sysip. A few months ago a press release was announced which said that BT and 121Media had not done a multi million pound deal...

That was a few months ago though so have BT done a deal and is my browser being redirected to sysip?

Today I contacted BT support who state that "they have not been informed" of any kind of link up with 121media. That is not firm proof either way though.

Anyone have any info? So far today the browser has not contacted sysip.net but it could come and go.

There is a possibility this has something to do with an anti-phishing setting within FireFox. You can configure FireFox to check each site to see if it's on a phishing list before visiting it. On my browser this setting is accessed via Edit->Preferences->Security.

If you want you could also change your DNS server settings to the OpenDNS servers but that doesn't seem to be directly related to the issue you have raised.

Can you post the DNS server addresses you are using?

If its a router get them from the status page.

Not sure what is causing this it seems very odd, but if you get me the address I can have a look. So far a quick look on the net finds one thread on Digital spy with some programs even I have not heard of nor would I recommend using another website saying be very afraid and directing you to a forum which you need to register on, nobody registered on bugmenot so I'm not going to bother looking.

I was using the opendns 206.87.222.222 as this does seem to stop the sysip.net lookups.

I have now removed those and set to obtain dns server addresses automatically. Since I did that the dns.sysip.net lookups have started again....

Using Speedtouch330 USB

ipconfig:

****************************************
Description: WAN (PPP/SLIP) Interface
Physical Address: 00-53-xxxxxxxxx
Dhcp Enabled: No
IP Address: 86.149.xx.xx
Subnet Mask: 255.255.255.0
Default Gateway: 86.149.190.8
DNS Servers: 194.72.0.114, 194.74.65.69
NetBIOS over Tcpip: Disabled
****************************************

This affects the whole home network. If I use the settings as above (obtain dns server automatically) any of the network connected PCs indicate 'connecting to dns.sysip.net' when browsing.

As I say, the worrying thing is that none of the PCs are showing any sign of virus, trojan or rootkit. To be honest, I'm bricking it over this as the network PCs I had always presumed were as safe as damn it are used for business transaction processing. I have one PC which has always been secure as best as I could set it and recently I used that to change a lot of passwords and stuff. Now I have doubts and wonder if they are comprimised.

---

If you google for dns.sysip.net locate the techimo,com thread. There was an excellent one there with good advice. One poster appeared and posted his evidence that allegedly BT and their link with 121Media is behind this.

The admin of that board has pulled all threads in relation to sysip.net. I do not know why that is as it was helpful.

If you want to google for that phrase you can dig it up from googles cache of the page.

All speedy replies to this thread are most welcome :-)

john, I don't use firefox anti phising and besides, this is happening with IE too.

Opendns does seem to stop this so I have that set for the moment but I'm not confident with it at all.

I don't think opendns does actually help here at all. Put the settings back in, rebooted, flushedns and I'm now getting the sysip lookups again.

It seems to be intermittent throughout the day.

To my knowledge their is nothing happening between BT and 121media in fact 121media no longer exist. The DNS servers used on a BT Broadband connection are run by BT wholesale and not Retail so again I find this unlikely as Wholesale are virtually independent of Retail. Compromised DNS servers seem likely.

The servers which you have are not the same as what I have got from the DHCP server.

If more people on the forum noticed this please do post the DNS servers which you use and I will look into it. Certainly seems an odd one but I am confident its compromised DNS servers.

I'm on BT Business Total Broadband if that makes a difference.

If this is a compromised DNS at BT end then

a) how do they get to know about it? I did a live chat with support earlier and they didn't know anything about it (although I was angling on the 121media line). Should I try and report this higher up?

b) What's the likelihood that this is only a spyware exploit and that nothing malicious is on my PC?

Apart from the worry this is causing I've lost three days work over this!

Edited by FrankRizzo (Mon 02-Jul-07 15:53:20)

Hmm will have to look at my business line and see! but the DNS servers we use are in the 217 range.

You could just report it to technical helpdesk telling them you think that their DNS has been compromised and giving them the server addresses. You could also try reporting this higher up if you wish.

From reading the posts their is nothing malicious on your PC rather when your PC done the DNS lookup to the server it was injected with code which caused your browser to check the dynsip I presume they are monitoring what you were looking at possibly even more.

Looks like its spyware
follow the instructions here and hopefully you will be rid of it.

Another thing to safeguard against a repeat performance is download and install a modified hosts file from here