Author Topic: Help with Utopia.net  (Read 2632 times)


Offline raptoo

  • Newbie
  • *
  • Posts: 2
Help with Utopia.net
« on: September 25, 2019, 05:53:39 PM »
Greetings all,
Just new to Avast. Have free and getting ready to upgrade but really confused.
Will Avast premium just fix this or are there more hoops to jump through?
I have read posts that talk about Malwarebytes, Farbar, MCshield...etc. Really? More downloads/scans.

I have 3 PCs on a home network with a Comcast Fiber Optic Gateway router. Desktop and laptop have the DNS hijacked. Tried REGedit to no avail. I have another old laptop that has been OFF for months; upon booting, IPconfig shows the hack. Seems that the source is outside the system.

I'm told that Avast premium will just fix this. Correct or naive?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: Help with Utopia.net
« Reply #1 on: September 25, 2019, 06:02:54 PM »
Quote
Will Avast premium just fix this or are there more hoops to jump through?
If free doesn't, then premium will not, and it will not be free ... the help below is free   :D


Follow instructions and attach requested logs  >>  https://forum.avast.com/index.php?topic=194892.0

Programs can be uninstalled when the malware expert is finished   ;)



« Last Edit: September 25, 2019, 09:30:05 PM by Pondus »

Offline raptoo

  • Newbie
  • *
  • Posts: 2
Re: Help with Utopia.net
« Reply #2 on: October 12, 2019, 04:55:23 PM »
Here is a follow up of my experience. I hope it helps others...

SOLVED

I strongly believed that there was no software on my machine that caused this. I believed this because the moment I connected other systems that had not been on my network, the DNS was immediately hijacked. So, this was coming down the Comcast pipe and the Comcast firewall was not blocking. Why Norton did not block network setting changes I don't know. Maybe it cannot determine valid updates from those that are not valid. Norton did block the resulting malicious attacks.

I brought in an IT pro with more magic to scour the computer software and they confirmed two connected Windows systems were clean.

I sent an email to abuse@comcast.net, Subj: "FIREWALL issue", and copied in (not attached) IPCONFIG screenshots and Norton Firewall logs of intrusions.

Miraculously, or not, within 24 hrs Norton detected LAN adapter setting changes and the malicious attacks stopped. Further, IPCONFIG no longer reported UTOPIA and UTOPIA was nowhere to be found in the registry.

In the end, there was nothing I did to cause or clean the problem.

Coincidence?
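Added example, not code from any poster in this thread: a small Python checker that parses `ipconfig /all` output and flags a connection-specific DNS suffix or a resolver the owner never configured, which is the symptom raptoo describes seeing on every machine. The sample output, the `home.lan` suffix and the `192.0.2.53` resolver are constructed for the example.

```python
import re

# Constructed sample of `ipconfig /all` output; 192.0.2.53 is a
# documentation-range address standing in for an unexpected resolver.
SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : utopia.net
   IPv4 Address. . . . . . . . . . . : 10.0.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       192.0.2.53

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home.lan
   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):$")            # section header
FIELD_RE = re.compile(r"^\s{3}([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")                    # wrapped value

def parse_ipconfig(text):
    """Return {adapter name: {"suffix": str, "dns": [resolver, ...]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            current = adapters.setdefault(m.group(1), {"suffix": "", "dns": []})
            last_key = None
        elif current is not None and (m := FIELD_RE.match(line)):
            last_key, value = m.group(1).strip(), m.group(2).strip()
            if last_key == "Connection-specific DNS Suffix":
                current["suffix"] = value
            elif last_key == "DNS Servers" and value:
                current["dns"].append(value)
        elif current is not None and last_key == "DNS Servers" and (m := CONT_RE.match(line)):
            current["dns"].append(m.group(1).strip())  # 2nd, 3rd... resolver
    return adapters

def audit(adapters, expected_suffixes, allowed_resolvers):
    """Flag any suffix or resolver the owner did not configure (suffix compared case-insensitively)."""
    findings = []
    for name, cfg in adapters.items():
        if cfg["suffix"] and cfg["suffix"].lower() not in expected_suffixes:
            findings.append((name, "unexpected DNS suffix", cfg["suffix"]))
        findings += [(name, "unexpected DNS server", s)
                     for s in cfg["dns"] if s not in allowed_resolvers]
    return findings
```

Feed it the real output of `ipconfig /all` and your own expected suffix and resolver set; a finding on a machine that has been powered off for months points at the gateway or upstream configuration rather than at that machine.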

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 47
Re: Help with Utopia.net
« Reply #3 on: October 13, 2019, 06:41:42 AM »
If you are in Utah, then you have to understand Comcast/XFinity didn't lay out their own fiber lines.  Most of the fiber in Utah is owned, or was owned, by Utopia.  Because sometimes... a lot of times... Comcast doesn't update information coming from the IP WHOIS registry (not the same as your Windows registry) or listing, it can show up as Utopia.

I know you marked this as solved but I thought it might be worth letting you know to ease your worry about your other machines causing the issue.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Help with Utopia.net
« Reply #4 on: October 13, 2019, 05:07:19 PM »
Hi Skilletschool,

You sure are in some form of comcast/utopia predicament, yep, you certainly are out on the cold tiles, there.
Not "America the Great" this time. :o

Dreaded arris TG862 standard Comcast wireless router by the way, then we go - "Oh my greatgrandfathers!".

Again the dreaded Utopia dot net - too bad -> read: https://en.internet.nl/site/utopia.net/626583/
With hackable modems: https://forums.xfinity.com/t5/Your-Home-Network/DPC3941T-Modem-hacked-Utopia-net/td-p/2888703

Browser redirecting malware - read (while forgetting about the Spyhunter advertorial, not using it has valid information beyond that)
https://forums.xfinity.com/t5/Your-Home-Network/DPC3941T-Modem-hacked-Utopia-net/td-p/2888703
A DNS hijack - read: https://www.bleepingcomputer.com/forums/t/647723/utopianet-dns-hijack/

Use CCleaner and AdwCleaner or better even, wait for assistance here from a qualified remover, that is your best option.

Also read: https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/can-i-remove-cisco-eap-fast-module-cisco-leap/8fc13157-99ec-4215-bc2b-49c03b48b396

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Help with Utopia.net
« Reply #5 on: October 13, 2019, 05:32:36 PM »
Just clicked utopia dot net for a zonemaster report; warnings on detected flaws:
ADDRESS
1   ADDRESS   WARNING   Nameserver -ns63.worldnic.com has an IP address (-207.204.40.132) without PTR configured.
2   ADDRESS   WARNING   Nameserver -ns64.worldnic.com has an IP address (-207.204.21.132) without PTR configured.
CONNECTIVITY
5      CONNECTIVITY   WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (55002).
7      CONNECTIVITY   WARNING   All nameservers in the delegation are in the same AS (55002). 
NAMESERVER
12   NAMESERVER   WARNING   Nameserver -ns64.worldnic.com/-207.204.21.132 accepts an unsupported EDNS version.
13   NAMESERVER   WARNING   Nameserver -ns63.worldnic.com/-207.204.40.132 accepts an unsupported EDNS version.
ZONE (a.k.a. domain)
1   ZONE   NOTICE   SOA 'refresh' value (10800) is less than the recommended minimum (14400).

Re: https://www.shodan.io/host/207.204.40.132 - Consider: https://en.internet.nl/site/defense.net/626608/
no DNSSEC security, no HTTPS security  redirecting to -https://www.f5.com/products/security/silverline/ddos-protection

Retirable jQuery library:
jquery   3.3.1   Found in hXtps://www.f5.com/etc.clientlibs/f5-com/clientlibs/clientlib-base.911db4aeb2e8ad9cf8fa582f1353a67c.js
Vulnerability info:
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

Insecure against snoopers - This website is insecure.
100% of the trackers on this site could be protecting you from NSA snooping. Tell -defense.net to fix it.

 All trackers
At least 4 third parties know you are on this webpage.

 -www.f5.com
 -assets.adobedtm.com
 -consent.trustarc.com
 -static.cloud.coveo.com

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: October 13, 2019, 05:35:02 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 47
Re: Help with Utopia.net
« Reply #6 on: October 13, 2019, 07:56:56 PM »
Utopia Fiber used to use this domain.  I know because I've been on their fiber since 2004.  They no longer use it and have an actual DOT com address.

As well, the issue isn't with Utopia Fiber at all.  It's the fact Comcast can't pay for their own fiber lines and Utopia Fiber runs fiber all over Utah (and a few surrounding states).  It's cheaper to use their lines than AT&T lines so Comcast goes with the cheaper option... which is smart.  Again, however, they don't update WHOIS across the lines and AP ranges they purchased from Utopia, and the internet registrar still has Utopia.Net as the owner.

Utopia themselves are not actually an ISP, but an NPO infrastructure that maintains the fiber lines.  They are essentially a co-op for FTTH.  They have done good in Utah, when you ask people not lost in the political lies (not so fond of co-ops here in Utah because the government can't make much money from 'em).  They are not the monopoly most are; in fact we have about 12 choices for ISP across the fiber where I'm at.  In my own city, we have set their functioning up so well that we now have the lowest tax rates concerning business, sales tax, and property tax in the nation (or tie with a few other fiscally responsible cities).  My neighboring city fell for the politics and shut their fiber lines down even though the city still owed a $50 mil bond on it.  They then sold the lines to Google for $1... again, even though the people still held the bond measure and Google didn't pay anything towards the bond.

Anyhow, that's a bit off topic.  Bottom line is I would get the DNS name of Utopia.Net when I had to move to a non-Utopia area and had to go with the monopoly of XFinity, but I knew why it was like that so I didn't worry as much as I would have without knowing this.

Unless some malicious organization has bought the domain name and set it up, it's just giving those errors because XFinity does the absolute bare minimum, as if you are stuck in an area that is Comcast you don't have a choice, so what do they care.  That's most likely what's happened here... it's only an issue of Comcast/Time Warner/Cox cable laziness.

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 47
Re: Help with Utopia.net
« Reply #7 on: October 13, 2019, 08:01:08 PM »
I just ran the WHOIS on the domain itself and it's not owned by any one person.  It's in the hands of a hosting provider, like GoDaddy, called Network Solutions.

Again, this is most likely because all the registrar info hasn't been updated by the cable provider.

(There is more than just the WHOIS for this info but I can't remember it right now.  If anyone else wants to continue the homework and scooby-doo'ing on this, I hope this is a good jumping off point.)

https://www.godaddy.com/whois/results.aspx?domain=utopia.net&recaptchaResponse=03AOLTBLRK9HxEEjh9Uo0S55dE3mA8AEb8JjuSm6WuEbXcWystv4xTz0zJfOmVyneA27lm3vzuHCG5ZE0K6_7a2ELD-tqirVn4jOx_08XX6Hpe1GssA1U2ZUaoEAUWxSXy-d_pbMT_xVKi7J4HpMDmz-H95tG__e27jSM7O3xvxP7bDjT3HT5Pq-2vSpUdvbiosaebvKPfnOVGs01IhUMqkN8Ny3OpvX0Ajl2x8OfkBQpF8XSVsJlSFIUNOZupJpcmP7UO9ygT-k-Cf0AKBsn9k2A78cabPioxsY_wn-Za421Mi6K9d8e3fvrfdHyE1OQ7sIECJjgj8bQvyUXvq1gkBp8zCtQxD-3s0IS3HyJOGi9c7EqpV1aR0rn7QrjydFQ90ghOtyiSULG9yRHyQsQfSQsa79YfIpg9iH7E-j2dOsj_VcQgDPTHq7ZWRnWtQozeqXHAVUjspjXnnGEhXlxsCee658K9ApfBmkUwNW2wUktT-1BF9YejLxuVQkRJu9YdWc0y8hrt_3br&isc=gofdb026

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Help with Utopia.net
« Reply #8 on: October 13, 2019, 09:47:56 PM »
Consider: https://www.immuniweb.com/websec/?id=UtvvmgXd

What I see on the tested url -www.f5.com =
-ihealth-api.f5.com
-frog.tom.f5.com
-eft.f5.com  with an F and C grade HTTPS scan.
fingerprinted CMS component is outdated, update to the most recent.
Missing or misconfigured best policy header settings. (info source - immuniweb).

@SkilletSkool, tested that link - nothing on relations -> https://www.virustotal.com/gui/ip-address/23.61.165.70/relations

pol
« Last Edit: October 13, 2019, 10:15:04 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!