Possible Malware? Google searches being routed through CHINA!?

Discussion in 'Software' started by Oneparanoiddude, Apr 19, 2014.

  1. Oneparanoiddude

    Oneparanoiddude Private E-2

    Ok, so I consider myself pretty paranoid about this sort of thing but I just can't find any information about whether this is an actual problem or not.

    I use a Firefox extension called Flagfox, basically a tool that puts a whole bunch of info about a website at your fingertips.

    So I'm browsing Google today and notice a big fat red Chinese flag for my Flagfox icon. I click on it and notice the IP is 74.125.70.104; after some research this appears to be a legitimate Google-owned IP range, but some websites say it's located in China, others that it's located in the US.

    I don't know what's going on here or why this is happening. I've scanned my computer a couple of different times with MBAM, Avast, and TDSSKiller. This is my only "symptom", but it's a pretty disturbing one. I connected one of my computers directly to a modem and booted to a live USB, but even then, when going to 74.125.70.104, I'm getting the Chinese flag, which suggests to me that it has nothing to do with my network (this is assuming that is a legit Google IP).

    Anyway, I'm just wondering if anyone has any insight into why this is happening. Is it a bug with some of the IP info tools? Do I have a malware infection? I just don't know enough, and googling this yields nothing.
     
  2. eddiewhite

    eddiewhite Private E-2

    You're not alone. It's been doing this, off and on, all day, for me.
     
  3. Oneparanoiddude

    Oneparanoiddude Private E-2

    Sorry to hear you're experiencing it as well, but it's nice to know I'm not the only person on the planet with this problem, as it appeared when I searched about it yesterday.

    I've actually blocked the 74.125.70.xx IP range on my router. Google search and services seem to work most/some of the time. Maybe a paranoid thing to do since it seems to be an IP range owned by Google, but until I can figure out why this is happening I'm going to err on the side of caution.

    What really boggles my mind is that I can't find any information on this on the web. This leads me to think it's probably a non-issue/recent bug.
     
  4. R.P.

    R.P. Private E-2

    I noticed this yesterday on my home machine. I immediately thought the worst as well: malware. Ran several checks, but found nothing.

    However, not experiencing the same problem at work this morning.

    I then added IP check add-ons for Firefox and Chrome. https://addons.mozilla.org/en-US/firefox/addon/ip-address-and-domain-info/ ; https://chrome.google.com/webstore/...in-inf/lhgkegeccnckoiliokondpaaalbhafoa?hl=en

    Using this tool, the server domain/address came out as expected: California, U.S. The IP info from the add-ons does not match what Flagfox is showing.

    At this point I'm thinking it must be some bug with Flagfox. (Fingers crossed)
     
  5. eddiewhite

    eddiewhite Private E-2

    Follow-up. Changed my DNS to OpenDNS servers on my router. Now showing USA flag again. Also changed my router password, again.

    /CSB

    I used to run a ClarkConnect gateway at home, with intrusion detection enabled. I would get slammed 20-30 times a day, all Chinese IP addresses. If you think you're not getting probed, you're nuts...

    /CSB
     
  6. R.P.

    R.P. Private E-2

    So for those of us not extremely tech savvy, what to do? Is this a real problem if users have firewall set up and aren't detecting malware?
     
    Last edited: Apr 23, 2014
  7. Oneparanoiddude

    Oneparanoiddude Private E-2

    Original Poster here, I can't say for sure if eddiewhite's solution worked, but it's definitely worth a shot.

    A DNS, or Domain Name Server, is what translates, say for instance, "http://forums.majorgeeks.com" into an actual IP address to get to the server.

    You're probably using your ISP's DNS servers. Switching to OpenDNS or Google Public DNS won't hurt you, and may speed up your internet a bit if you live in the US. I use Google Public DNS, which is free.

    Go Here: https://developers.google.com/speed/public-dns/docs/using

    It's actually very easy. If you're on a home network, I recommend changing the settings on a router, but you can do it on your individual computer if you want.


    "Is this a real problem if users have firewall set up and aren't detecting malware?"


    Yes, and no. In theory what could be happening is that somehow your DNS is being poisoned, and that when you type in "www.google.com" you're actually being directed to a clone on a server in China that looks and acts just like Google... except it's not Google. The fact that the IP range seems to be owned by Google, though, makes this unlikely in my mind. Another possibility is that your browser traffic was being hijacked in some other way. Of course, could just be a bug :shrugs:.

    Anyway, personally I'm no longer having any problems. I blocked the 74.125.70.xx IP range, reset my router, and changed the password (I was already using Google Public DNS).

    What I would recommend:

    Reset your router to factory default
    Reset password to something other than factory default
    Set up Google DNS
    Check if you're still getting directed to the 74.125.70.xx IP range (browse a bit to see if you get the Chinese flag)
    If you are, update your router firewall to block the 74.125.70.xx IP range.
     
    Last edited: Apr 23, 2014
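The two checks the thread keeps circling back to are (a) post 4's point that the IP lookup add-ons and Flagfox disagree about where 74.125.70.104 is, and (b) post 7's step "check if you're still getting directed to the 74.125.70.xx IP range" and its DNS-poisoning theory. The script below is an added example written for this page, not code from any poster, Flagfox, or Google. It separates the two questions a practitioner actually cares about: does the address your resolver returns fall inside the ranges the provider is known to own (a GeoIP flag colour says nothing about ownership), and does the system resolver's answer differ from a reference resolver's in a way that matters. The expected ranges 74.125.0.0/16 and 173.194.0.0/16 are assumed here for illustration; in real use, populate them from the provider's published netblocks rather than from this example. The sample resolver answers are constructed, and 203.0.113.7 is a documentation address used to stand in for an address outside every known range.

```python
"""Resolver sanity check: is the address you were handed in a range the provider owns,
and does the system resolver disagree with a reference resolver in a suspicious way?

Added example for this thread; the ranges and sample answers below are assumptions.
"""
import ipaddress
import socket

# Assumed for the example: prefixes taken to belong to the provider (Google here).
# Replace with the provider's published netblocks in real use.
EXPECTED_RANGES = [
    ipaddress.ip_network("74.125.0.0/16"),
    ipaddress.ip_network("173.194.0.0/16"),
]

# The "74.125.70.xx" range the posters were watching, assumed to be a /24.
WATCHED_RANGE = ipaddress.ip_network("74.125.70.0/24")


def classify(answers, expected=EXPECTED_RANGES, watched=WATCHED_RANGE):
    """Bucket each answer: inside an expected range, inside the watched range, or unexpected.

    An address can land in both 'expected' and 'watched' (the watched /24 sits inside
    an expected /16); 'unexpected' is the bucket that deserves investigation.
    """
    result = {"expected": [], "watched": [], "unexpected": []}
    for a in answers:
        addr = ipaddress.ip_address(a)
        if addr in watched:
            result["watched"].append(str(addr))
        if any(addr in net for net in expected):
            result["expected"].append(str(addr))
        else:
            result["unexpected"].append(str(addr))
    return result


def compare_resolvers(system_answers, reference_answers, expected=EXPECTED_RANGES):
    """Compare the system resolver's answers with a reference resolver's answers.

    Different answers on their own are normal for a large CDN-backed service; the
    signal for a poisoned resolver or hijacked traffic is a system answer that falls
    outside every expected range.
    """
    sys_set, ref_set = set(system_answers), set(reference_answers)
    suspicious = sorted(
        a for a in sys_set
        if not any(ipaddress.ip_address(a) in net for net in expected)
    )
    return {
        "only_system": sorted(sys_set - ref_set),
        "only_reference": sorted(ref_set - sys_set),
        "suspicious": suspicious,
        "hijack_suspected": bool(suspicious),
    }


def resolve(hostname, family=socket.AF_INET):
    """Live lookup through the system resolver; used only from main, never by the offline checks."""
    infos = socket.getaddrinfo(hostname, None, family, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed scenario A: the thread's situation. System resolver hands back
    # 74.125.70.104, the reference resolver hands back another address in a known
    # range. Different, but both owned by the provider: not a hijack, whatever a
    # GeoIP database says about 74.125.70.104.
    print("A:", compare_resolvers(["74.125.70.104"], ["173.194.46.99"]))
    # Constructed scenario B: the system resolver returns an address outside every
    # known range. That is the case worth treating as possible poisoning.
    print("B:", compare_resolvers(["203.0.113.7"], ["173.194.46.99"]))
    # Optional live check against the machine's own resolver.
    try:
        print("live:", classify(resolve("www.google.com")))
    except OSError as exc:
        print("live lookup skipped:", exc)
```

To turn this into the "are you still being sent to 74.125.70.xx" check from the post, run it before and after changing the router's DNS settings and look at the `watched` bucket; an address there that is also in `expected` is the provider's own, and blocking it at the router (as the posters did) only breaks the service rather than fixing anything.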
