Obtaining information about infections on your network
All ISPs are asked to notify their affected customers and encourage remediation. If you run a network and would like information about DNS Changer infected IPs on your network, please contact one of the organizations listed below. These organizations are making this data available for free as a public benefit. They will verify that you are a responsible contact for the ASN.
DNS Changer infected IPs are tracked by origin ASN. If you do NOT have your own ASN, do NOT reach out to any of these organizations. Instead, you can quickly test your individual computers and home routers using the instructions on the checkup page.
Organization | How to Contact |
Shadowserver.org | Go to the "Get Reports on Your Network" page and follow the instructions to apply for reports. These reports will cover all malware seen by Shadowserver.org. |
Arbor Networks | https://atlas.arbor.net/contact/ (Use web form) |
Team Cymru | Please e-mail outreach@cymru.com with your organizational affiliation, ASN(s) and/or netblock(s), and request the free DNSChanger infection feed. |
Internet Identity | E-mail dnschanger_data_request@internetidentity.com to request a feed. |
Identifying infections on your network
Any host making DNS requests (UDP or TCP packets with destination port 53) to the following rogue nameserver ranges is likely infected and should be scrutinized.
Starting IP | Ending IP | CIDR |
85.255.112.0 | 85.255.127.255 | 85.255.112.0/20 |
67.210.0.0 | 67.210.15.255 | 67.210.0.0/20 |
93.188.160.0 | 93.188.167.255 | 93.188.160.0/21 |
77.67.83.0 | 77.67.83.255 | 77.67.83.0/24 |
213.109.64.0 | 213.109.79.255 | 213.109.64.0/20 |
64.28.176.0 | 64.28.191.255 | 64.28.176.0/20 |
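One way to apply the table above to exported flow or firewall logs, as an added example that is not part of the original page. The four-field log format (source, destination, protocol, destination port), the sample records and the function names are assumptions made for illustration; adapt the parsing to your own log source.

```python
import ipaddress
from collections import defaultdict

# Rogue DNS Changer nameserver ranges, copied from the CIDR column above.
ROGUE_NETS = [ipaddress.ip_network(c) for c in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Constructed sample records in an assumed "src dst proto dport" format.
# Client addresses and the legitimate resolver use RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
192.0.2.10 85.255.113.7 udp 53
192.0.2.10 85.255.113.7 udp 53
192.0.2.11 203.0.113.53 udp 53
192.0.2.12 64.28.191.255 tcp 53
192.0.2.13 64.28.192.0 udp 53
192.0.2.14 77.67.83.1 tcp 80
198.51.100.5 93.188.167.255 udp 53
malformed line
"""

def is_rogue(addr):
    """True if addr falls inside any of the rogue nameserver ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_NETS)

def find_suspect_hosts(lines):
    """Return {source_ip: set of rogue resolvers it queried on port 53}."""
    suspects = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip records that do not match the assumed format
        src, dst, proto, dport = fields
        if proto.lower() not in ("udp", "tcp") or dport != "53":
            continue  # only DNS traffic is relevant here
        try:
            if is_rogue(dst):
                suspects[src].add(dst)
        except ValueError:
            continue  # destination was not a valid IP address
    return dict(suspects)

if __name__ == "__main__":
    hits = find_suspect_hosts(SAMPLE_FLOWS.splitlines())
    for src, resolvers in sorted(hits.items()):
        print(src, "->", ", ".join(sorted(resolvers)))
```

The record for 64.28.192.0 is deliberately one address past the end of 64.28.176.0/20, and the port 80 record targets a rogue range without being DNS; neither is flagged.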