| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: JBrown at thrupoint.net (Brown, James (Jim)) Subject: Mystery DNS Changes -----Original Message----- From: Hansen, Kevin To: 'full-disclosure@...ts.netsys.com' Sent: 10/1/03 3:19 PM Subject: [Full-Disclosure] Mystery DNS Changes We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm? 216.127.92.38 69.57.146.14 69.57.147.175 Are these entries coming in the DHCP packets or are they being set *after* DHCP is complete? Are compromised systems acting like DHCP servers stuffing their own DNS entries into specially crafted replies? Can you post traffic dumps? Best Regards, jpb === Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ThruPoint, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031001/3f04b77a/attachment.html
Powered by blists - more mailing lists