full-disclosure - Mystery DNS Changes

lists.openwall.net		lists / announce john-users owl-users popa3d-users / xvendor oss-security / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4
Open Source and information security mailing list archives

This website is powered by Openwall GNU/*/Linux security-enhanced OS

[<prev] [next>] [month] [year] [list]

From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: Mystery DNS Changes

	-----Original Message-----
	From: Hansen, Kevin [mailto:kevin.hansen@...mson.com] 
	Sent: Wednesday, October 01, 2003 2:19 PM
	To: 'full-disclosure@...ts.netsys.com'
	Subject: [Full-Disclosure] Mystery DNS Changes
	
	

	We have seen multiple instances where DHCP enabled workstations
have had their DNS reconfigured to point to two of the three addresses
listed below. Can anyone else confirm this? Incidents.org is reporting
an increase in port 53 traffic over the last two days. Are we looking at
the precursor to the next worm?

	216.127.92.38 
	69.57.146.14 
	69.57.147.175  

	 

	According to McAfee:

	This is the QHosts-1 trojan
http://vil.nai.com/vil/content/v_100719.htm
<http://vil.nai.com/vil/content/v_100719.htm> 

	 

	Paul Schmehl (pauls@...allas.edu)
	Adjunct Information Security Officer
	The University of Texas at Dallas
	AVIEN Founding Member
	http://www.utdallas.edu/~pauls/ 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031001/343265f5/attachment.html