| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <871080DEC5874D41B4E3AFC5C400611E03F60C03@UTDEVS02.campus.ad.utdallas.edu> From: pauls at utdallas.edu (Schmehl, Paul L) Subject: Mystery DNS Changes -----Original Message----- From: Hansen, Kevin [mailto:kevin.hansen@...mson.com] Sent: Wednesday, October 01, 2003 2:19 PM To: 'full-disclosure@...ts.netsys.com' Subject: [Full-Disclosure] Mystery DNS Changes We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm? 216.127.92.38 69.57.146.14 69.57.147.175 According to McAfee: This is the QHosts-1 trojan http://vil.nai.com/vil/content/v_100719.htm <http://vil.nai.com/vil/content/v_100719.htm> Paul Schmehl (pauls@...allas.edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031001/343265f5/attachment.html
Powered by blists - more mailing lists