| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6130FAF67D15D411BF7100E01899071F865EA3@stork.mightyoaks.local>
From: david.vincent at mightyoaks.com (David Vincent)
Subject: Mystery DNS Changes
it was said....
------------------
We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed
below. Can anyone else confirm this? Incidents.org is reporting an
increase in port 53 traffic over the last two days. Are we looking at
the precursor to the next worm?
216.127.92.38
69.57.146.14
69.57.147.175
Are these entries coming in the DHCP packets or are they being
set *after* DHCP is complete? Are compromised systems acting
like DHCP servers stuffing their own DNS entries into
specially crafted replies?
Can you post traffic dumps?
------------------
check here:
http://isc.sans.org/diary.html?date=2003-10-01
------------------
DNS abnormalitities
As initially posted to the SANS intrustions list, some sites observe an
increase in abnormal DNS queries. For the original post, see
http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg00003.html
A likely related issue has been reported to NT Bugtraq:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&D=0
&F=P&P=1048
Here, a user reported that "Various Windows 2000 professional workstations
are changing the DNS servers they are configured to use". The new DNS
server, 216.127.92.38 and 69.51.146.14, is hosted by 'Everyone's Internet
Inc.', (ev1.com).
This user did report suspicous changes to the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Inter
faces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Inter
faces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
for more details, see this NT Bugtraq post:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&D=0
&F=P&P=1879
------
If you would like to share any related logs, please send them to
isc_AT_sans.org
------------------
...and someone else on NTBugTraq said...
------------------
The top DNS server change was made by a newer variant of the
Delude/Startpage trojan. It used to add bogus entries in the
system32\drivers\etc\hosts file, but lately has begun to change the
user's DNS registry settings as well. It hijacks the user's traffic to
and from major search engines, redirecting it to a single webserver
under the control of the trojan author. Any requested search pages have
popup ads for gambling/porn site registration, presumably because the
trojan author is getting money for registrations via affiliate
programs.
It is being installed via the MS03-032 IE object tag exploit. A scan of
the system may not turn up any infected files - this trojan does not
run at startup, and deletes its files after the DNS/hosts configuration
changes are complete.
------------------
-d
Powered by blists - more mailing lists