lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: tom_gordon at notes.k12.hi.us (tom_gordon@...es.k12.hi.us)
Subject: Mystery DNS Changes

Is that non-disclosure notice on your sig supposed to be a joke?

Tom




Sent by:        full-disclosure-admin@...ts.netsys.com
To:     "'Hansen, Kevin '" <kevin.hansen@...mson.com>, 
"''full-disclosure@...ts.netsys.com' '" <full-disclosure@...ts.netsys.com>
cc: 
Subject:        RE: [Full-Disclosure] Mystery DNS Changes



-----Original Message----- 
From: Hansen, Kevin 
To: 'full-disclosure@...ts.netsys.com' 
Sent: 10/1/03 3:19 PM 
Subject: [Full-Disclosure] Mystery DNS Changes 
We have seen multiple instances where DHCP enabled workstations have had 
their DNS reconfigured to point to two of the three addresses listed 
below. Can anyone else confirm this? Incidents.org is reporting an 
increase in port 53 traffic over the last two days. Are we looking at 
the precursor to the next worm? 
216.127.92.38 
69.57.146.14 
69.57.147.175 


Are these entries coming in the DHCP packets or are they being 
set *after* DHCP is complete?  Are compromised systems acting 
like DHCP servers stuffing their own DNS entries into 
specially crafted replies? 
Can you post traffic dumps? 
Best Regards, 
jpb 
=== 




Note:  The information contained in this message may be privileged and 
confidential and protected from disclosure.  If the reader of this message 
is not the intended recipient, or an employee or agent responsible for 
delivering this message to the intended recipient, you are hereby notified 
that any dissemination, distribution or copying of this communication is 
strictly prohibited.  If you have received this communication in error, 
please notify us immediately by replying to the message and deleting it 
from your computer. Thank you.  ThruPoint, Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ