From: HarrisMC at health.missouri.edu (Harris, Michael C.)
Subject: Mystery DNS Changes

I have laid hands on a machine hit with the Qhosts-1 Trojan.

It drops a replacement hosts file in the $system%\help\ directory
and also makes the registry changes described in the NAI posting
http://vil.nai.com/vil/content/v_100719.htm

DNS detail, hosts file details, and captured headers all follow below the signature block.
Sorry for the length of the message, and no, I don't have a full capture.

Mike 
-------------------------------------------------------------------
Michael C Harris
System Security Analyst - GSEC
University of Missouri Health Center
harrismc@...lth.missouri.edu  KC0PAH
-------------------------------------------------------------------

DNS changed to 
69.57.146.14 
69.57.147.175  

hosts file included the following entries


sample headers 
-----Original Message-----
From: David Vincent [mailto:david.vincent@...htyoaks.com]
Sent: Wednesday, October 01, 2003 5:01 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Mystery DNS Changes


It was said:

------------------
We have seen multiple instances where DHCP enabled workstations have had 
their DNS reconfigured to point to two of the three addresses listed 
below. Can anyone else confirm this? Incidents.org is reporting an 
increase in port 53 traffic over the last two days. Are we looking at 
the precursor to the next worm? 
216.127.92.38 
69.57.146.14 
69.57.147.175 

Are these entries coming in the DHCP packets or are they being 
set *after* DHCP is complete?  Are compromised systems acting 
like DHCP servers stuffing their own DNS entries into 
specially crafted replies? 
Can you post traffic dumps? 
------------------
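The pattern described above (a dropped hosts file pointing dozens of search-engine names at one public address) is easy to audit for. The following is an added example, not code from the post or from NAI: it parses hosts-file text and flags any non-loopback, non-private address that owns several distinct hostnames. The sample input is constructed for the example, using two addresses quoted in the post; the threshold of 3 is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the style of the hosts file quoted in the post
# (a handful of entries; the real file mapped ~100 search-engine names).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
88.88.88.88 elite
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 search.yahoo.com
207.44.194.56 search.msn.com   # trailing comment
10.1.2.3 intranet.example.test
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments
    and malformed lines (a hosts line may carry several names)."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; skip rather than crash
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip
        for name in fields[1:]:
            pairs.append((str(ip), name.lower()))
    return pairs

def suspicious_redirects(text, threshold=3):
    """Return {ip: [hostnames]} for every public address that the hosts
    file maps `threshold` or more distinct names to. One public IP owning
    many unrelated search-engine names is the Qhosts signature; loopback,
    private and link-local targets are normal local overrides and skipped."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            continue
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= threshold}

if __name__ == "__main__":
    for ip, names in suspicious_redirects(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks {len(names)} names: {', '.join(names)}")
```

On a live Windows box the same function can be fed the contents of the system's hosts file; a single unknown public IP owning many well-known names is the thing to act on.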

