Message-ID: <3F7C0BFC.5040909@jackhammer.org>
From: pdt at jackhammer.org (Paul Tinsley)
Subject: [Snort-sigs] Re: Mystery DNS Changes
Someone brought to my attention that I neglected udp (thank you Adam);
sorry about that, I was in a hurry when I posted this. There is another
rule just like the tcp one that says udp :) Both are being triggered by the
clients affected, as one would expect, so for full coverage, do both.
Paul Tinsley wrote:
> Don't know if this will help anybody else but I have added this to all
> my sensors that see internal traffic headed for firewalls:
>
> var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]
> alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;)
>
> This along with a rule in my alerting software that alerts once per
> hour per machine that is triggering this alert seems to be working
> pretty well.
>
> Harris, Michael C. wrote:
>
>> I have laid hands on a machine hit with the Qhosts-1 Trojan
>> It drops a replacement hosts file in the $system%\help\ directory
>> and also makes the registry changes described in the NAI posting
>> http://vil.nai.com/vil/content/v_100719.htm
>>
>> DNS detail, hosts file details, captured headers all follow below the
>> signature block sorry for the length of message and no I don't have a
>> full capture
>>
>> Mike
>> -------------------------------------------------------------------
>> Michael C Harris
>> System Security Analyst - GSEC
>> University of Missouri Health Center
>> harrismc@...lth.missouri.edu KC0PAH
>> -------------------------------------------------------------------
>>
>> DNS changed to 69.57.146.14 69.57.147.175
>> hosts file included the following entries
>>
>> 88.88.88.88 elite
>> 207.44.194.56 www.google.akadns.net
>> 207.44.194.56 www.google.com
>> 207.44.194.56 google.com
>> 207.44.194.56 www.altavista.com
>> 207.44.194.56 altavista.com
>> 207.44.194.56 search.yahoo.com
>> 207.44.194.56 uk.search.yahoo.com
>> 207.44.194.56 ca.search.yahoo.com
>> 207.44.194.56 jp.search.yahoo.com
>> 207.44.194.56 au.search.yahoo.com
>> 207.44.194.56 de.search.yahoo.com
>> 207.44.194.56 search.yahoo.co.jp
>> 207.44.194.56 www.lycos.de
>> 207.44.194.56 www.lycos.ca
>> 207.44.194.56 www.lycos.jp
>> 207.44.194.56 www.lycos.co.jp
>> 207.44.194.56 alltheweb.com
>> 207.44.194.56 web.ask.com
>> 207.44.194.56 ask.com
>> 207.44.194.56 www.ask.com
>> 207.44.194.56 www.teoma.com
>> 207.44.194.56 search.aol.com
>> 207.44.194.56 www.looksmart.com
>> 207.44.194.56 auto.search.msn.com
>> 207.44.194.56 search.msn.com
>> 207.44.194.56 ca.search.msn.com
>> 207.44.194.56 fr.ca.search.msn.com
>> 207.44.194.56 search.fr.msn.be
>> 207.44.194.56 search.fr.msn.ch
>> 207.44.194.56 search.latam.yupimsn.com
>> 207.44.194.56 search.msn.at
>> 207.44.194.56 search.msn.be
>> 207.44.194.56 search.msn.ch
>> 207.44.194.56 search.msn.co.in
>> 207.44.194.56 search.msn.co.jp
>> 207.44.194.56 search.msn.co.kr
>> 207.44.194.56 search.msn.com.br
>> 207.44.194.56 search.msn.com.hk
>> 207.44.194.56 search.msn.com.my
>> 207.44.194.56 search.msn.com.sg
>> 207.44.194.56 search.msn.com.tw
>> 207.44.194.56 search.msn.co.za
>> 207.44.194.56 search.msn.de
>> 207.44.194.56 search.msn.dk
>> 207.44.194.56 search.msn.es
>> 207.44.194.56 search.msn.fi
>> 207.44.194.56 search.msn.fr
>> 207.44.194.56 search.msn.it
>> 207.44.194.56 search.msn.nl
>> 207.44.194.56 search.msn.no
>> 207.44.194.56 search.msn.se
>> 207.44.194.56 search.ninemsn.com.au
>> 207.44.194.56 search.t1msn.com.mx
>> 207.44.194.56 search.xtramsn.co.nz
>> 207.44.194.56 search.yupimsn.com
>> 207.44.194.56 uk.search.msn.com
>> 207.44.194.56 search.lycos.com
>> 207.44.194.56 www.lycos.com
>> 207.44.194.56 www.google.ca
>> 207.44.194.56 google.ca
>> 207.44.194.56 www.google.uk
>> 207.44.194.56 www.google.co.uk
>> 207.44.194.56 www.google.com.au
>> 207.44.194.56 www.google.co.jp
>> 207.44.194.56 www.google.jp
>> 207.44.194.56 www.google.at
>> 207.44.194.56 www.google.be
>> 207.44.194.56 www.google.ch
>> 207.44.194.56 www.google.de
>> 207.44.194.56 www.google.se
>> 207.44.194.56 www.google.dk
>> 207.44.194.56 www.google.fi
>> 207.44.194.56 www.google.fr
>> 207.44.194.56 www.google.com.gr
>> 207.44.194.56 www.google.com.hk
>> 207.44.194.56 www.google.ie
>> 207.44.194.56 www.google.co.il
>> 207.44.194.56 www.google.it
>> 207.44.194.56 www.google.co.kr
>> 207.44.194.56 www.google.com.mx
>> 207.44.194.56 www.google.nl
>> 207.44.194.56 www.google.co.nz
>> 207.44.194.56 www.google.pl
>> 207.44.194.56 www.google.pt
>> 207.44.194.56 www.google.com.ru
>> 207.44.194.56 www.google.com.sg
>> 207.44.194.56 www.google.co.th
>> 207.44.194.56 www.google.com.tr
>> 207.44.194.56 www.google.com.tw
>> 207.44.194.56 go.google.com
>> 207.44.194.56 google.at
>> 207.44.194.56 google.be
>> 207.44.194.56 google.de
>> 207.44.194.56 google.dk
>> 207.44.194.56 google.fi
>> 207.44.194.56 google.fr
>> 207.44.194.56 google.com.hk
>> 207.44.194.56 google.ie
>> 207.44.194.56 google.co.il
>> 207.44.194.56 google.it
>> 207.44.194.56 google.co.kr
>> 207.44.194.56 google.com.mx
>> 207.44.194.56 google.nl
>> 207.44.194.56 google.co.nz
>> 207.44.194.56 google.pl
>> 207.44.194.56 google.com.ru
>> 207.44.194.56 google.com.sg
>> 207.44.194.56 www.hotbot.com
>> 207.44.194.56 hotbot.com
>>
>> sample headers
>> 2003/10/01-16:54:05.242697 161.130.204.xxx.2306 >
>> 207.44.220.30.http: S 22870760:22870760(0) win 8192 (DF)
>> 2003/10/01-16:54:05.281848 207.44.220.30.http > 161.130.204.xxx.2306:
>> S 1904832103:1904832103(0) ack 22870761 win 5840 (DF)
>> 2003/10/01-16:54:05.282723 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904832104 win 8760 (DF)
>> 2003/10/01-16:54:05.283772 161.130.204.xxx.2306 > 207.44.220.30.http:
>> P 22870761:22871132(371) ack 1904832104 win 8760 (DF)
>> 2003/10/01-16:54:05.326527 207.44.220.30.http > 161.130.204.xxx.2306:
>> . ack 22871132 win 6432 (DF)
>> 2003/10/01-16:54:05.328614 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904832104:1904833564(1460) ack 22871132 win 6432 (DF)
>> 2003/10/01-16:54:05.329041 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904833564:1904835024(1460) ack 22871132 win 6432 (DF)
>> 2003/10/01-16:54:05.330076 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904835024 win 8760 (DF)
>> 2003/10/01-16:54:05.372888 207.44.220.30.http > 161.130.204.xxx.2306:
>> P 1904835024:1904836392(1368) ack 22871132 win 6432 (DF)
>> 2003/10/01-16:54:05.446322 161.130.204.xxx.2306 > 207.44.220.30.http:
>> P 22871132:22871449(317) ack 1904836392 win 7392 (DF)
>> 2003/10/01-16:54:05.487111 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904836392:1904837852(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.487281 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904837852:1904839312(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.487542 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904839312:1904840772(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.488322 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904839312 win 8760 (DF)
>> 2003/10/01-16:54:05.526875 207.44.220.30.http > 161.130.204.xxx.2306:
>> P 1904840772:1904842232(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.527184 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904842232:1904843692(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.527370 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904843692:1904845152(1460) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.528025 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904842232 win 8760 (DF)
>> 2003/10/01-16:54:05.528382 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904845152 win 8760 (DF)
>> 2003/10/01-16:54:05.571528 207.44.220.30.http > 161.130.204.xxx.2306:
>> P 1904845152:1904845237(85) ack 22871449 win 7504 (DF)
>> 2003/10/01-16:54:05.750111 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904845237 win 8675 (DF)
>> 2003/10/01-16:54:16.288182 161.130.204.xxx.2306 > 207.44.220.30.http:
>> P 22871449:22871911(462) ack 1904845237 win 8675 (DF)
>> 2003/10/01-16:54:16.329439 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904845237:1904846697(1460) ack 22871911 win 8576 (DF)
>> 2003/10/01-16:54:16.329929 207.44.220.30.http > 161.130.204.xxx.2306:
>> . 1904846697:1904848157(1460) ack 22871911 win 8576 (DF)
>> 2003/10/01-16:54:16.330970 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904848157 win 8760 (DF)
>> 2003/10/01-16:54:16.370436 207.44.220.30.http > 161.130.204.xxx.2306:
>> P 1904848157:1904848507(350) ack 22871911 win 8576 (DF)
>> 2003/10/01-16:54:16.548259 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904848507 win 8410 (DF)
>> 2003/10/01-16:54:31.778347 207.44.220.30.http > 161.130.204.xxx.2306:
>> F 1904848507:1904848507(0) ack 22871911 win 8576 (DF)
>> 2003/10/01-16:54:31.779090 161.130.204.xxx.2306 > 207.44.220.30.http:
>> . ack 1904848508 win 8410 (DF)
>> 2003/10/01-16:54:33.545827 161.130.204.xxx.2306 > 207.44.220.30.http:
>> R 22871911:22871911(0) win 0 (DF)
>>
>> -----Original Message-----
>> From: David Vincent [mailto:david.vincent@...htyoaks.com]
>> Sent: Wednesday, October 01, 2003 5:01 PM
>> To: full-disclosure@...ts.netsys.com
>> Subject: RE: [Full-Disclosure] Mystery DNS Changes
>>
>>
>> it was said....
>>
>> ------------------
>> We have seen multiple instances where DHCP enabled workstations have
>> had their DNS reconfigured to point to two of the three addresses
>> listed below. Can anyone else confirm this? Incidents.org is
>> reporting an increase in port 53 traffic over the last two days. Are
>> we looking at the precursor to the next worm?
>>
>> 216.127.92.38
>> 69.57.146.14
>> 69.57.147.175
>>
>> Are these entries coming in the DHCP packets or are they being set
>> *after* DHCP is complete? Are compromised systems acting like DHCP
>> servers stuffing their own DNS entries into specially crafted
>> replies? Can you post traffic dumps?
>> ------------------
>>
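As an added example, not the poster's rule set or anything else from the original thread: the tcp rule as posted, the udp companion that the follow-up says to add, and Snort's own per-source rule thresholding standing in for the external alerting software's once-per-hour rule. The three addresses are the ones reported in the thread and sid 900027 is the poster's; sid 900028 for the udp rule, the "(tcp)"/"(udp)" message suffixes and the outbound `$HOME_NET -> $MAL_DNS` direction are assumptions made here.

```snort
# Added example (not from the thread). Addresses are the three reported
# in the thread; sid 900028 and the $HOME_NET direction are assumptions.
var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]

# Outbound only: track by_src then counts the infected client, not the
# remote resolver on the reply leg. The threshold keyword (Snort 2.0+)
# limits output to one alert per client per hour, which is what the
# poster was doing in the alerting layer.
alert tcp $HOME_NET any -> $MAL_DNS 53 (msg:"Malicious DNS Traffic (tcp)"; threshold: type limit, track by_src, count 1, seconds 3600; sid:900027; rev:2;)

# udp companion: ordinary stub-resolver lookups are udp, so this is the
# rule that fires for almost every hijacked client; the tcp rule only
# sees large responses and retries.
alert udp $HOME_NET any -> $MAL_DNS 53 (msg:"Malicious DNS Traffic (udp)"; threshold: type limit, track by_src, count 1, seconds 3600; sid:900028; rev:1;)
```

The posted rule used `<>`, which also matches the resolver's replies; with `track by_src` those replies would be counted under the resolver's address rather than the client's, so the example narrows the direction to the outbound request. If the sensor sits where `$HOME_NET` is not defined, `any` in the source position reproduces the original behaviour.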