| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: pdt at jackhammer.org (Paul Tinsley) Subject: Mystery DNS Changes Don't know if this will help anybody else but I have added this to all my sensors that see internal traffic headed for firewalls: var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32] alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;) This along with a rule in my alerting software that alerts once per hour per machine that is triggering this alert seems to be working pretty well. Harris, Michael C. wrote: >I have laid hands on a machine hit with the Qhosts-1 Trojan > >It drops a replacement hosts file in the $system%\help\ directory >and also makes the registry changes described in the NAI posting >http://vil.nai.com/vil/content/v_100719.htm > >DNS detail, hosts file details, captured headers all follow below the signature block >sorry for the length of message and no I don't have a full capture > >Mike >------------------------------------------------------------------- >Michael C Harris >System Security Analyst - GSEC >University of Missouri Health Center >harrismc@...lth.missouri.edu KC0PAH >------------------------------------------------------------------- > >DNS changed to >69.57.146.14 >69.57.147.175 > >hosts file included the following entries > >88.88.88.88 elite >207.44.194.56 www.google.akadns.net >207.44.194.56 www.google.com >207.44.194.56 google.com >207.44.194.56 www.altavista.com >207.44.194.56 altavista.com >207.44.194.56 search.yahoo.com >207.44.194.56 uk.search.yahoo.com >207.44.194.56 ca.search.yahoo.com >207.44.194.56 jp.search.yahoo.com >207.44.194.56 au.search.yahoo.com >207.44.194.56 de.search.yahoo.com >207.44.194.56 search.yahoo.co.jp >207.44.194.56 www.lycos.de >207.44.194.56 www.lycos.ca >207.44.194.56 www.lycos.jp >207.44.194.56 www.lycos.co.jp >207.44.194.56 alltheweb.com >207.44.194.56 web.ask.com >207.44.194.56 ask.com >207.44.194.56 www.ask.com >207.44.194.56 www.teoma.com >207.44.194.56 search.aol.com >207.44.194.56 www.looksmart.com >207.44.194.56 auto.search.msn.com >207.44.194.56 search.msn.com >207.44.194.56 ca.search.msn.com >207.44.194.56 fr.ca.search.msn.com >207.44.194.56 search.fr.msn.be >207.44.194.56 search.fr.msn.ch >207.44.194.56 search.latam.yupimsn.com >207.44.194.56 search.msn.at >207.44.194.56 search.msn.be >207.44.194.56 search.msn.ch >207.44.194.56 search.msn.co.in >207.44.194.56 search.msn.co.jp >207.44.194.56 search.msn.co.kr >207.44.194.56 search.msn.com.br >207.44.194.56 search.msn.com.hk >207.44.194.56 search.msn.com.my >207.44.194.56 search.msn.com.sg >207.44.194.56 search.msn.com.tw >207.44.194.56 search.msn.co.za >207.44.194.56 search.msn.de >207.44.194.56 search.msn.dk >207.44.194.56 search.msn.es >207.44.194.56 search.msn.fi >207.44.194.56 search.msn.fr >207.44.194.56 search.msn.it >207.44.194.56 search.msn.nl >207.44.194.56 search.msn.no >207.44.194.56 search.msn.se >207.44.194.56 search.ninemsn.com.au >207.44.194.56 search.t1msn.com.mx >207.44.194.56 search.xtramsn.co.nz >207.44.194.56 search.yupimsn.com >207.44.194.56 uk.search.msn.com >207.44.194.56 search.lycos.com >207.44.194.56 www.lycos.com >207.44.194.56 www.google.ca >207.44.194.56 google.ca >207.44.194.56 www.google.uk >207.44.194.56 www.google.co.uk >207.44.194.56 www.google.com.au >207.44.194.56 www.google.co.jp >207.44.194.56 www.google.jp >207.44.194.56 www.google.at >207.44.194.56 www.google.be >207.44.194.56 www.google.ch >207.44.194.56 www.google.de >207.44.194.56 www.google.se >207.44.194.56 www.google.dk >207.44.194.56 www.google.fi >207.44.194.56 www.google.fr >207.44.194.56 www.google.com.gr >207.44.194.56 www.google.com.hk >207.44.194.56 www.google.ie >207.44.194.56 www.google.co.il >207.44.194.56 www.google.it >207.44.194.56 www.google.co.kr >207.44.194.56 www.google.com.mx >207.44.194.56 www.google.nl >207.44.194.56 www.google.co.nz >207.44.194.56 www.google.pl >207.44.194.56 www.google.pt >207.44.194.56 www.google.com.ru >207.44.194.56 www.google.com.sg >207.44.194.56 www.google.co.th >207.44.194.56 www.google.com.tr >207.44.194.56 www.google.com.tw >207.44.194.56 go.google.com >207.44.194.56 google.at >207.44.194.56 google.be >207.44.194.56 google.de >207.44.194.56 google.dk >207.44.194.56 google.fi >207.44.194.56 google.fr >207.44.194.56 google.com.hk >207.44.194.56 google.ie >207.44.194.56 google.co.il >207.44.194.56 google.it >207.44.194.56 google.co.kr >207.44.194.56 google.com.mx >207.44.194.56 google.nl >207.44.194.56 google.co.nz >207.44.194.56 google.pl >207.44.194.56 google.com.ru >207.44.194.56 google.com.sg >207.44.194.56 www.hotbot.com >207.44.194.56 hotbot.com > >sample headers >2003/10/01-16:54:05.242697 161.130.204.xxx.2306 > 207.44.220.30.http: S 22870760:22870760(0) win 8192 (DF) >2003/10/01-16:54:05.281848 207.44.220.30.http > 161.130.204.xxx.2306: S 1904832103:1904832103(0) ack 22870761 win 5840 (DF) >2003/10/01-16:54:05.282723 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904832104 win 8760 (DF) >2003/10/01-16:54:05.283772 161.130.204.xxx.2306 > 207.44.220.30.http: P 22870761:22871132(371) ack 1904832104 win 8760 (DF) >2003/10/01-16:54:05.326527 207.44.220.30.http > 161.130.204.xxx.2306: . ack 22871132 win 6432 (DF) >2003/10/01-16:54:05.328614 207.44.220.30.http > 161.130.204.xxx.2306: . 1904832104:1904833564(1460) ack 22871132 win 6432 (DF) >2003/10/01-16:54:05.329041 207.44.220.30.http > 161.130.204.xxx.2306: . 1904833564:1904835024(1460) ack 22871132 win 6432 (DF) >2003/10/01-16:54:05.330076 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904835024 win 8760 (DF) >2003/10/01-16:54:05.372888 207.44.220.30.http > 161.130.204.xxx.2306: P 1904835024:1904836392(1368) ack 22871132 win 6432 (DF) >2003/10/01-16:54:05.446322 161.130.204.xxx.2306 > 207.44.220.30.http: P 22871132:22871449(317) ack 1904836392 win 7392 (DF) >2003/10/01-16:54:05.487111 207.44.220.30.http > 161.130.204.xxx.2306: . 1904836392:1904837852(1460) ack 22871449 win 7504 (DF) >2003/10/01-16:54:05.487281 207.44.220.30.http > 161.130.204.xxx.2306: . 1904837852:1904839312(1460) ack 22871449 win 7504 (DF) >2003/10/01-16:54:05.487542 207.44.220.30.http > 161.130.204.xxx.2306: . 1904839312:1904840772(1460) ack 22871449 win 7504 (DF) >2003/10/01-16:54:05.488322 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904839312 win 8760 (DF) >2003/10/01-16:54:05.526875 207.44.220.30.http > 161.130.204.xxx.2306: P 1904840772:1904842232(1460) ack 22871449 win 7504 (DF) >2003/10/01-16:54:05.527184 207.44.220.30.http > 161.130.204.xxx.2306: . 1904842232:1904843692(1460) ack 22871449 win 7504 (DF) >2003/10/01-16:54:05.527370 207.44.220.30.http > 161.130.204.xxx.2306: . 1904843692:1904845152(1460) ack 22871449 win 7504 (DF) >2003/10/01-16:54:05.528025 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904842232 win 8760 (DF) >2003/10/01-16:54:05.528382 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904845152 win 8760 (DF) >2003/10/01-16:54:05.571528 207.44.220.30.http > 161.130.204.xxx.2306: P 1904845152:1904845237(85) ack 22871449 win 7504 (DF) >2003/10/01-16:54:05.750111 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904845237 win 8675 (DF) >2003/10/01-16:54:16.288182 161.130.204.xxx.2306 > 207.44.220.30.http: P 22871449:22871911(462) ack 1904845237 win 8675 (DF) >2003/10/01-16:54:16.329439 207.44.220.30.http > 161.130.204.xxx.2306: . 1904845237:1904846697(1460) ack 22871911 win 8576 (DF) >2003/10/01-16:54:16.329929 207.44.220.30.http > 161.130.204.xxx.2306: . 1904846697:1904848157(1460) ack 22871911 win 8576 (DF) >2003/10/01-16:54:16.330970 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848157 win 8760 (DF) >2003/10/01-16:54:16.370436 207.44.220.30.http > 161.130.204.xxx.2306: P 1904848157:1904848507(350) ack 22871911 win 8576 (DF) >2003/10/01-16:54:16.548259 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848507 win 8410 (DF) >2003/10/01-16:54:31.778347 207.44.220.30.http > 161.130.204.xxx.2306: F 1904848507:1904848507(0) ack 22871911 win 8576 (DF) >2003/10/01-16:54:31.779090 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848508 win 8410 (DF) >2003/10/01-16:54:33.545827 161.130.204.xxx.2306 > 207.44.220.30.http: R 22871911:22871911(0) win 0 (DF) > > > > > > >-----Original Message----- >From: David Vincent [mailto:david.vincent@...htyoaks.com] >Sent: Wednesday, October 01, 2003 5:01 PM >To: full-disclosure@...ts.netsys.com >Subject: RE: [Full-Disclosure] Mystery DNS Changes > > >it was said.... > >------------------ >We have seen multiple instances where DHCP enabled workstations have had >their DNS reconfigured to point to two of the three addresses listed >below. Can anyone else confirm this? Incidents.org is reporting an >increase in port 53 traffic over the last two days. Are we looking at >the precursor to the next worm? >216.127.92.38 >69.57.146.14 >69.57.147.175 > >Are these entries coming in the DHCP packets or are they being >set *after* DHCP is complete? Are compromised systems acting >like DHCP servers stuffing their own DNS entries into >specially crafted replies? >Can you post traffic dumps? >------------------ > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html > >
Powered by blists - more mailing lists