Message-ID: <3F7B84E9.60500@jackhammer.org>
From: pdt at jackhammer.org (Paul Tinsley)
Subject: Mystery DNS Changes
Don't know if this will help anybody else but I have added this to all
my sensors that see internal traffic headed for firewalls:
var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]
alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic";
sid:900027; rev:1;)
This along with a rule in my alerting software that alerts once per hour
per machine that is triggering this alert seems to be working pretty well.
Harris, Michael C. wrote:
>I have laid hands on a machine hit with the Qhosts-1 Trojan
>
>It drops a replacement hosts file in the %system%\help\ directory
>and also makes the registry changes described in the NAI posting
>http://vil.nai.com/vil/content/v_100719.htm
>
>DNS detail, hosts file details, and captured headers all follow below the signature block.
>Sorry for the length of the message, and no, I don't have a full capture.
>
>Mike
>-------------------------------------------------------------------
>Michael C Harris
>System Security Analyst - GSEC
>University of Missouri Health Center
>harrismc@...lth.missouri.edu KC0PAH
>-------------------------------------------------------------------
>
>DNS changed to
>69.57.146.14
>69.57.147.175
>
>hosts file included the following entries
>
>
>sample headers
>
>-----Original Message-----
>From: David Vincent [mailto:david.vincent@...htyoaks.com]
>Sent: Wednesday, October 01, 2003 5:01 PM
>To: full-disclosure@...ts.netsys.com
>Subject: RE: [Full-Disclosure] Mystery DNS Changes
>
>it was said....
>
>------------------
>We have seen multiple instances where DHCP enabled workstations have had
>their DNS reconfigured to point to two of the three addresses listed
>below. Can anyone else confirm this? Incidents.org is reporting an
>increase in port 53 traffic over the last two days. Are we looking at
>the precursor to the next worm?
>216.127.92.38
>69.57.146.14
>69.57.147.175
>
>Are these entries coming in the DHCP packets or are they being
>set *after* DHCP is complete? Are compromised systems acting
>like DHCP servers stuffing their own DNS entries into
>specially crafted replies?
>Can you post traffic dumps?
>------------------
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
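A host-side counterpart to the wire-side Snort rule, added here as an example (it is not code from Paul's or Mike's posts): it parses a hosts file, reports routable addresses that many hostnames have been pinned to (the Qhosts pattern of search-engine names mapped to one IP), and checks configured resolvers against the three DNS addresses named in the thread. The hosts file content is a constructed sample; the intranet entry in it is hypothetical.

```python
"""Host-side check for the Qhosts-style tampering described in the thread."""
import ipaddress
from collections import defaultdict

# Rogue DNS server addresses named in the thread.
MAL_DNS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}

# Constructed sample hosts file: benign lines plus entries in the shape
# Mike reported (one routable IP pinned to many search-engine names).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
88.88.88.88 elite
207.44.194.56 www.google.com
207.44.194.56 google.com
207.44.194.56 search.yahoo.com
207.44.194.56 search.msn.com
192.168.1.10    intranet.example   # hypothetical local entry
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blanks and bad lines skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # resolvers ignore malformed lines; so do we
        for name in fields[1:]:
            yield addr, name.lower()

def public_overrides(text):
    """Map each globally routable IP to the names pinned to it (loopback/private are normal)."""
    by_ip = defaultdict(list)
    for addr, name in parse_hosts(text):
        if addr.is_global:
            by_ip[str(addr)].append(name)
    return dict(by_ip)

def hijack_clusters(text, min_names=3):
    """Routable IPs shared by min_names+ hostnames: the Qhosts pattern (~100 names on one IP)."""
    return {ip: names for ip, names in public_overrides(text).items()
            if len(names) >= min_names}

def check_dns_servers(servers):
    """Configured resolvers that match the thread's rogue DNS addresses."""
    return sorted(set(servers) & MAL_DNS)
```

Paul's rule above matches protocol tcp only; stub resolvers send ordinary lookups over UDP 53, so a matching udp rule is needed to see most of that traffic on the wire.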