[Full-Disclosure] Mystery DNS Changes
Mary Landesman
mlande at bellsouth.net
Wed Oct 1 22:12:48 BST 2003
This exploit has been dubbed QHosts-1 Trojan by NAI. Details can be found
at:
http://vil.nai.com/vil/content/v_100719.htm
Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com
----- Original Message -----
From: "Hansen, Kevin" <kevin.hansen at thomson.com>
To: <full-disclosure at lists.netsys.com>
Sent: Wednesday, October 01, 2003 3:19 PM
Subject: [Full-Disclosure] Mystery DNS Changes
We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed below.
Can anyone else confirm this? Incidents.org is reporting an increase in port
53 traffic over the last two days. Are we looking at the precursor to the
next worm?
216.127.92.38
69.57.146.14
69.57.147.175
-KJH
Full-Disclosure is hosted and sponsored by Secunia.