[Full-Disclosure] Mystery DNS Changes

Schmehl, Paul L pauls at utdallas.edu
Wed Oct 1 22:25:02 BST 2003


	-----Original Message-----
	From: Hansen, Kevin [mailto:kevin.hansen at thomson.com] 
	Sent: Wednesday, October 01, 2003 2:19 PM
	To: 'full-disclosure at lists.netsys.com'
	Subject: [Full-Disclosure] Mystery DNS Changes
	
	

	We have seen multiple instances where DHCP-enabled workstations
have had their DNS reconfigured to point to two of the three addresses
listed below. Can anyone else confirm this? Incidents.org is reporting
an increase in port 53 traffic over the last two days. Are we looking at
the precursor to the next worm?

	216.127.92.38 
	69.57.146.14 
	69.57.147.175  

	 

	According to McAfee:

	This is the QHosts-1 trojan
http://vil.nai.com/vil/content/v_100719.htm

	 

	Paul Schmehl (pauls at utdallas.edu)
	Adjunct Information Security Officer
	The University of Texas at Dallas
	AVIEN Founding Member
	http://www.utdallas.edu/~pauls/ 



Full-Disclosure is hosted and sponsored by Secunia.