[Full-Disclosure] Mystery DNS Changes
tom_gordon at notes.k12.hi.us
tom_gordon at notes.k12.hi.us
Wed Oct 1 23:38:13 BST 2003
Is that non-disclosure notice on your sig supposed to be a joke?
Tom
Sent by: full-disclosure-admin at lists.netsys.com
To: "'Hansen, Kevin '" <kevin.hansen at thomson.com>,
"''full-disclosure at lists.netsys.com' '" <full-disclosure at lists.netsys.com>
cc:
Subject: RE: [Full-Disclosure] Mystery DNS Changes
-----Original Message-----
From: Hansen, Kevin
To: 'full-disclosure at lists.netsys.com'
Sent: 10/1/03 3:19 PM
Subject: [Full-Disclosure] Mystery DNS Changes
We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed
below. Can anyone else confirm this? Incidents.org is reporting an
increase in port 53 traffic over the last two days. Are we looking at
the precursor to the next worm?
216.127.92.38
69.57.146.14
69.57.147.175
Are these entries coming in the DHCP packets or are they being
set *after* DHCP is complete? Are compromised systems acting
like DHCP servers stuffing their own DNS entries into
specially crafted replies?
Can you post traffic dumps?
Best Regards,
jpb
===
Note: The information contained in this message may be privileged and
confidential and protected from disclosure. If the reader of this message
is not the intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby notified
that any dissemination, distribution or copying of this communication is
strictly prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and deleting it
from your computer. Thank you. ThruPoint, Inc.
Full-Disclosure is hosted and sponsored by Secunia.