<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: [Full-Disclosure] Mystery DNS Changes</TITLE>
</HEAD>
<BODY>
<BR>
<BR>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Hansen, Kevin</FONT>
<BR><FONT SIZE=2>To: 'full-disclosure@lists.netsys.com'</FONT>
<BR><FONT SIZE=2>Sent: 10/1/03 3:19 PM</FONT>
<BR><FONT SIZE=2>Subject: [Full-Disclosure] Mystery DNS Changes</FONT>
</P>
<P><FONT SIZE=2>We have seen multiple instances where DHCP enabled workstations have had</FONT>
<BR><FONT SIZE=2>their DNS reconfigured to point to two of the three addresses listed</FONT>
<BR><FONT SIZE=2>below. Can anyone else confirm this? Incidents.org is reporting an</FONT>
<BR><FONT SIZE=2>increase in port 53 traffic over the last two days. Are we looking at</FONT>
<BR><FONT SIZE=2>the precursor to the next worm?</FONT>
</P>
<P><FONT SIZE=2>216.127.92.38 </FONT>
<BR><FONT SIZE=2>69.57.146.14 </FONT>
<BR><FONT SIZE=2>69.57.147.175 </FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>Are these entries coming in the DHCP packets or are they being</FONT>
<BR><FONT SIZE=2>set *after* DHCP is complete? Are compromised systems acting</FONT>
<BR><FONT SIZE=2>like DHCP servers stuffing their own DNS entries into</FONT>
<BR><FONT SIZE=2>specially crafted replies?</FONT>
</P>
<P><FONT SIZE=2>Can you post traffic dumps?</FONT>
</P>
<P><FONT SIZE=2>Best Regards,</FONT>
<BR><FONT SIZE=2>jpb</FONT>
<BR><FONT SIZE=2>===</FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ThruPoint, Inc.</FONT></P>
</BODY>
</HTML>