Full Disclosure: Re: Mystery DNS Changes

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: Mystery DNS Changes

From: Russell Fulton <r.fulton () auckland ac nz>
Date: Thu, 02 Oct 2003 09:14:14 +1200

On Thu, 2003-10-02 at 08:04, Gary Flynn wrote:

Hansen, Kevin wrote:

We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed below.
Can anyone else confirm this? Incidents.org is reporting an increase in port
53 traffic over the last two days. Are we looking at the precursor to the
next worm?


This is currently being discussed on NTBUGTRAQ too.


This is the QHosts-1 trojan
http://vil.nai.com/vil/content/v_100719.htm


This information was posted to the Avien list about an hour ago by
Craig Schmugar, McAfee AVERT.

<advertisement> :)
If you want fast access to information on trojans and viruses Avien is
the place to be.  Yes is costs but the membership fees are modest and
extremely good value.

www.avien.org
</advertisement>
-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

Mystery DNS Changes Hansen, Kevin (Oct 01)
- Re: Mystery DNS Changes Gary Flynn (Oct 01)
  - Re: Mystery DNS Changes Brian Eckman (Oct 01)
  - Re: Mystery DNS Changes Russell Fulton (Oct 01)
- Re: Mystery DNS Changes Mary Landesman (Oct 01)
- Message not available
  - Re: Mystery DNS Changes Mike Tancsa (Oct 01)
- Re: Mystery DNS Changes Danny Pansters (Oct 01)
- Re: Mystery DNS Changes Joe Stewart (Oct 02)
- <Possible follow-ups>
- RE: Mystery DNS Changes Brown, James (Jim) (Oct 01)