Full Disclosure
mailing list archives
RE: Mystery DNS Changes
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 1 Oct 2003 16:25:02 -0500
-----Original Message-----
From: Hansen, Kevin [mailto:kevin.hansen () thomson com]
Sent: Wednesday, October 01, 2003 2:19 PM
To: 'full-disclosure () lists netsys com'
Subject: [Full-disclosure] Mystery DNS Changes

We have seen multiple instances where DHCP enabled workstations
have had their DNS reconfigured to point to two of the three addresses
listed below. Can anyone else confirm this? Incidents.org is reporting
an increase in port 53 traffic over the last two days. Are we looking at
the precursor to the next worm?

216.127.92.38
69.57.146.14
69.57.147.175

According to McAfee:
This is the QHosts-1 trojan
http://vil.nai.com/vil/content/v_100719.htm
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/