SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-10-01

DNS abnormalities

Published: 2003-10-01
Last Updated: 2003-10-02 13:10:38 UTC
by Handlers (Version: 1)

**** UPDATE ****
The odd DNS issues are likely caused by the QHosts-1 Trojan. For details see:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719

http://vil.nai.com/vil/content/v_100719.htm
********
As initially posted to the SANS intrusions list, some sites are observing an increase
in abnormal DNS queries. For the original post, see
http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg00003.html

A likely related issue has been reported to NT Bugtraq:
http://www.ntbugtraq.com/default.asp?pid=36&sid=12&A2=ind0310&L=ntbugtraq&D=0&F=P&P=1048

Here, a user reported that "Various Windows 2000 professional workstations are changing the DNS servers they are configured to use". The new DNS servers, 216.127.92.38 and 69.57.146.14, are hosted by 'Everyone's Internet Inc.' (ev1.com).

This user also reported suspicious changes to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

For more details, see this NT Bugtraq post:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&D=0&F=P&P=1879
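
The registry changes above are easy to check for across a fleet once the Tcpip\Parameters\Interfaces key has been exported from each workstation. The following is an added example (not code from the diary, the NT Bugtraq poster, or McAfee) that parses a .reg-style export and flags three things: a static "NameServer" that is not on the site's approved resolver list, a static "NameServer" sitting on an interface that also carries DHCP lease values (a DHCP client normally receives its resolvers in "DhcpNameServer", and a static "NameServer" overrides them), and the stray "r0x"="your s0x" marker from the report. It also notes an interface subkey whose name is not an adapter GUID, as "windows" is above. The approved-resolver addresses, the clean interface's GUID and the sample export are constructed for the example; the suspicious values are the ones posted above.

```python
"""Audit a Windows 2000 Tcpip\\Parameters\\Interfaces export for rogue DNS settings.

Added example, not part of the ISC diary. Works offline on the text of
`reg export` output; APPROVED_DNS and the sample export are constructed.
"""
import re

# Key prefix exactly as it appears in a .reg export of HKLM.
IFACE_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

# Hypothetical site resolvers; any other static NameServer is flagged.
APPROVED_DNS = {"10.0.0.53", "10.0.1.53"}

# Values that show DHCP configured the interface.
DHCP_MARKERS = {"LeaseObtainedTime", "LeaseTerminatesTime", "T1", "T2", "DhcpServer"}

# Marker value seen in the NT Bugtraq report.
ROGUE_MARKER = ("r0x", "your s0x")

# Adapter subkeys under Interfaces are normally {GUID} names.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))\s*$')

# Constructed export: the two keys from the report plus one clean DHCP interface.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}]
"DhcpNameServer"="10.0.0.53"
"LeaseObtainedTime"=dword:3dfe8830
"""


def parse_reg(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, as_str, as_dword = m.groups()
            keys[current][name] = as_str if as_str is not None else int(as_dword, 16)
    return keys


def audit_interfaces(reg, approved=APPROVED_DNS):
    """Return a list of (interface_subkey, finding) tuples; empty means clean."""
    findings = []
    for path, values in reg.items():
        if not path.startswith(IFACE_PREFIX + "\\"):
            continue
        iface = path[len(IFACE_PREFIX) + 1:]
        if not GUID_RE.match(iface):
            findings.append((iface, "interface subkey name is not an adapter GUID"))
        # NameServer holds a comma- or space-separated list of static resolvers.
        servers = [s for s in re.split(r"[,\s]+", values.get("NameServer", "")) if s]
        for server in servers:
            if server not in approved:
                findings.append((iface, f"unapproved static NameServer {server}"))
        if servers and DHCP_MARKERS & values.keys():
            findings.append((iface, "static NameServer overriding DHCP-assigned DNS"))
        name, data = ROGUE_MARKER
        if values.get(name) == data:
            findings.append((iface, f'marker value "{name}"="{data}" present'))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_interfaces(parse_reg(SAMPLE_REG)):
        print(f"{iface}: {finding}")
```

Feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` from each suspect workstation; on a live host the same values can be read straight from HKLM instead of from an export. A hit on the DHCP-override check is worth following up even when the static resolver happens to be on the approved list, since a DHCP client with a hand-set NameServer is unusual on a managed network.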
------

If you would like to share any related logs, please send them to isc_AT_sans.org