Threat Level: green Handler on Duty: Russ McRee

SANS ISC: * New DNS cache poisoning server; DNS Poisoning stats; Bluemountain; Win2k3 SP1; Details; port 1025; MS05-002 problem SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
* New DNS cache poisoning server; DNS Poisoning stats; Bluemountain; Win2k3 SP1; Details; port 1025; MS05-002 problem

New DNS cache poisoning server

Looks like we got us another DNS server trying to poison DNS caches:

If you run a larger network, we recommend to block all traffic to this host.

A quick check with 'dig' shows that this server advertises itself as authoritative for '.com', and returns the same IP for all queries to .com domains.

For the particular report we have, the original domain that caused a querry against this DNS server was (Thanks Adrien for figuring this out!!)

Once your cache is poisoned. All requests to .com hosts are redirected either to or You will see a minimal search enigne like page and an advertisement for _http_:// (DO NOT CLICK),

dig @

; <<>> DiG 9.2.4 <<>> @
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59667
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

; IN A

;; ANSWER SECTION: 99999 IN A 99999 IN A

com. 99999 IN NS


;; Query time: 236 msec
;; WHEN: Thu Mar 31 16:01:07 2005
;; MSG SIZE rcvd: 105

DNS Poisoning Stats

The DNS spoofing attack on March 3rd redirected affected users to a set of
compromissed web servers. Some of the administrators of these servers agreed
to share logs collected during the attack (THANKS!). Based on these logs, we
collected the following statistics:

o 1,304 domains poisoned (pulled from the referer entries in the HTTPD logs)

o 7,973,953 HTTP get attempts from 966 unique IP addresses.

o 75,529 incoming email messages from 1,863 different mailservers.

o 7,455 failed FTP logins from 635 unique IP addresses (95 unique user accounts).

o 7,692 attempted IMAP logins (805 unique users, 411 unique IP addresses).

o 2,027 attempted logins to 82 different webmail (HTTP) servers.

BlueMounting Greeting Cards

We received multiple reports about "BlueMountain Greeting Cards" being used to spread malware. The links read like they link to the web site, but in fact they link to other sites not affiliated with The email headers are fake and not sent via

Sites the e-mails link to (looks down now, but note that these sites may distribute malware. DO NOT CLICK).



(thank to Brian for additional versions of the URL).

Typical content (thanks Chris!):

To: username
Subject: Username, You've received a postcard!

To view your eCard, choose from the options below.
Click on the following link.


Enter the following eCard Number, 117890283650, on our Card Pick Up Window at

If you have any comments or questions, please visit

Thanks for using

Windows 2003 SP1 released

was released today. One of the new features is a "Security Configuration Wizard". If you had a chance to use it, let us know how you liked it.

Service Packs usually include all past patches, and a set of new features. You should carefully test service packs before deploying them in a production environment. details

Ryan Barnett setup a cgi script on his web server to collect more information from exploit attempts. This is achieved using the following httpd.conf directive:

ScriptAliasMatch /awstats\.pl /var/www/htdocs/cgi-bin/script$1

the 'script' will parse any commands passed to it, and provide plausible but fake responses. Shortly after Ryan's script detected the standard '' attempt
( /cgi-bin/|echo%20;echo%20;id;echo%20;echo|), he detected a followup exploit from the same IP address:

Request: a.b.c.d - - [31/Mar/2005:06:59:30 --0500] "GET /cgi-bin/
r=|echo;echo+DTORS_START;id;echo+DTORS_STOP;echo| HTTP/1.0" 403 743
Handler: cgi-script
GET /cgi-bin/|echo;echo+DTORS_START;
id;echo+DTORS_STOP;echo| HTTP/1.0
mod_security-message: Access denied with code 403. Pattern match "!^[-a-zA-z0-9\._/]+$" at
mod_security-action: 403

HTTP/1.0 403 Forbidden

A google search for the string 'DTORS_START' and 'DTORS_STOP' leads to an awstats exploit package on

Nice detect Ryan!

Port 1025

Orlando detected a large increase in port 1025 scans of his network. The scans subsided after a day, but are noteworthy. If you see any temporary increases in TCP SYN scans to port 1025, please try to setup a little netcat honeypot. Our best guess so far is that these scans target an RPC service.

MS05-002 Problem

The FrSIRT reports that Windows 9x and ME users report problems with patch MS05-002. After installing this patch, MSIE will no longer start. For details, see this discussion on

If you do still use a Windows version prior to Windows XP/2000, you should upgrade to a newer version of Windows.


Johannes Ullrich, SANS Institute (jullrich\at/

3913 Posts
ISC Handler
Mar 31st 2005

Sign Up for Free or Log In to start participating in the conversation!