Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Snort-sigs] Re: Mystery DNS Changes

From: Paul Tinsley <pdt () jackhammer org>
Date: Thu, 02 Oct 2003 06:29:00 -0500
Someone brought to my attention that I neglected udp (thank you Adam), sorry about that I was in a hurry when I posted this, there is another just like the tcp one that says udp :) Both are being triggered by the clients affected as one would expect, so for full coverage, do both. 

Paul Tinsley wrote:
Don't know if this will help anybody else but I have added this to all my sensors that see internal traffic headed for firewalls: 

var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]
alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;)
This along with a rule in my alerting software that alerts once per hour per machine that is triggering this alert seems to be working pretty well. 

Harris, Michael C. wrote:


I have laid hands on a machine hit with the Qhosts-1 Trojan
It drops a replacement hosts file in the $system%\help\ directory
and also makes the registry changes described in the NAI posting
http://vil.nai.com/vil/content/v_100719.htm
DNS detail, hosts file details, captured headers all follow below the signature block sorry for the length of message and no I don't have a full capture 

Mike -------------------------------------------------------------------
Michael C Harris
System Security Analyst - GSEC
University of Missouri Health Center
harrismc () health missouri edu  KC0PAH
-------------------------------------------------------------------
DNS changed to 69.57.146.14 69.57.147.175 hosts file included the following entries
88.88.88.88 elite 207.44.194.56 www.google.akadns.net 207.44.194.56 www.google.com 207.44.194.56 google.com 207.44.194.56 www.altavista.com 207.44.194.56 altavista.com 207.44.194.56 search.yahoo.com 207.44.194.56 uk.search.yahoo.com 207.44.194.56 ca.search.yahoo.com 207.44.194.56 jp.search.yahoo.com 207.44.194.56 au.search.yahoo.com 207.44.194.56 de.search.yahoo.com 207.44.194.56 search.yahoo.co.jp 207.44.194.56 www.lycos.de 207.44.194.56 www.lycos.ca 207.44.194.56 www.lycos.jp 207.44.194.56 www.lycos.co.jp 207.44.194.56 alltheweb.com 207.44.194.56 web.ask.com 207.44.194.56 ask.com 207.44.194.56 www.ask.com 207.44.194.56 www.teoma.com 207.44.194.56 search.aol.com 207.44.194.56 www.looksmart.com 207.44.194.56 auto.search.msn.com 207.44.194.56 search.msn.com 207.44.194.56 ca.search.msn.com 207.44.194.56 fr.ca.search.msn.com 207.44.194.56 search.fr.msn.be 207.44.194.56 search.fr.msn.ch 207.44.194.56 search.latam.yupimsn.com 207.44.194.56 search.msn.at 207.44.194.56 search.msn.be 207.44.194.56 search.msn.ch 207.44.194.56 search.msn.co.in 207.44.194.56 search.msn.co.jp 207.44.194.56 search.msn.co.kr 207.44.194.56 search.msn.com.br 207.44.194.56 search.msn.com.hk 207.44.194.56 search.msn.com.my 207.44.194.56 search.msn.com.sg 207.44.194.56 search.msn.com.tw 207.44.194.56 search.msn.co.za 207.44.194.56 search.msn.de 207.44.194.56 search.msn.dk 207.44.194.56 search.msn.es 207.44.194.56 search.msn.fi 207.44.194.56 search.msn.fr 207.44.194.56 search.msn.it 207.44.194.56 search.msn.nl 207.44.194.56 search.msn.no 207.44.194.56 search.msn.se 207.44.194.56 search.ninemsn.com.au 207.44.194.56 search.t1msn.com.mx 207.44.194.56 search.xtramsn.co.nz 207.44.194.56 search.yupimsn.com 207.44.194.56 uk.search.msn.com 207.44.194.56 search.lycos.com 207.44.194.56 www.lycos.com 207.44.194.56 www.google.ca 207.44.194.56 google.ca 207.44.194.56 www.google.uk 207.44.194.56 www.google.co.uk 207.44.194.56 www.google.com.au 207.44.194.56 www.google.co.jp 207.44.194.56 www.google.jp 207.44.194.56 www.google.at 207.44.194.56 www.google.be 207.44.194.56 www.google.ch 207.44.194.56 www.google.de 207.44.194.56 www.google.se 207.44.194.56 www.google.dk 207.44.194.56 www.google.fi 207.44.194.56 www.google.fr 207.44.194.56 www.google.com.gr 207.44.194.56 www.google.com.hk 207.44.194.56 www.google.ie 207.44.194.56 www.google.co.il 207.44.194.56 www.google.it 207.44.194.56 www.google.co.kr 207.44.194.56 www.google.com.mx 207.44.194.56 www.google.nl 207.44.194.56 www.google.co.nz 207.44.194.56 www.google.pl 207.44.194.56 www.google.pt 207.44.194.56 www.google.com.ru 207.44.194.56 www.google.com.sg 207.44.194.56 www.google.co.th 207.44.194.56 www.google.com.tr 207.44.194.56 www.google.com.tw 207.44.194.56 go.google.com 207.44.194.56 google.at 207.44.194.56 google.be 207.44.194.56 google.de 207.44.194.56 google.dk 207.44.194.56 google.fi 207.44.194.56 google.fr 207.44.194.56 google.com.hk 207.44.194.56 google.ie 207.44.194.56 google.co.il 207.44.194.56 google.it 207.44.194.56 google.co.kr 207.44.194.56 google.com.mx 207.44.194.56 google.nl 207.44.194.56 google.co.nz 207.44.194.56 google.pl 207.44.194.56 google.com.ru 207.44.194.56 google.com.sg 207.44.194.56 www.hotbot.com 207.44.194.56 hotbot.com sample headers 2003/10/01-16:54:05.242697 161.130.204.xxx.2306 > 207.44.220.30.http: S 22870760:22870760(0) win 8192 (DF) 2003/10/01-16:54:05.281848 207.44.220.30.http > 161.130.204.xxx.2306: S 1904832103:1904832103(0) ack 22870761 win 5840 (DF) 2003/10/01-16:54:05.282723 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904832104 win 8760 (DF) 2003/10/01-16:54:05.283772 161.130.204.xxx.2306 > 207.44.220.30.http: P 22870761:22871132(371) ack 1904832104 win 8760 (DF) 2003/10/01-16:54:05.326527 207.44.220.30.http > 161.130.204.xxx.2306: . ack 22871132 win 6432 (DF) 2003/10/01-16:54:05.328614 207.44.220.30.http > 161.130.204.xxx.2306: . 1904832104:1904833564(1460) ack 22871132 win 6432 (DF) 2003/10/01-16:54:05.329041 207.44.220.30.http > 161.130.204.xxx.2306: . 1904833564:1904835024(1460) ack 22871132 win 6432 (DF) 2003/10/01-16:54:05.330076 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904835024 win 8760 (DF) 2003/10/01-16:54:05.372888 207.44.220.30.http > 161.130.204.xxx.2306: P 1904835024:1904836392(1368) ack 22871132 win 6432 (DF) 2003/10/01-16:54:05.446322 161.130.204.xxx.2306 > 207.44.220.30.http: P 22871132:22871449(317) ack 1904836392 win 7392 (DF) 2003/10/01-16:54:05.487111 207.44.220.30.http > 161.130.204.xxx.2306: . 1904836392:1904837852(1460) ack 22871449 win 7504 (DF) 2003/10/01-16:54:05.487281 207.44.220.30.http > 161.130.204.xxx.2306: . 1904837852:1904839312(1460) ack 22871449 win 7504 (DF) 2003/10/01-16:54:05.487542 207.44.220.30.http > 161.130.204.xxx.2306: . 1904839312:1904840772(1460) ack 22871449 win 7504 (DF) 2003/10/01-16:54:05.488322 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904839312 win 8760 (DF) 2003/10/01-16:54:05.526875 207.44.220.30.http > 161.130.204.xxx.2306: P 1904840772:1904842232(1460) ack 22871449 win 7504 (DF) 2003/10/01-16:54:05.527184 207.44.220.30.http > 161.130.204.xxx.2306: . 1904842232:1904843692(1460) ack 22871449 win 7504 (DF) 2003/10/01-16:54:05.527370 207.44.220.30.http > 161.130.204.xxx.2306: . 1904843692:1904845152(1460) ack 22871449 win 7504 (DF) 2003/10/01-16:54:05.528025 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904842232 win 8760 (DF) 2003/10/01-16:54:05.528382 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904845152 win 8760 (DF) 2003/10/01-16:54:05.571528 207.44.220.30.http > 161.130.204.xxx.2306: P 1904845152:1904845237(85) ack 22871449 win 7504 (DF) 2003/10/01-16:54:05.750111 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904845237 win 8675 (DF) 2003/10/01-16:54:16.288182 161.130.204.xxx.2306 > 207.44.220.30.http: P 22871449:22871911(462) ack 1904845237 win 8675 (DF) 2003/10/01-16:54:16.329439 207.44.220.30.http > 161.130.204.xxx.2306: . 1904845237:1904846697(1460) ack 22871911 win 8576 (DF) 2003/10/01-16:54:16.329929 207.44.220.30.http > 161.130.204.xxx.2306: . 1904846697:1904848157(1460) ack 22871911 win 8576 (DF) 2003/10/01-16:54:16.330970 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848157 win 8760 (DF) 2003/10/01-16:54:16.370436 207.44.220.30.http > 161.130.204.xxx.2306: P 1904848157:1904848507(350) ack 22871911 win 8576 (DF) 2003/10/01-16:54:16.548259 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848507 win 8410 (DF) 2003/10/01-16:54:31.778347 207.44.220.30.http > 161.130.204.xxx.2306: F 1904848507:1904848507(0) ack 22871911 win 8576 (DF) 2003/10/01-16:54:31.779090 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904848508 win 8410 (DF) 2003/10/01-16:54:33.545827 161.130.204.xxx.2306 > 207.44.220.30.http: R 22871911:22871911(0) win 0 (DF) 






-----Original Message-----
From: David Vincent [mailto:david.vincent () mightyoaks com]
Sent: Wednesday, October 01, 2003 5:01 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Mystery DNS Changes


it was said....

------------------
We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm? 216.127.92.38 69.57.146.14 69.57.147.175 Are these entries coming in the DHCP packets or are they being set *after* DHCP is complete? Are compromised systems acting like DHCP servers stuffing their own DNS entries into specially crafted replies? Can you post traffic dumps? ------------------ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: