Full Disclosure mailing list archives
Re: [Snort-sigs] Re: Mystery DNS Changes
From: Paul Tinsley <pdt () jackhammer org>
Date: Thu, 02 Oct 2003 06:29:00 -0500
Someone brought to my attention that I neglected udp (thank you Adam); sorry about that, I was in a hurry when I posted this. There is another just like the tcp one that says udp :) Both are being triggered by the clients affected, as one would expect, so for full coverage, do both.
Paul Tinsley wrote:
Don't know if this will help anybody else but I have added this to all my sensors that see internal traffic headed for firewalls:

var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]
alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;)

This along with a rule in my alerting software that alerts once per hour per machine that is triggering this alert seems to be working pretty well.

Harris, Michael C. wrote:

I have laid hands on a machine hit with the Qhosts-1 Trojan. It drops a replacement hosts file in the $system%\help\ directory and also makes the registry changes described in the NAI posting http://vil.nai.com/vil/content/v_100719.htm

DNS detail, hosts file details, captured headers all follow below the signature block; sorry for the length of message, and no, I don't have a full capture.

Mike
-------------------------------------------------------------------
Michael C Harris
System Security Analyst - GSEC
University of Missouri Health Center
harrismc () health missouri edu
KC0PAH
-------------------------------------------------------------------

DNS changed to 69.57.146.14 69.57.147.175

hosts file included the following entries

sample headers

-----Original Message-----
From: David Vincent [mailto:david.vincent () mightyoaks com]
Sent: Wednesday, October 01, 2003 5:01 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Mystery DNS Changes

it was said....
------------------
We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm?

216.127.92.38
69.57.146.14
69.57.147.175

Are these entries coming in the DHCP packets or are they being set *after* DHCP is complete? Are compromised systems acting like DHCP servers stuffing their own DNS entries into specially crafted replies? Can you post traffic dumps?
------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
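As an added example (not code from the thread or from any of the posters), the same check Paul's tcp and udp Snort rules express, implemented in Python over constructed flow records: it matches either protocol to the three listed resolvers on port 53 in either direction, and throttles to one alert per internal machine per hour the way his alerting rule does. The record format and the 10.x client addresses are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# The three resolver addresses from the thread, as the /32s in Paul's MAL_DNS.
MAL_DNS = [ipaddress.ip_network(n) for n in
           ("216.127.92.38/32", "69.57.146.14/32", "69.57.147.175/32")]

# Constructed flow records (not from the thread): "time proto src > dst".
SAMPLE_FLOWS = """\
2003-10-01T16:50:00 udp 10.1.2.3:1045 > 69.57.146.14:53
2003-10-01T16:50:30 udp 10.1.2.3:1046 > 69.57.147.175:53
2003-10-01T16:51:00 tcp 10.1.2.9:2306 > 216.127.92.38:53
2003-10-01T16:52:00 tcp 10.1.2.3:2307 > 207.44.220.30:80
2003-10-01T16:55:00 udp 10.1.2.3:1050 > 192.168.0.1:53
2003-10-01T17:51:00 udp 10.1.2.3:1060 > 69.57.146.14:53
""".splitlines()

def in_mal_dns(ip):
    return any(ipaddress.ip_address(ip) in net for net in MAL_DNS)

def parse_flow(line):
    ts, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, sip, int(sport), dip, int(dport)

def mal_dns_peer(proto, sip, sport, dip, dport):
    # Bidirectional like 'alert tcp|udp any any <> $MAL_DNS 53'; gives (host, resolver).
    if proto not in ("tcp", "udp"):
        return None
    if dport == 53 and in_mal_dns(dip):
        return sip, dip
    if sport == 53 and in_mal_dns(sip):
        return dip, sip
    return None

def detect(lines, window=timedelta(hours=1)):
    # At most one alert per internal host per window (Paul's once-an-hour-per-machine rule).
    last_alert, alerts = {}, []
    for line in lines:
        ts, proto, sip, sport, dip, dport = parse_flow(line)
        match = mal_dns_peer(proto, sip, sport, dip, dport)
        if match is None:
            continue
        host, resolver = match
        if host in last_alert and ts - last_alert[host] < window:
            continue  # already alerted on this machine within the window
        last_alert[host] = ts
        alerts.append((ts.isoformat(), host, proto, resolver))
    return alerts
```

Running `detect(SAMPLE_FLOWS)` yields three alerts: the second udp query from 10.1.2.3 is suppressed as a repeat within the hour, while the one 61 minutes later is reported again.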