Security Incidents mailing list archives
RE: Bogus DNS traffic
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 22 Oct 2003 14:50:24 -0700
I don't think this is it. If infected clients were getting repointed to unpopulated addresses on my network, I should be seeing a fair bit of activity from each infected client to the specific addresses set by the trojan. That's not what I'm seeing. I'm seeing a very small amount of traffic from randomly scattered hosts to randomly scattered addresses.

David Gillett
-----Original Message-----
From: Mike Anderson [mailto:secure () spoofedpackets net]
Sent: October 22, 2003 13:34
To: gillettdavid () fhda edu; incidents () securityfocus com
Subject: RE: Bogus DNS traffic

Dave,

You might be seeing an increase in DNS traffic as a result of this trojan.

QHosts Trojan Horse added October 2

The CERT/CC has received reports of a new Trojan Horse program affecting Microsoft Windows systems. The QHosts or Qhosts-1 Trojan Horse has been reported to alter domain name service (DNS) settings on Windows systems and redirect users from legitimate web sites to those specified by the Trojan Horse program. The CERT/CC is tracking this activity as CERT#27882 and is interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert () cert org with "CERT#27882" in the subject line. The CERT/CC strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

I got this from CERT's website. You might want to check that out.

Mike Anderson
Systems Engineer

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Wednesday, October 22, 2003 3:39 PM
To: incidents () securityfocus com
Subject: Bogus DNS traffic

I'm seeing random UDP packets to port 53 of random internal IP addresses. The source IP addresses are external, all over the map, although the one example I've gotten a good capture of bore the source MAC address of an internal server. (Whatever is spoofing the IP address *could* be spoofing the MAC address, but that would still indicate an origin inside our network....)

Does anyone recognize this?

David Gillett

---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security
Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous networks
- Quickly respond to network events from a central console
Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
---------------------------------------------------------------------------
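A triage check for the two observations argued over in this thread, written as an added example and not code from either poster: first, a packet whose source IP is external but whose source MAC belongs to a known internal host is flagged as originating on the local segment (whether the MAC is genuine or spoofed, it was put on the wire inside the network); second, the UDP/53 traffic is summarised per (source, destination) pair, since a trojan that repointed clients at fixed resolver addresses would repeat the same pairs many times, while scanning or spoofed probes give roughly one packet per pair. The internal range, the MAC inventory and every packet below are constructed for the example.

```python
"""Triage stray UDP/53 packets: find frames that must have come from inside
the network, and tell a "repointed resolver" pattern from scattered probes.
Added example; the address range, MAC inventory and packets are constructed."""
import ipaddress
from collections import Counter

# Assumed internal address space (not the original poster's network).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumed ARP/inventory table of internal hosts: MAC -> IP.
KNOWN_INTERNAL_MACS = {
    "00:11:22:33:44:55": "10.1.1.10",   # an internal server
    "00:11:22:33:44:66": "10.1.2.20",   # a workstation
}

# Constructed sample frames: (src_mac, src_ip, dst_ip, proto, dport).
SAMPLE_PACKETS = [
    ("00:11:22:33:44:55", "203.0.113.7", "10.1.5.9", "udp", 53),    # external IP, internal MAC
    ("aa:bb:cc:dd:ee:01", "198.51.100.3", "10.2.7.14", "udp", 53),  # external IP, unknown MAC
    ("aa:bb:cc:dd:ee:02", "192.0.2.88", "10.3.9.1", "udp", 53),     # external IP, unknown MAC
    ("00:11:22:33:44:66", "10.1.2.20", "10.1.1.53", "udp", 53),     # ordinary internal query
    ("aa:bb:cc:dd:ee:03", "198.51.100.9", "10.2.7.14", "tcp", 80),  # not DNS, ignored
]


def is_internal(ip, internal_net=INTERNAL_NET):
    """True if the address falls inside the assumed internal range."""
    return ipaddress.ip_address(ip) in internal_net


def find_spoofed_sources(packets, internal_macs=KNOWN_INTERNAL_MACS,
                         internal_net=INTERNAL_NET):
    """Return UDP/53 frames whose source IP is external but whose source MAC
    is in the internal inventory. Such a frame was emitted on the local
    segment regardless of whether the MAC itself is spoofed, so the listed
    inventory host is the first place to look (or the first switch port)."""
    findings = []
    for src_mac, src_ip, dst_ip, proto, dport in packets:
        if proto != "udp" or dport != 53:
            continue
        if is_internal(src_ip, internal_net):
            continue
        inventory_ip = internal_macs.get(src_mac.lower())
        if inventory_ip is not None:
            findings.append({
                "src_mac": src_mac,
                "claimed_src_ip": src_ip,
                "inventory_ip": inventory_ip,
                "dst_ip": dst_ip,
            })
    return findings


def dns_probe_shape(packets, internal_net=INTERNAL_NET, repeat_threshold=5):
    """Summarise UDP/53 packets with external source IPs by (src, dst) pair.
    Clients repointed at a few fixed addresses repeat the same pairs heavily
    ("concentrated"); random probes give about one packet per pair
    ("scattered"). The threshold is an assumed tuning value."""
    pair_counts = Counter(
        (src_ip, dst_ip)
        for _, src_ip, dst_ip, proto, dport in packets
        if proto == "udp" and dport == 53 and not is_internal(src_ip, internal_net)
    )
    if not pair_counts:
        return {"pairs": {}, "max_repeat": 0, "pattern": "none"}
    max_repeat = max(pair_counts.values())
    pattern = "concentrated" if max_repeat >= repeat_threshold else "scattered"
    return {"pairs": dict(pair_counts), "max_repeat": max_repeat, "pattern": pattern}


if __name__ == "__main__":
    for hit in find_spoofed_sources(SAMPLE_PACKETS):
        print("local origin suspected:", hit)
    print("traffic shape:", dns_probe_shape(SAMPLE_PACKETS))
```

On a real capture the tuple list would come from a pcap reader and the MAC table from the switch or DHCP inventory; the decision logic is the same. A "scattered" result with a local-origin hit points at a single host sending spoofed packets, which is the situation the original poster describes, rather than at many infected clients.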
Current thread:
- Need help to find web server attacks signature Maxime Ducharme (Oct 22)
- Re: Need help to find web server attacks signature Muhammad Naseer (Oct 22)
- Re: Need help to find web server attacks signature Fatih Özavcı (Oct 23)
- Bogus DNS traffic David Gillett (Oct 22)
- RE: Bogus DNS traffic Mike Anderson (Oct 23)
- RE: Bogus DNS traffic David Gillett (Oct 23)
- Re: Bogus DNS traffic Brian Collins (Oct 23)
- Re: Bogus DNS traffic Robert Lowe (Oct 23)
- Re: [despammed] Bogus DNS traffic whiplash (Oct 24)
- RE: Bogus DNS traffic Mike Anderson (Oct 23)
- RE: Need help to find web server attacks signature Mike Brownbill (Oct 23)
- Re: Need help to find web server attacks signature Tri Huynh (Oct 24)
- Re: Need help to find web server attacks signature Muhammad Naseer (Oct 22)