Full Disclosure mailing list archives
Re: [Snort-sigs] Re: Mystery DNS Changes
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 03 Oct 2003 21:43:18 -0500
--On Friday, October 03, 2003 20:10:08 -0500 Paul Tinsley <pdt () jackhammer org> wrote:
> Yep it would, I threw those up real quick just to try and get some visibility as to how much we were being affected by it. Didn't put much thought into it. Just out of curiosity, how many of those out there who are using this or other similar rules are still seeing traffic to those servers? I have seen a steady flow of them even though the servers that were distributing the malicious code seem to be down. I have written a script that gives me (from proxy logs) the union of all URLs visited by those "infected" and I can't seem to track down a common URL that looks to be an infection vector. Has anybody seen a mail-based version of this?

We have three boxes in the student residences that are attempting to resolve using those addresses. I don't think there's a new infection vector. I think these are boxes that went to the Fortunecity site before it was taken down and so got infected.

They can't be resolving hosts now, so it's amazing to me that they haven't complained about it, but there you go. Some students can go for months without reporting a problem. ???
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
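The proxy-log comparison mentioned in the quoted message, as an added example that is not part of the original thread and is not either poster's script. It goes one step past a plain union by ranking each URL by how many of the suspect clients fetched it and how many other clients did too. The Squid native `access.log` layout, the client addresses and the `.example` URLs are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, assumed Squid native access.log layout:
# time elapsed client code/status bytes method URL ident peer type
SAMPLE_LOG = """\
1065230001.101 120 10.1.1.11 TCP_MISS/200 4312 GET http://portal.example/ - DIRECT/192.0.2.10 text/html
1065230002.220 98 10.1.1.12 TCP_HIT/200 4312 GET http://portal.example/ - NONE/- text/html
1065230003.310 101 10.1.1.13 TCP_HIT/200 4312 GET http://portal.example/ - NONE/- text/html
1065230004.400 87 10.1.1.20 TCP_HIT/200 4312 GET http://portal.example/ - NONE/- text/html
1065230005.010 240 10.1.1.11 TCP_MISS/200 911 GET http://files.example/setup.html - DIRECT/192.0.2.44 text/html
1065230006.770 233 10.1.1.12 TCP_MISS/200 911 GET http://files.example/setup.html - DIRECT/192.0.2.44 text/html
1065230007.150 251 10.1.1.13 TCP_MISS/200 911 GET http://files.example/setup.html - DIRECT/192.0.2.44 text/html
1065230008.900 64 10.1.1.11 TCP_MISS/200 2040 GET http://news.example/ - DIRECT/192.0.2.80 text/html
1065230009.120 70 10.1.1.20 TCP_HIT/200 2040 GET http://news.example/ - NONE/- text/html
1065230010.000 15 10.1.1.12 TCP_MISS/200
""".splitlines()

INFECTED = {"10.1.1.11", "10.1.1.12", "10.1.1.13"}  # constructed suspect list


def parse_line(line):
    """Return (client, url) from one log line, or None if it is truncated."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[6]


def url_coverage(log_lines, infected):
    """Rank URLs: most suspect visitors first, then fewest other visitors."""
    visitors = defaultdict(set)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed:
            client, url = parsed
            visitors[url].add(client)
    rows = []
    for url, clients in visitors.items():
        hit = clients & infected
        if hit:
            rows.append((url, len(hit), len(clients - infected)))
    return sorted(rows, key=lambda r: (-r[1], r[2], r[0]))


def common_urls(log_lines, infected):
    """URLs fetched by every suspect client (the intersection, not the union)."""
    return [u for u, hit, _ in url_coverage(log_lines, infected) if hit == len(infected)]


if __name__ == "__main__":
    for url, hit, other in url_coverage(SAMPLE_LOG, INFECTED):
        print(f"{hit}/{len(INFECTED)} suspect, {other} other  {url}")
```

A URL seen by every suspect client and by no other client sorts to the top; one that the whole network visits, such as a portal page, carries a high "other" count and can be discounted.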