Full Disclosure mailing list archives

Re: Mystery DNS Changes

From: Gary Flynn <flynngn () jmu edu>
Date: Wed, 01 Oct 2003 16:04:33 -0400



Hansen, Kevin wrote:

We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed below.
Can anyone else confirm this? Incidents.org is reporting an increase in port
53 traffic over the last two days. Are we looking at the precursor to the
next worm?


This is currently being discussed on NTBUGTRAQ too.


--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Mystery DNS Changes Hansen, Kevin (Oct 01)
- Re: Mystery DNS Changes Gary Flynn (Oct 01)
  - Re: Mystery DNS Changes Brian Eckman (Oct 01)
  - Re: Mystery DNS Changes Russell Fulton (Oct 01)
- Re: Mystery DNS Changes Mary Landesman (Oct 01)
- Message not available
  - Re: Mystery DNS Changes Mike Tancsa (Oct 01)
- Re: Mystery DNS Changes Danny Pansters (Oct 01)
- Re: Mystery DNS Changes Joe Stewart (Oct 02)
- <Possible follow-ups>
- RE: Mystery DNS Changes Brown, James (Jim) (Oct 01)
- RE: Mystery DNS Changes Schmehl, Paul L (Oct 01)
- RE: Mystery DNS Changes David Vincent (Oct 01)
- RE: Mystery DNS Changes tom_gordon (Oct 01)

(Thread continues...)