Full Disclosure mailing list archives

Re: Mystery DNS Changes


From: Danny Pansters <fulldiclosure () ricin com>
Date: Thu, 2 Oct 2003 01:05:39 +0200

On Wednesday 01 October 2003 21:19, Hansen, Kevin wrote:
> We have seen multiple instances where DHCP enabled workstations have
> had their DNS reconfigured to point to two of the three addresses
> listed below. Can anyone else confirm this? Incidents.org is
> reporting an increase in port 53 traffic over the last two days. Are
> we looking at the precursor to the next worm?
>
> 216.127.92.38
> 69.57.146.14
> 69.57.147.175
>
> -KJH


How 'bout asking admin () ev1 net? You likely have some spy/ad/pay ware on
client machines. See lop.com and others.

There's crap traffic on port 53 all the time, I get speedera ping-like
traffic on my port 53 several times a day. It's a verifiable swarm but
no one at att, verio, uunet, whatever seems to care. My cable ISP told
me I could start legal action. Yeah right. This is probably a common
occurrence.

I think you're mixing up two different issues here.

Dan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

