nanog mailing list archives
RE: dns.exe virus?
From: "Christopher J. Wolff" <chris () bblabs com>
Date: Mon, 8 Sep 2003 13:52:41 -0700
Chris,
It was really odd. Here is an example of what the two hosts .3 and .4 were up to.
Regards, Christopher J.
Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Chris Lewis
Sent: Monday, September 08, 2003 1:52 PM
Cc: nanog () merit edu
Subject: Re: dns.exe virus?

Christopher J. Wolff wrote:
After tracking down what I believed was an attempted DOS attack, it turns out that two Windows 2000 servers, fully updated, were spewing out hundreds of port 53 requests. Upon further investigation dns.exe was hogging 99% of the CPU.
I haven't found any reference to this at CERT so I thought I would drop the occurrence into the nanog funnel to see what comes out. The attack started around 8AM MST. Thank you for your consideration.
I wonder if this is the tool used to attack Spamhaus, SPEWS and SORBS. Do you know what the requests were for?