nanog mailing list archives

RE: dns.exe virus?

From: "Christopher J. Wolff" <chris () bblabs com>
Date: Mon, 8 Sep 2003 13:52:41 -0700


Chris,

It was really odd.  Here is an example of what the two hosts .3 and .4
were up to.

10.11.0.4:1420     64.215.170.28:53   64.215.170.28:53
10.11.0.3:4554     216.74.14.155:53   216.74.14.155:53
10.11.0.3:4554     216.239.38.10:53   216.239.38.10:53
10.11.0.3:4554     166.90.208.166:53  166.90.208.166:53
10.11.0.4:1420     192.35.51.30:53    192.35.51.30:53
10.11.0.4:1420     192.55.83.30:53    192.55.83.30:53
10.11.0.3:4554     64.24.79.2:53      64.24.79.2:53
10.11.0.3:4554     64.24.79.3:53      64.24.79.3:53
10.11.0.3:4554     64.24.79.5:53      64.24.79.5:53
10.11.0.3:4554     192.48.79.30:53    192.48.79.30:53
10.11.0.3:4554     205.166.226.38:53  205.166.226.38:53
10.11.0.3:4554     63.240.15.245:53   63.240.15.245:53
10.11.0.4:1420     192.36.148.17:53   192.36.148.17:53
10.11.0.4:1420     192.26.92.30:53    192.26.92.30:53 
10.11.0.4:1420     192.43.172.30:53   192.43.172.30:53
10.11.0.3:4554     192.31.80.30:53    192.31.80.30:53
10.11.0.3:4554     213.161.66.159:53  213.161.66.159:53
10.11.0.4:1420     65.102.83.43:53    65.102.83.43:53
10.11.0.3:4554     216.239.32.10:53   216.239.32.10:53
10.11.0.3:4554     24.221.129.4:53    24.221.129.4:53
10.11.0.3:4554     24.221.129.5:53    24.221.129.5:53
10.11.0.4:1420     192.5.6.30:53      192.5.6.30:53
10.11.0.3:4554     128.121.26.10:53   128.121.26.10:53
10.11.0.3:4554     64.215.170.28:53   64.215.170.28:53
10.11.0.3:4554     65.102.83.43:53    65.102.83.43:53
10.11.0.4:1420     24.221.129.4:53    24.221.129.4:53
10.11.0.4:1420     24.221.129.5:53    24.221.129.5:53
10.11.0.3:4554     63.210.142.26:53   63.210.142.26:53
10.11.0.4:1420     192.41.162.30:53   192.41.162.30:53
10.11.0.4:1420     192.52.178.30:53   192.52.178.30:53
10.11.0.3:4554     192.5.6.30:53      192.5.6.30:53
10.11.0.3:4554     63.215.198.78:53   63.215.198.78:53
10.11.0.4:1420     64.215.170.28:53   64.215.170.28:53
10.11.0.3:4554     216.239.38.10:53   216.239.38.10:53
10.11.0.4:1420     192.55.83.30:53    192.55.83.30:53
10.11.0.3:4554     64.24.79.3:53      64.24.79.3:53
10.11.0.3:4554     205.166.226.38:53  205.166.226.38:53
10.11.0.4:1420     192.43.172.30:53   192.43.172.30:53
10.11.0.3:4554     63.240.144.98:53   63.240.144.98:53

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com 

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Chris Lewis
Sent: Monday, September 08, 2003 1:52 PM
Cc: nanog () merit edu
Subject: Re: dns.exe virus?


Christopher J. Wolff wrote:

After tracking down what I believed was an attempted DOS attack, it
turns out that two Windows 2000 servers, fully updated, were spewing

out

hundreds of port 53 requests.  Upon further investigation dns.exe was
hogging 99% of the CPU.

I haven't found any reference to this at CERT so I thought I would

drop

the occurrence into the nanog funnel to see what comes out.  The

attack

started around 8AM MST.  Thank you for your consideration.


I wonder if this is the tool used to attack Spamhaus, SPEWS and SORBS.

Do you know what the requests were for?

Current thread:

dns.exe virus? Christopher J. Wolff (Sep 08)
- RE: dns.exe virus? Ken Budd (Sep 08)
  - RE: dns.exe virus? Stephen J. Wilcox (Sep 08)
- Re: dns.exe virus? Chris Lewis (Sep 08)
  - RE: dns.exe virus? Christopher J. Wolff (Sep 08)
    - Re: dns.exe virus? Chris Lewis (Sep 08)
    - Re: dns.exe virus? bmanning (Sep 08)
    - RE: dns.exe virus? Christopher J. Wolff (Sep 08)
    - Re: dns.exe virus? Richard Cox (Sep 08)