RE: [Full-Disclosure] Mystery DNS Changes

From: Schmehl, Paul L (paulsutdallas.edu)
Date: Wed Oct 01 2003 - 16:25:02 CDT


        -----Original Message-----
        From: Hansen, Kevin [mailto:kevin.hansenthomson.com]
        Sent: Wednesday, October 01, 2003 2:19 PM
        To: 'full-disclosurelists.netsys.com'
        Subject: [Full-Disclosure] Mystery DNS Changes
        
        

        We have seen multiple instances where DHCP enabled workstations
        have had their DNS reconfigured to point to two of the three addresses
        listed below. Can anyone else confirm this? Incidents.org is reporting
        an increase in port 53 traffic over the last two days. Are we looking at
        the precursor to the next worm?

        216.127.92.38
        69.57.146.14
        69.57.147.175

         

        According to McAfee:

        This is the QHosts-1 trojan
        http://vil.nai.com/vil/content/v_100719.htm

         

        Paul Schmehl (paulsutdallas.edu)
        Adjunct Information Security Officer
        The University of Texas at Dallas
        AVIEN Founding Member
        http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html