Something changing DNS server settings
From: Shannon (bip0dbrm001 SNEAKEMAIL.COM)
Date: Tue Sep 30 2003 - 23:07:22 CDT
We're having a strange thing in our domain. Various Windows 2000 Professional workstations are changing the DNS servers they are configured to use. So far observed are spontaneously changing to 216.127.92.38 and 69.51.146.14. (Neither IP correctly reverse looks up, but both are hosted on "ev1.net".) Due to our network topology, this breaks things pretty quickly as these servers cannot resolve our internal DNS. (The former address is still responding as a DNS server, but the second is not as far as I can tell.)
Resetting the computer to autodetect the DNS server (use DHCP) restores the computer to normal functionality.
However, I strongly suspect a worm, virus or some kind of deliberate targeted attack. (Latest NAV defs are unable to detect anything on affected machines as yet.) When I looked in the registry of one of the affected computers, I found this:
(as a trimmed exported registry file)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
You'll notice that "windows" with "r0x" = "your s0x" which is pretty clear evidence of some kind of ne'er-do-well. I'm not sure if it's a local worm or something taking advantage of remote registry services or something, but it's not good. And the NameServer is supposed to be blank, indicating automatic DHCP configuration.
(Changing the local machine's config in the network control panel appears to reset the entire hklm\system\ccs\services\parameters\interfaces key, removing this "r0x" entry.)
Anyone aware of anything that has this kind of behaviour? And what do I do to fix it? And what else has this thing done? So far, it has happened on four machines in our office.
I'll forward more information if I find any.
Thanks in advance,
Shannon McCracken
(if this email doesn't work, smccracken-at-tonkin-dot-co-dot-nz, but this address should work fine.)
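An added detection example, not part of Shannon's post: a Python script that parses a trimmed .reg export of the Tcpip\Parameters\Interfaces key and flags the two indicators described in the post, an interface subkey that is not an adapter GUID (such as "windows") and a static NameServer on an adapter that should be DHCP-managed. The sample export is constructed from the values quoted above, and the set of expected resolvers (EXPECTED_DNS) is an assumption you would replace with your own.

```python
import re
# Constructed sample in the shape of the trimmed export quoted in the post.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
"""
# Assumed, constructed: the resolvers this site's DHCP clients are expected to use.
EXPECTED_DNS = {"192.0.2.10", "192.0.2.11"}
INTERFACES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg export (string and dword values)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name, raw = m.groups()
            keys[current][name] = raw[1:-1] if raw.startswith('"') else raw  # unquote REG_SZ
    return keys

def audit_interfaces(text, expected_dns):
    """Flag non-GUID Interfaces subkeys and static NameServer entries outside expected_dns."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.startswith(INTERFACES + "\\"):
            continue  # not a per-adapter key
        sub = key[len(INTERFACES) + 1:]
        if not GUID_RE.match(sub):
            findings.append((sub, "interface subkey is not an adapter GUID"))
        # A DHCP-managed adapter should have NameServer empty; a populated list is static DNS.
        for server in filter(None, re.split(r"[ ,]+", values.get("NameServer", ""))):
            if server not in expected_dns:
                findings.append((sub, f"static NameServer {server} not in expected set"))
    return findings

if __name__ == "__main__":
    for sub, why in audit_interfaces(SAMPLE_REG, EXPECTED_DNS):
        print(f"{sub}: {why}")
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` output from each workstation; a clean DHCP-only host produces no findings.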