From: Christopher Beers (ctbeerssyr.edu)
Date: Wed Feb 27 2002 - 22:12:06 CST


    The first address seems to be registered to the DNS server EAST.UNHCA.COM. Try sending email to abuse/postmasterunhca.com. This may help.

    I found this information doing a whois search of the first IP address.

    Regards,

    Christopher T. Beers
    UNIX Systems Engineer
    Syracuse University - Computing and Media Services
    (315) 443-4103 Office (315) 443-1621 Fax

    >>> "Anthony Buser" <ABuserUnConundrum.com> 02/27/02 05:35PM >>>
    We are having the exact same problem as this today! Glad (sort of) that
    I'm not alone. My research has turned up virtually no other discussion
    relating to this.

    The problem definitely appears to be dns poisoning. We're running win2k
    DNS. Clearing the cache on the DNS servers and doing an ipconfig
    /flushdns on the workstations fixed the problem. However it did start
    to creep back and started happening again this afternoon.

    When we check the DNS event viewer logs, we keep seeing the following
    messages:

    "event id: 5504, The DNS server encountered an invalid domain name in a
    packet from x.x.x.x. The packet is rejected."

    From the following ip addresses over and over again:

    63.239.93.60
    63.239.93.61
    66.60.156.146

    All of which appear to belong to the University of New Haven. I tried
    contacting them via email but all addresses to newhaven.com appear to
    fail. I have contacted upstream people, awaiting response. That last
    ip address 66.60.156.146 worries me that someone is messing around
    because it lists courses having to do with firewalls, viruses, and
    cyberterrorism (gah!).

    I'm running snort, but it hasn't seemed to pick up anything unusual.

    I tried running tcpdump on our linux firewall to try and see what's
    going on. Unfortunately I'm not very experienced with reading tcpdump
    output, so I don't quite know what's going on:

    tcpdump -vvne src host 66.60.156.146 or 63.239.93.60 or 63.239.93.61

    13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
    66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
    all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
    www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl
    53, id 17536)
    13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
    66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
    all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
    www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl
    52, id 17536)
    13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
    63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
    all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
    www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
    13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
    63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
    all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
    www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
    13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
    63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
    all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
    www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
    13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
    63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
    all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
    www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)

    Unfortunately I'm not knowledgeable enough to understand what tcpdump is
    saying to me.

    -----Original Message-----
    From: Matthew.van.Eerdehbinc.com [mailto:Matthew.van.Eerdehbinc.com]
    Sent: Tuesday, February 26, 2002 11:29 AM
    To: focus-mssecurityfocus.com
    Cc: focus-virussecurityfocus.com
    Subject: browser redirection to forward.domainname.at

    A strange problem is surfacing on our network. Users will type in a
    website they have been to before, and they will be forwarded to

    http://forward.domainname.at/http://212.69.172.16/forward.php
    and then to
    http://212.69.172.16/forward.php

    Have we been hit by a virus? Or is there some name resolution hack on
    the internet?

    Typing in the ip address of a site
    http://216.168.252.86 for http://www.verisign.com for example
    goes to the correct site. nslookup prompts from the command line yield
    the correct IP address.

    Workstations are Windows 2000 Professional SP2 with IE 6.

    Matthew van Eerde
    Software Engineer
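As an added example, not code from anyone in this thread: a small Python parser for the old-style tcpdump DNS output Anthony quotes above. It takes the eth0 side of his capture as constructed sample input, re-joins tcpdump's wrapped lines, pulls out the responder, client port, transaction ID and flags, and reports the pattern visible in that capture (one transaction ID answered by three different hosts, each claiming to be authoritative) together with any responder that is not a resolver the client is expected to talk to. The expected-resolver set is an assumption supplied by the caller.

```python
import re

# Constructed sample: the eth0 side of the tcpdump records quoted above, wrapped as
# tcpdump printed them (EXTERNALIP is the poster's own placeholder for the client).
SAMPLE = """\
13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 53, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")  # only a packet's first line starts with a timestamp
REC = re.compile(  # old tcpdump -e syntax for a DNS response: id, then flags (* = AA set, - = RA not set)
    r"^\S+ \S+ [<>] \S+ \S+ ip \d+: (?P<src>\d+\.\d+\.\d+\.\d+)\.domain > "
    r"(?P<dst>\S+)\.(?P<port>\d+): (?P<txid>\d+)(?P<flags>[*\-+|$]*) q: (?P<qname>\S+)")

def records(text):
    """Re-join tcpdump's wrapped continuation lines into one record per packet."""
    out = []
    for line in text.splitlines():
        if TS.match(line):
            out.append(line)
        elif out:
            out[-1] += " " + line.strip()
    return out

def parse(text):
    """One dict (src, dst, port, txid, flags, qname) per parsable DNS response."""
    return [m.groupdict() for m in map(REC.match, records(text)) if m]

def suspicious_responses(text, expected_resolvers):
    """Flag responses from hosts the client never queries, and any (client, port, txid)
    answered by more than one host: the pattern visible in the capture above."""
    by_key, findings = {}, []
    for r in parse(text):
        by_key.setdefault((r["dst"], r["port"], r["txid"]), set()).add(r["src"])
        if r["src"] not in expected_resolvers:
            findings.append(f"unexpected responder {r['src']} for {r['qname']} txid {r['txid']} flags {r['flags']!r}")
    for (dst, port, txid), srcs in by_key.items():
        if len(srcs) > 1:
            findings.append(f"txid {txid} to {dst}:{port} answered by {len(srcs)} hosts: {sorted(srcs)}")
    return findings
```

Run against a live capture, the same two checks (answers arriving from hosts you never queried, and one query ID answered by several hosts) are the quickest way to tell spoofed or replayed answers from ordinary resolver traffic.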