RE: Mystery DNS Changes

[tom_gordon () notes k12 hi us]

Is that non-disclosure notice on your sig supposed to be a joke?

Tom




Sent by:        full-disclosure-admin () lists netsys com
To:     "'Hansen, Kevin '" <kevin.hansen () thomson com>, 
"''full-disclosure () lists netsys com' '" <full-disclosure () lists netsys com>
cc: 
Subject:        RE: [Full-disclosure] Mystery DNS Changes



-----Original Message----- 
From: Hansen, Kevin 
To: 'full-disclosure () lists netsys com' 
Sent: 10/1/03 3:19 PM 
Subject: [Full-disclosure] Mystery DNS Changes 
We have seen multiple instances where DHCP enabled workstations have had 
their DNS reconfigured to point to two of the three addresses listed 
below. Can anyone else confirm this? Incidents.org is reporting an 
increase in port 53 traffic over the last two days. Are we looking at 
the precursor to the next worm? 
216.127.92.38 
69.57.146.14 
69.57.147.175 


Are these entries coming in the DHCP packets or are they being 
set *after* DHCP is complete?  Are compromised systems acting 
like DHCP servers stuffing their own DNS entries into 
specially crafted replies? 
Can you post traffic dumps? 
Best Regards, 
jpb 
=== 




Note:  The information contained in this message may be privileged and 
confidential and protected from disclosure.  If the reader of this message 
is not the intended recipient, or an employee or agent responsible for 
delivering this message to the intended recipient, you are hereby notified 
that any dissemination, distribution or copying of this communication is 
strictly prohibited.  If you have received this communication in error, 
please notify us immediately by replying to the message and deleting it 
from your computer. Thank you.  ThruPoint, Inc.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html