funsec mailing list archives
Re: Rogue DNS Servers
From: Jeff Kell <jeff-kell () utc edu>
Date: Wed, 28 Mar 2007 23:52:08 -0400
Fergie wrote:
> Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS servers exhibit interesting behavior.
I get timeouts trying to reference the URL, so I can't get the details... but...
If you're talking about the Inhoster hooks, this has been going on for months. DNS clients are hijacked to point to various servers in 85.255.112.0/20.
Recently (last 48 hours) I've seen end-user queries out of our block (excluding our internal recursive servers) directed toward...

< Dst IP address >   < Total # >
85.255.112.116       1420
85.255.112.183          3
85.255.116.53        1940
85.255.116.168          3

I don't see any other "out of the ordinary" outbound DNS, at least not clustered
Jeff
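
An added example, not part of Jeff's post: one way to produce the kind of per-destination tally shown above, counting port-53 flows from end-user hosts that bypass the internal recursive servers and land in 85.255.112.0/20. The flow-record format, the site block 192.0.2.0/24, the resolver addresses and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

ROGUE_NET = ipaddress.ip_network("85.255.112.0/20")  # range named in the post
# Assumptions (not from the post): site block and internal recursive servers.
SITE_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}

# Constructed sample flow records, format assumed: "src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
192.0.2.17 85.255.112.116 udp 53
192.0.2.17 85.255.112.116 udp 53
192.0.2.40 85.255.116.53 udp 53
192.0.2.53 198.51.100.7 udp 53
192.0.2.22 192.0.2.53 udp 53
192.0.2.40 85.255.116.53 tcp 80
192.0.2.61 203.0.113.9 udp 53
bad line
"""

def outbound_dns(lines):
    """Yield (src, dst) for DNS flows that end-user hosts send off-site."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        if parts[2] not in ("udp", "tcp") or parts[3] != "53":
            continue  # not DNS
        if src not in SITE_NET or src in INTERNAL_RESOLVERS or dst in SITE_NET:
            continue  # resolver traffic and internal lookups are expected
        yield src, dst

def summarize(lines):
    """Return (hits per rogue dst, clients per rogue dst, other off-site DNS)."""
    hits, clients, other = Counter(), {}, Counter()
    for src, dst in outbound_dns(lines):
        if dst in ROGUE_NET:
            hits[str(dst)] += 1
            clients.setdefault(str(dst), set()).add(str(src))
        else:
            other[str(dst)] += 1  # off-site DNS outside the known range
    return hits, clients, other

if __name__ == "__main__":
    hits, clients, other = summarize(SAMPLE_FLOWS.splitlines())
    for dst, n in hits.most_common():
        print(f"{dst:<18}{n:>6}  clients: {sorted(clients[dst])}")
```

The client sets identify which hosts have had their resolver settings changed; the `other` counter covers the "any other out of the ordinary outbound DNS" check.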