Security Incidents mailing list archives
RE: Bogus DNS traffic
From: "Mike Anderson" <secure () spoofedpackets net>
Date: Wed, 22 Oct 2003 16:34:24 -0400
Dave,

You might be seeing an increase in DNS traffic as a result of this trojan.

QHosts Trojan Horse
added October 2

The CERT/CC has received reports of a new Trojan Horse program affecting Microsoft Windows systems. The QHosts or Qhosts-1 Trojan Horse has been reported to alter domain name service (DNS) settings on Windows systems and redirect users from legitimate web sites to those specified by the Trojan Horse program. The CERT/CC is tracking this activity as CERT#27882 and is interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert () cert org with "CERT#27882" in the subject line. The CERT/CC strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

I got this from cert's website. You might want to check that out.

Mike Anderson
Systems Engineer

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Wednesday, October 22, 2003 3:39 PM
To: incidents () securityfocus com
Subject: Bogus DNS traffic

I'm seeing random UDP packets to port 53 of random internal IP addresses. The source IP addresses are external, all over the map, although the one example I've gotten a good capture of bore the source MAC address of an internal server. (Whatever is spoofing the IP address *could* be spoofing the MAC address, but that would still indicate an origin inside our network....)

Does anyone recognize this?

David Gillett
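Added example, not part of either message above: the check David's capture points to, written in Python. It flags UDP/53 frames whose source IP is external but whose source MAC belongs to a known internal host rather than the gateway. The internal prefix, MAC inventory, gateway MAC and sample frames are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (all constructed): internal prefix, gateway MAC, MAC inventory.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
GATEWAY_MAC = "00:00:5e:00:53:01"
MAC_INVENTORY = {
    "00:00:5e:00:53:10": "fileserver",
    "00:00:5e:00:53:11": "workstation-7",
}

# Constructed sample frames: (src_mac, src_ip, dst_ip, proto, dst_port)
SAMPLE_FRAMES = [
    ("00:00:5e:00:53:01", "198.51.100.7", "10.20.1.5", "udp", 53),   # routed in via gateway
    ("00:00:5e:00:53:10", "203.0.113.44", "10.20.9.81", "udp", 53),  # external IP, internal MAC
    ("00:00:5E:00:53:10", "192.0.2.199", "10.20.3.12", "udp", 53),   # same MAC, another IP
    ("00:00:5e:00:53:11", "10.20.4.4", "10.20.0.2", "udp", 53),      # normal internal lookup
    ("00:00:5e:00:53:10", "203.0.113.44", "10.20.9.81", "tcp", 80),  # not DNS, ignored
]


def is_internal(ip):
    """True if ip falls inside one of the internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_local_spoofers(frames):
    """Map internal host name -> sorted external source IPs seen from its MAC."""
    hits = defaultdict(set)
    for src_mac, src_ip, dst_ip, proto, dport in frames:
        if proto != "udp" or dport != 53:
            continue
        if not is_internal(dst_ip) or is_internal(src_ip):
            continue
        mac = src_mac.lower()
        if mac == GATEWAY_MAC:
            continue  # genuinely external traffic arrives with the router's MAC
        if mac in MAC_INVENTORY:
            hits[MAC_INVENTORY[mac]].add(src_ip)
    return {host: sorted(ips) for host, ips in hits.items()}


if __name__ == "__main__":
    for host, ips in find_local_spoofers(SAMPLE_FRAMES).items():
        print(f"{host}: {len(ips)} external source IPs on UDP/53 -> {ips}")
```

A capture taken on the same layer-2 segment as the suspect host is needed for the MAC comparison to mean anything; across a router every frame carries the router's MAC.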