Security Incidents mailing list archives

RE: Bogus DNS traffic


From: "Mike Anderson" <secure () spoofedpackets net>
Date: Wed, 22 Oct 2003 16:34:24 -0400

Dave,

        You might be seeing an increase in DNS traffic as a result of
this trojan.

QHosts Trojan Horse
added October 2 
The CERT/CC has received reports of a new Trojan Horse program affecting
Microsoft Windows systems. The QHosts or Qhosts-1 Trojan Horse has been
reported to alter domain name service (DNS) settings on Windows systems
and redirect users from legitimate web sites to those specified by the
Trojan Horse program. The CERT/CC is tracking this activity as
CERT#27882 and is interested in receiving reports thereof. Relevant
artifacts or activity can be sent to cert () cert org with "CERT#27882" in
the subject line. 

The CERT/CC strongly encourages users to install anti-virus software,
and keep its virus signature files up-to-date.


I got this from cert's website. You might want to check that out.

Mike Anderson
Systems Engineer

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Wednesday, October 22, 2003 3:39 PM
To: incidents () securityfocus com
Subject: Bogus DNS traffic


  I'm seeing random UDP packets to port 53 of random
internal IP addresses.  The source IP addresses are
external, all over the map, although the one example
I've gotten a good capture of bore the source MAC
address of an internal server.  (Whatever is spoofing
the IP address *could* be spoofing the MAC address, but
that would still indicate an origin inside our network....)

  Does anyone recognize this?

David Gillett
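
A check for the pattern described in the original post (UDP port 53 packets to internal addresses whose source IP is external but whose frame carries an internal host's MAC), as an added example that is not part of either message. The internal prefix, gateway MAC, MAC inventory and capture records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# All values below are constructed for illustration (documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed internal prefix
GATEWAY_MACS = {"00:00:5e:00:53:01"}                     # router: forwards external IPs
MAC_INVENTORY = {"00:00:5e:00:53:10": "10.20.1.10",      # MAC -> assigned IP
                 "00:00:5e:00:53:11": "10.20.1.11"}

# Constructed capture summary: (src_mac, src_ip, dst_ip, proto, dst_port)
SAMPLE = [
    ("00:00:5e:00:53:10", "203.0.113.77", "10.20.4.9",    "udp", 53),  # suspicious
    ("00:00:5e:00:53:10", "198.51.100.3", "10.20.200.41", "udp", 53),  # suspicious
    ("00:00:5e:00:53:01", "192.0.2.8",    "10.20.1.53",   "udp", 53),  # via gateway
    ("00:00:5e:00:53:11", "10.20.1.11",   "10.20.1.53",   "udp", 53),  # normal lookup
    ("00:00:5e:00:53:10", "10.20.1.10",   "10.20.1.53",   "udp", 53),  # normal lookup
    ("00:00:5e:00:53:10", "192.0.2.200",  "10.20.9.9",    "tcp", 80),  # not DNS
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_spoofed_dns(records):
    """Return UDP/53 records whose source IP is external but whose frame
    did not arrive via the gateway, i.e. it originated on the local segment."""
    hits = []
    for src_mac, src_ip, dst_ip, proto, dport in records:
        if proto != "udp" or dport != 53:
            continue
        if src_mac in GATEWAY_MACS or is_internal(src_ip):
            continue
        if is_internal(dst_ip):
            hits.append((src_mac, src_ip, dst_ip))
    return hits

def summarize(hits):
    """Group hits by source MAC and name the inventory owner to investigate."""
    by_mac = defaultdict(lambda: {"packets": 0, "sources": set()})
    for src_mac, src_ip, _ in hits:
        by_mac[src_mac]["packets"] += 1
        by_mac[src_mac]["sources"].add(src_ip)
    return {mac: {"owner": MAC_INVENTORY.get(mac, "unknown"),
                  "packets": v["packets"], "spoofed_sources": len(v["sources"])}
            for mac, v in by_mac.items()}

if __name__ == "__main__":
    for mac, info in summarize(find_spoofed_dns(SAMPLE)).items():
        print(mac, info)
```

A hit names a host to examine, not a verdict: as the post says, the MAC address could itself be spoofed.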


