RE: [Full-Disclosure] Mystery DNS Changes

Wed, 01 Oct 2003 15:31:06 -0700

Title: Message
-----Original Message-----
From: Hansen, Kevin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: [Full-Disclosure] Mystery DNS Changes

We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm?

216.127.92.38
69.57.146.14
69.57.147.175  

 

According to McAfee:

This is the QHosts-1 trojan http://vil.nai.com/vil/content/v_100719.htm

 

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

Reply via email to