For anyone who wants to find any hosts behind their firewall that are still infected, you can post a firewall log into our public site, and we'll call out all attempts to contact the sinkhole servers (with the internal IPs), assuming you log outbound DNS or all connections.
http://www.threatstop.com/dnschanger We've been doing this for subscribers (including free community ones) since we got the sinkhole IPs from Andrew @ SIE/MAAWG.

> -----Original Message-----
> From: Eric J Esslinger [mailto:[email protected]]
> Sent: Friday, July 06, 2012 11:10 AM
> To: '[email protected]'
> Subject: RE: DNS Changer items
>
> We verified one a while back, who had already had the problem fixed when
> the FBI sent us the physical mail. Considering the number of internet customers
> in the US vs. our internet customers, with the known number of US subscribers
> affected at its height, I figure if the percentages are good we've taken care
> of several times the number of likely cases on our network with that one
> customer.
> *wink*
> I'm told by various sources to expect similar stories on the nightly national
> news programs tonight, with a similar 'call your ISP' ending. I've also heard the
> site IS reachable via IPv6 and they are dealing with the load issues as we
> speak (and some people are getting through, albeit slowly).
>
> I'm pretty comfortable about my network; I've been catching DNS lookup
> destinations from my users for months (not contents, just destination IPs)
> and the list of outside addresses covers most of the well known public DNS
> servers (OpenDNS, Google, etc...) with the exception of a handful that seem
> to be running their own full blown recursive caching servers, which go
> everywhere looking for authoritative lookups. (One I knew about, he
> complains because I won't allow his basic cable account to act as an open server
> for his DNS when he's out of town. If he wants a static IP I can arrange
> opening the port, till then... He is always welcome to VPN into his home
> network as well.)
>
> Been having callers look up their IP, then checking the query logs to see if
> they hit our DNS servers. So far I'm at 100%.
>
> I thought of whipping up a script for my recursive DNS servers to set up a
> webpage to let them see if they were accessing those servers, but I just
> don't have time right now (fiscal year just started and everyone wants their
> projects done 'now'.)
>
> Addendum: Site appears up and fast now. So that's something anyway.
>
> __________________________
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/
> (931)433-1522 ext 165
>
>
> > -----Original Message-----
> > From: Merike Kaeo [mailto:[email protected]]
> > Sent: Friday, July 06, 2012 1:06 PM
> > To: Cameron Byrne
> > Cc: [email protected]
> > Subject: Re: DNS Changer items
> >
> >
> > The ISPs who have been proactive in mitigating and redirecting have
> > been/are doing this. (global reach here)
> >
> > The court ordered DNS servers have been up since Nov 9th and lots of
> > outreach done....the intent was a graceful ramp down.
> > Sadly, the state of folks helping with overall malware cleanup is
> > still lots of finger pointing.
> >
> > FUD with press and over sensationalism not helping.
> >
> > - merike
> >
> >
> > On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote:
> >
> > > So instead of turning the servers off, would it not have been
> > > helpful to have the servers return a "captive portal" type
> > > of response saying "hey, since you use this server, you are broken, go
> > > here to get fixed"
> > >
> > > Seems that would have been a more graceful ramp down.
> > >
> > > CB
> >
> >
>
> This message may contain confidential and/or proprietary information and is
> intended for the person/entity to whom it was originally addressed. Any use
> by others is strictly prohibited.
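The two checks described in this thread (the ThreatStop offer to match firewall log destinations against the sinkhole addresses, and Eric's practice of surveying which DNS destinations each customer actually uses) can both be done locally with a short script. The following is an added example, not ThreatStop's code nor anything any poster wrote. It parses a constructed iptables-style outbound log (the `SRC=`/`DST=`/`DPT=` field format, the sample addresses and the hostnames are all made up here), reports internal hosts that contacted a sinkhole range, and lists the port-53 destinations seen per client. The DNSChanger ranges in the block are the rogue-DNS ranges the FBI published at the time; treat that list as an assumption and confirm it against the authoritative list before acting on a match.

```python
"""Find internal hosts still contacting DNSChanger sinkhole/rogue DNS ranges.

Added example, not code from the thread. Runs offline on a constructed
iptables LOG-style outbound log. Range list is an assumption; verify it.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the rogue DNS ranges published for DNSChanger. The court-ordered
# replacement (sinkhole) servers answered on the same addresses, so any
# outbound traffic to them after cleanup is a host that is still infected.
DNSCHANGER_RANGES = [ipaddress.ip_network(c) for c in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Constructed sample log (iptables LOG target style, private source addresses).
SAMPLE_LOG = """\
Jul  6 11:02:13 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=85.255.112.10 PROTO=UDP SPT=51234 DPT=53
Jul  6 11:02:14 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=8.8.8.8 PROTO=UDP SPT=51235 DPT=53
Jul  6 11:02:15 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.7.9 DST=208.67.222.222 PROTO=UDP SPT=40001 DPT=53
Jul  6 11:02:16 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.9.3 DST=93.188.161.5 PROTO=TCP SPT=40002 DPT=53
Jul  6 11:02:17 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.9.3 DST=93.188.161.5 PROTO=UDP SPT=40003 DPT=53
Jul  6 11:02:18 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=93.184.216.34 PROTO=TCP SPT=40004 DPT=80
Jul  6 11:02:19 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=2001:db8:1::22 DST=2001:4860:4860::8888 PROTO=UDP SPT=40005 DPT=53
this line is deliberately unparseable
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None
    return src, dst, int(m.group("dport"))


def is_sinkhole(ip, ranges=DNSCHANGER_RANGES):
    """True if ip (string or ipaddress object) falls in any configured range.

    Mixed-version comparisons (IPv6 address vs IPv4 network) are simply False."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in ranges)


def find_infected(lines, ranges=DNSCHANGER_RANGES):
    """Map each internal source address to the sinkhole addresses it contacted.

    Any port counts: DNSChanger victims are configured to *resolve* through
    these addresses, so a hit on any port is evidence of a stale configuration."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, _ = parsed
        if is_sinkhole(dst, ranges):
            hits[str(src)].add(str(dst))
    return dict(hits)


def resolvers_by_client(lines):
    """Map each source address to the set of port-53 destinations it used.

    This is the 'which resolvers are my users actually talking to' survey: a
    client whose set contains only well-known public resolvers or your own
    servers is fine; an unfamiliar address is worth a closer look."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport == 53:
            seen[str(src)].add(str(dst))
    return dict(seen)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, dsts in sorted(find_infected(lines).items()):
        print(f"{host} contacted sinkhole: {', '.join(sorted(dsts))}")
    for host, dsts in sorted(resolvers_by_client(lines).items()):
        print(f"{host} resolvers: {', '.join(sorted(dsts))}")
```

To run it against a real log, feed `find_infected()` an open file object instead of `SAMPLE_LOG.splitlines()` and adjust `LINE_RE` to your firewall's field names; the match is done on the destination address only, so NAT logs must show the pre-translation internal source for the output to identify the right host.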

