Re: [funsec] Rogue DNS Servers
Fergie wrote:

> Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS servers exhibit interesting behavior.

I get timeouts trying to reference the URL, so I can't get the details... but...

If you're talking about the Inhoster hooks, this has been going on for months. DNS clients are hijacked to point to various servers in 85.255.112.0/20.

Recently (last 48 hours) I've seen end-user queries out of our block (excluding our internal recursive servers) directed toward...

    < Dst IP address >   < Total # >
    85.255.112.116       1420
    85.255.112.1833
    85.255.116.53        1940
    85.255.116.1683

I don't see any other "out of the ordinary" outbound DNS, at least not clustered.

Jeff

___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
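The count Jeff describes above, as an added example that is not part of the thread: a small Python script that tallies port-53 flows from end-user hosts to 85.255.112.0/20 while excluding the site's own recursive resolvers, so that any remaining hit points at a client resolving directly through a hijacked server. The resolver addresses and the flow records are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Hijack destination range named in the thread.
ROGUE_DNS_NET = ipaddress.ip_network("85.255.112.0/20")

# Hypothetical addresses for the site's own recursive resolvers; these
# legitimately send DNS outbound and are excluded, as in Jeff's count.
INTERNAL_RECURSIVE = {"192.0.2.53", "192.0.2.54"}

# Constructed sample flow records (src_ip, dst_ip, dst_port, packet_count).
SAMPLE_FLOWS = [
    ("192.0.2.10", "85.255.112.116", 53, 900),   # end-user host, rogue range
    ("192.0.2.11", "85.255.112.116", 53, 520),   # second affected host
    ("192.0.2.12", "85.255.116.53", 53, 1940),   # different rogue server
    ("192.0.2.53", "85.255.112.116", 53, 40),    # internal resolver: excluded
    ("192.0.2.10", "85.255.112.116", 80, 7),     # not DNS: ignored
    ("192.0.2.13", "198.51.100.1", 53, 300),     # DNS to an unrelated server
]

def rogue_dns_report(flows, internal=INTERNAL_RECURSIVE):
    """Count port-53 packets from end-user hosts to the rogue range.

    Returns (totals_by_destination, suspect_client_ips). Flows from the
    internal recursive resolvers and non-DNS flows are skipped.
    """
    totals = Counter()
    clients = set()
    for src, dst, dport, pkts in flows:
        if dport != 53 or src in internal:
            continue
        if ipaddress.ip_address(dst) in ROGUE_DNS_NET:
            totals[dst] += pkts
            clients.add(src)
    return totals, clients

def format_report(totals):
    """Render the same two-column table as the post, highest count first."""
    lines = ["< Dst IP address >  < Total # >"]
    for dst, n in totals.most_common():
        lines.append(f"{dst:<20}{n}")
    return "\n".join(lines)

if __name__ == "__main__":
    totals, clients = rogue_dns_report(SAMPLE_FLOWS)
    print(format_report(totals))
    print("hosts to investigate:", ", ".join(sorted(clients)))
```

The suspect client set is the actionable output: those are the hosts whose resolver settings need to be checked and cleaned.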
[funsec] Rogue DNS Servers
A couple of colleagues (Feike Hacquebord and Chenghuai Lu) did this research and published this report.

[snip]

Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS servers exhibit interesting behavior. We found that the DNS servers resolve most existing domains correctly at the times we queried them. However, for non-existing domain names, the rogue DNS servers do not return the usual error message but they instead resolve the domain name to a malicious IP address.

[snip]

More detail:
http://tmirt.trendmicro.com.ph/blog/2007/03/rogue_dns_servers.html

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/