
 

Welcome to the Virus.Org Mailing List Archive




Re: [Dshield] QHOSTS-1 - DNS/Hosts file issues

  • To: General DShield Discussion List <[EMAIL PROTECTED]>
  • Subject: Re: [Dshield] QHOSTS-1 - DNS/Hosts file issues
  • From: Daniel Hay <[EMAIL PROTECTED]>
  • Date: Thu, 02 Oct 2003 13:43:26 -0400
  • In-reply-to: <[EMAIL PROTECTED]>
  • Old-x-envelope-to: [EMAIL PROTECTED]
  • Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]

So, anybody know any URLs for these that we can (at least temporarily)
block at the proxy?


This is an email sent to NNTBUGTRAQ yesterday.


----- Original Message -----
From: "Shannon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 01, 2003 12:07 AM
Subject: Something changing DNS server settings


We're having a strange thing in our domain. Various Windows 2000 Professional workstations are changing the DNS servers they are configured to use. So far they have been observed spontaneously changing to 216.127.92.38 and 69.51.146.14. (Neither IP correctly reverse looks up, but both are hosted on "ev1.net".) Due to our network topology, this breaks things pretty quickly as these servers cannot resolve our internal DNS. (The former address is still responding as a DNS server, but the second is not, as far as I can tell.)

Resetting the computer to autodetect the DNS server (use DHCP) restores the computer to normal functionality.

However, I strongly suspect a worm, virus or some kind of deliberate targeted attack. (Latest NAV defs are unable to detect anything on affected machines as yet.) When I looked in the registry of one of the affected computers, I found this:

(as a trimmed exported registry file)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

You'll notice that "windows" with "r0x" = "your s0x" is pretty clear evidence of some kind of ne'er-do-well. I'm not sure if it's a local worm or something taking advantage of remote registry services or something, but it's not good. And the NameServer is supposed to be blank, indicating automatic DHCP configuration.

(Changing the local machine's config in the network control panel appears to reset the entire hklm\system\ccs\services\tcpip\parameters\interfaces key, removing this "r0x" entry.)

Anyone aware of anything that has this kind of behaviour? And what do I do to fix it? And what else has this thing done? So far, it has happened on four machines in our office.

I'll forward more information if I find any.

Thanks in advance,

Shannon McCracken
(if this email doesn't work, smccracken-at-tonkin-dot-co-dot-nz, but this address should work fine.)


_______________________________________________
list mailing list
[EMAIL PROTECTED]
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
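The registry fragment quoted above gives three concrete things to look for on other machines: a subkey under Tcpip\Parameters\Interfaces whose name is not an adapter GUID, a value name Windows never writes there ("r0x"), and a hard-coded NameServer pointing at a DNS server the site does not own. The following script is an added example, not code from the post or from either list; it parses a trimmed .reg export (the one from the post, embedded here as constructed sample input) and reports those three conditions. The list of value names treated as "normal" and the set of approved DNS servers are assumptions chosen for the example, not an authoritative list from Microsoft or from the original poster.

```python
import re

# Constructed sample: the trimmed .reg export quoted in the post above, with
# the wrapped key names rejoined. This is embedded text, not a live registry read.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
"""

INTERFACES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

# Per-interface subkeys are normally named by adapter GUID, e.g. {45F95E82-...}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumption: value names the TCP/IP stack and DHCP client write under a
# per-interface key on Windows 2000/XP. Anything else is worth a look.
KNOWN_VALUES = {
    "NameServer", "DhcpNameServer", "Domain", "DhcpDomain", "EnableDHCP",
    "IPAddress", "SubnetMask", "DefaultGateway", "DhcpIPAddress",
    "DhcpSubnetMask", "DhcpDefaultGateway", "DhcpServer", "Lease",
    "LeaseObtainedTime", "LeaseTerminatesTime", "T1", "T2",
    "UseZeroBroadcast", "EnableDeadGWDetect", "DisableDynamicUpdate",
    "NTEContextList", "AddressType", "InterfaceMetric", "MTU",
    "DhcpClassId", "DhcpClassIdBin", "DhcpNetworkHint",
}


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}.

    String values lose their surrounding quotes; dword:/hex: values are kept raw.
    The regedit header, blank lines and ';' comments are skipped.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1]
            keys[current][name] = raw
    return keys


def audit_interfaces(keys, allowed_dns):
    """Return (key_path, finding) tuples for suspicious per-interface entries."""
    findings = []
    prefix = INTERFACES_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        sub = path[len(prefix):]
        if not GUID_RE.match(sub):
            findings.append((path, f"non-GUID interface subkey '{sub}'"))
        for name, raw in values.items():
            if name not in KNOWN_VALUES:
                findings.append((path, f"unexpected value '{name}'='{raw}'"))
        # NameServer is a space- or comma-separated list; blank means "use DHCP".
        for server in re.split(r"[ ,]+", values.get("NameServer", "")):
            if server and server not in allowed_dns:
                findings.append((path, f"NameServer points at unapproved server {server}"))
    return findings


if __name__ == "__main__":
    # Assumed site DNS server; replace with the addresses DHCP actually hands out.
    for path, finding in audit_interfaces(parse_reg(SAMPLE_REG), {"10.0.0.5"}):
        print(f"{finding}\n    at {path}")
```

On a real machine the input would come from `reg export "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" out.reg`; note that regedit writes that file as UTF-16LE, so open it with `encoding="utf-16"` before passing the text to `parse_reg`. Run against the sample with the site DNS set to an unrelated address, the script flags the "windows" subkey, the "r0x" value, and the rogue NameServer on both keys.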

Copyright (c) Virus.Org 1997-2006.