Re: [Full-Disclosure] Mystery DNS Changes
- To: "Hansen, Kevin" <kevin.hansen@thomson.com>
- Subject: Re: [Full-Disclosure] Mystery DNS Changes
- From: Danny Pansters <fulldiclosure@ricin.com>
- Date: Thu, 2 Oct 2003 01:05:39 +0200
On Wednesday 01 October 2003 21:19, Hansen, Kevin wrote:
> We have seen multiple instances where DHCP enabled workstations have
> had their DNS reconfigured to point to two of the three addresses
> listed below. Can anyone else confirm this? Incidents.org is
> reporting an increase in port 53 traffic over the last two days. Are
> we looking at the precursor to the next worm?
>
> 216.127.92.38
> 69.57.146.14
> 69.57.147.175
>
> -KJH
>
How 'bout asking admin@ev1.net? You likely have some spy/ad/pay ware on
client machines. See lop.com and others.

There's crap traffic on port 53 all the time, I get speedera ping-like
traffic on my port 53 several times a day. It's a verifiable swarm but
no one at att, verio, uunet, whatever seems to care. My cable ISP told
me I could start legal action. Yeah right. This is probably a common
occurrence.

I think you're mixing up two different issues here.
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html