Re: [Snort-sigs] Re: [Full-Disclosure] Mystery DNS Changes

[Paul Schmehl <pauls@utdallas.edu>]

--On Friday, October 03, 2003 20:10:08 -0500 Paul Tinsley 
<pdt@jackhammer.org> wrote:

>     Yep it would, I threw those up real quick just to try and get some
> visibility as to how much we were being affected by it.  Didn't put much
> thought into it.  Just out of curiosity how many of those out there who
> are using this or other similar rules are still seeing traffic to those
> servers?  I have seen a steady flow of them even though the servers that
> were distributing the malicious code seem to be down.     I have written
> a script that gives me (from proxy logs) the union of all URLS visited by
> those "infected" and I can't seem to track down a common url that looks
> to be an infection vector.  Has anybody seen a mail based version of this?
We have three boxes in the student residences that are attempting to 
resolve using those addresses.  I don't think there's a new infection 
vector.  I think these are boxes that went to the Fortunecity site before 
it was taken down and so got infected.

They can't be resolving hosts now, so it's amazing to me that they haven't 
complained about it, but there you go.  Some students can go for months 
without reporting a problem.  ???

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html