[Dshield] CA eTrust TARGET Advisory - Monitoring New "Attack"Activity

Rick Klinge rick at jaray.net
Thu Oct 2 01:15:07 GMT 2003


I don't know for sure, but Windows users might want to disable the remote
registry services.  I can't see how visiting a web site, with a patched
Microsoft system, would 'still' allow the execution/exploit to alter the
client's host file.  Could it be there is an exploit with the remote registry
service?  Yet another exploit, more plausible, would be the client's DNS
Client service.  I would think that one could disable this service and just
have the client's computer 'go upstream' to the real DNS server rather than
look to the client's cache 1st.  Hmm.. points to ponder.

~Rick



>-----Original Message-----
>From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
>Behalf Of Kenton Smith
>Sent: Wednesday, October 01, 2003 5:01 PM
>To: General DShield Discussion List
>Subject: Re: [Dshield] CA eTrust TARGET Advisory - Monitoring New
>"Attack"Activity
>
>
>Heh, pays to read your own posts sometimes. I guess this is changing the
>DNS settings on the workstation not the server. Still, it's an
>interesting way of getting people to visit the sites you want them to
>visit without them knowing.
>
>
>>On Wed, 2003-10-01 at 15:44, Kenton Smith wrote:
>> Anyone have any insight on this? I don't run any Windows DNS servers
>> externally, however it looks as though this happens through IE, so may
>> affect any Windows DNS server.
>>
>> They list a CERT advisory note - IN-2003-04, but this doesn't say
>> anything specifically about the DNS thing.
>>
>> Kenton
>>
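
A read-only check of the three things this thread mentions (the hosts file, the workstation's DNS server settings, and the Remote Registry and DNS Client services), added here as an example and not part of any poster's message. The function name Get-SuspectHostsEntry and the sample hosts lines are constructed for illustration, and treating every name other than localhost as worth review is an assumption.

```powershell
# Added example: read-only triage, changes nothing on the system.

# Parse hosts-file text and return every name-to-address mapping
# other than "localhost" (assumption: a stock hosts file has no others).
function Get-SuspectHostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()      # drop trailing comments
        if (-not $text) { continue }                 # blank or comment-only line
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }        # address with no host name
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -ieq 'localhost') { continue }
            [pscustomobject]@{ Address = $ip; HostName = $name }
        }
    }
}

# Constructed sample input (not from a real system); 192.0.2.0/24 is a
# documentation-only address range.
$sample = @(
    '# Sample hosts file',
    '127.0.0.1       localhost',
    '192.0.2.10      www.example.com example.com   # constructed redirect'
)
'--- sample hosts entries to review ---'
Get-SuspectHostsEntry -Lines $sample | Format-Table -AutoSize

# Same check against the live hosts file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
'--- live hosts entries to review ---'
Get-SuspectHostsEntry -Lines (Get-Content -Path $hostsPath) | Format-Table -AutoSize

# State of the two services named in the thread.
'--- service state ---'
Get-Service -Name RemoteRegistry, Dnscache |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# DNS servers configured per interface; compare against the resolvers
# your network is supposed to hand out.
'--- configured DNS servers ---'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize
```

Get-DnsClientServerAddress requires Windows 8 / Server 2012 or later; on older systems `ipconfig /all` shows the same per-interface DNS servers.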
