[Dshield] QHOSTS-1 - DNS/Hosts file issues

Daniel Hay danny at eboundary.com
Thu Oct 2 17:43:26 GMT 2003


> So, anybody know any URLs for these that we can (at least temporarily)
> block at the proxy?
>

This is an email sent to NTBUGTRAQ yesterday.


----- Original Message -----
From: "Shannon" <bip0dbrm001 at SNEAKEMAIL.COM>
To: <NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM>
Sent: Wednesday, October 01, 2003 12:07 AM
Subject: Something changing DNS server settings


We're having a strange thing in our domain.  Various Windows 2000
professional workstations are changing the DNS servers they are
configured to use.  So far observed are spontaneously changing to
216.127.92.38 and 69.51.146.14.  (Neither IP correctly reverse looks
up, but both are hosted on "ev1.net".)  Due to our network topology,
this breaks things pretty quickly as these servers cannot resolve our
internal DNS.  The former address is still responding as a DNS server,
but the second is not as far as I can tell.

Resetting the computer to autodetect the DNS server (use DHCP) restores
the computer to normal functionality.

However, I strongly suspect a worm, virus or some kind of deliberate
targeted attack.  (Latest NAV defs are unable to detect anything on
affected machines as yet.)  When I looked in the registry of one of the
affected computers, I found this:

(as a trimmed exported registry file)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

You'll notice that "windows" with "r0x" = "your s0x" which is pretty  
clear evidence of some kind of ne'er do well.  I'm not sure if it's a  
local worm or something taking advantage of remote registry services or  
something, but it's not good.  And the NameServer is supposed to be  
blank indicating automatic DHCP configuration.

(Changing the local machine's config in the network control panel
appears to reset the entire
hklm\system\ccs\services\parameters\interfaces key, removing this "r0x"
entry.)

Anyone aware of anything that has this kind of behaviour?  And what do  
I do to fix it?  And what else has this thing done?  So far, it has  
happened on four machines in our office.

I'll forward more information if I find any.

Thanks in advance,

Shannon McCracken
(if this email doesn't work, smccracken-at-tonkin-dot-co-dot-nz, but  
this address should work fine.)

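The registry export quoted above is the kind of artifact an administrator would want to sweep for across a fleet: an interface subkey that is not an adapter GUID, value names that Windows never writes there, and a hard-coded NameServer pointing at a resolver the organisation does not operate. The following is an added example, not code from the thread or from either poster: a small parser for the text format of a .reg export, plus a triage pass over every key beneath Tcpip\Parameters\Interfaces. The sample export reuses the two keys from the thread and adds one constructed, cleanly DHCP-configured adapter for contrast; the resolver allowlist (10.0.0.53) and the set of known value names are assumptions for the demonstration, not authoritative lists.

```python
import re

# Parent key under which Windows keeps per-adapter TCP/IP settings; the
# export in the thread is rooted here.
INTERFACES_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    + "\\"
)

# Value names Windows itself writes under an adapter interface key.
# Assumption: an illustrative set for this example, not an exhaustive list.
KNOWN_VALUE_NAMES = {
    "NameServer", "DhcpNameServer", "Domain", "DhcpDomain", "EnableDHCP",
    "IPAddress", "SubnetMask", "DefaultGateway", "DhcpIPAddress",
    "DhcpSubnetMask", "DhcpDefaultGateway", "DhcpServer",
    "LeaseObtainedTime", "LeaseTerminatesTime", "T1", "T2",
}

# Adapter interface subkeys are named by the adapter's GUID in braces.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: value}}.

    Handles the one-line forms seen in the thread ("string" and dword:hex);
    hex(...) data continued over lines with a trailing backslash is re-joined.
    Other data types are kept as their raw text.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # continuation of a multi-line hex value
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                value = data[1:-1]
            elif data.startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data
            keys[current][name] = value
    return keys


def triage_interfaces(keys, allowed_dns):
    """Return (interface, reason, detail) tuples for suspicious interface keys.

    An empty NameServer means the adapter takes its resolvers from DHCP (the
    normal state described in the thread); a non-empty one is reported only
    when a listed server is not in allowed_dns.
    """
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(INTERFACES_PREFIX.lower()):
            continue
        iface = path[len(INTERFACES_PREFIX):]
        servers = re.split(r"[ ,]+", str(values.get("NameServer", "")))
        for server in filter(None, servers):
            if server not in allowed_dns:
                findings.append((iface, "static NameServer not on allowlist", server))
        for name in values:
            if name not in KNOWN_VALUE_NAMES:
                findings.append((iface, "unexpected value name", name))
        if not GUID_RE.fullmatch(iface):
            findings.append((iface, "interface subkey is not an adapter GUID", iface))
    return findings


# Constructed sample: the two keys quoted in the thread plus one invented,
# cleanly DHCP-configured adapter for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}]
"EnableDHCP"=dword:00000001
"NameServer"=""
"DhcpNameServer"="10.0.0.53"
"""

# Constructed allowlist: the resolvers this network expects clients to use.
ALLOWED_DNS = {"10.0.0.53"}


def run_sample():
    return triage_interfaces(parse_reg_export(SAMPLE_EXPORT), ALLOWED_DNS)


if __name__ == "__main__":
    for iface, reason, detail in run_sample():
        print(f"{iface}: {reason} ({detail})")
```

Run against the sample, the "windows" key produces three findings (the off-allowlist NameServer, the "r0x" value name, and the non-GUID subkey name) and the GUID key one (its NameServer); the DHCP-configured adapter produces none, which is exactly the state the poster restored by switching the machine back to automatic DNS. Exports taken with `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces <file>` from each workstation can be fed to the same two functions.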