[Dshield] QHOSTS-1 - DNS/Hosts file issues
danny at eboundary.com
Thu Oct 2 17:43:26 GMT 2003
> So, anybody know any URLs for these that we can (at least temporarily)
> block at the proxy?
This is an email sent to NNTBUGTRAQ yesterday.
----- Original Message -----
From: "Shannon" <bip0dbrm001 at SNEAKEMAIL.COM>
To: <NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM>
Sent: Wednesday, October 01, 2003 12:07 AM
Subject: Something changing DNS server settings
We're having a strange thing in our domain. Various Windows 2000
professional workstations are changing the DNS servers they are
configured to use. So far observed are spontantiously changing to
22.214.171.124 and 126.96.36.199. (Neither IP correctly reverse looks
up, but both are hosted on "ev1.net") Due to our network topology,
this breaks things pretty quickly as these servers cannot resolve our
internal DNS. The former address is still responding as a DNS server,
but the second is not as far as I can tell.)
Resetting the computer to autodetect the DNS server (use DHCP) restores
the computer to normal funcitonality.
However, I strongly suspect a worm, virus or some kind of delibrate
targeted attack. (Latest NAV defs are unable to detect anything on an
affected machines as yet.) When I looked in the registry of one of the
affected computers, I found this:
(as a trimmed exported registry file)
You'll notice that "windows" with "r0x" = "your s0x" which is pretty
clear evidence of some kind of ne'er do well. I'm not sure if it's a
local worm or something taking advantage of remote registry services or
something, but it's not good. And the NameServer is supposed to be
blank indicating automatic DHCP configuration.
(Changing the local machine's config in the network control panel
appears to reset the entire
hklm\system\ccs\services\parameters\intefaces key, removing this "r0x"
Anyone aware of anything that has this kind of behaviour? And what do
I do to fix it? And what else has this thing done? So far, it has
happened on four machines in our office.
I'll forward more information if I find any.
Thanks in advance,
(if this email doesn't work, smccracken-at-tonkin-dot-co-dot-nz, but
this address should work fine.)
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now,
for a limited time, you can save 33% off of the TICSA certification
exam! To learn more about the TICSA certification, and to register as a
TICSA candidate online, just go to
More information about the list