[Dshield] Help: DNS (53)

Alan Frayer afrayer at frayernet.com
Fri Jan 2 20:38:51 GMT 2004


On Fri, 2004-01-02 at 13:41, Tod D. Ihde wrote:

> Do you have packet dumps? can we see what any of these packets contain?


No, sorry, the firewall stops the packets on the way in, and I have no
way of sampling them from outside the firewall, for a variety of
reasons.


> In addition, there is a (semi) new trojan that uses UDP/53 to 
> communicate with other infected machines. You may be seeing infected 
> machines try to see if you are also infected. Have you fingerprinted any 
> of the machines trying to contact you?


Again, no, but I have suspected this was the case since the sudden
increase in UDP/53 traffic a couple of months ago.

> afrayer at frayernet.com wrote:
> > Thank you for replying, Chris. The target IPs are ISP-provided public
> > IPs into private networks that are connected together through VPNs.
> > None of the private networks hold a DNS, and the only names they've been
> > given are NetBIOS names (which I do not believe would apply here); they
> > all exist within a simple NT domain.
> >
> > I would have to answer no to both questions, so I'm probably right in
> > rejecting the 53/UDP packets.
> 
> If any of these machines are Win2K or XP machines, they may be trying to 
> register their names with a DNS server, which would account for some 
> traffic. They'll retry periodically.
> 
> Other than that, Chris is dead on, listen to him (except for load 
> balancing, there's no such thing ;) ).


Win98SE, and the sources appear to be very specific about which of my
IPs they want to break into. Usually only one or two IPs are targeted.



________________________________________________________________________

Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com 
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org 
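Tod's remark about Win2K/XP hosts registering their names bears on how the UDP/53 traffic could be triaged if a payload were ever captured (for instance by a sniffer placed in front of the firewall): a dynamic-DNS registration is a DNS UPDATE message (opcode 5), whereas traffic from a trojan using port 53 as a channel need not be DNS at all. The block below is an added example, not code from this thread, that classifies a port-53 payload as a normal query, an UPDATE, or non-DNS; the sample payloads are constructed inside it.

```python
"""Classify UDP/53 payloads: normal DNS query, dynamic update (RFC 2136,
opcode 5, which Windows 2000/XP hosts send to register their names), or
not DNS at all. Sample payloads below are constructed for illustration."""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

def parse_name(data, off):
    """Read an uncompressed DNS name starting at off; return (name, new_off)."""
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        ln = data[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off

def classify(payload):
    """Describe a UDP/53 payload, or return 'non-DNS' if it fails sanity checks."""
    if len(payload) < 12:
        return "non-DNS"
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    qr = flags >> 15
    if opcode not in OPCODES or qd != 1:   # UPDATE also carries exactly one zone entry
        return "non-DNS"
    try:
        name, off = parse_name(payload, 12)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    except (ValueError, struct.error):    # UnicodeDecodeError is a ValueError
        return "non-DNS"
    if qclass not in (1, 254, 255):       # IN, NONE, ANY
        return "non-DNS"
    kind = "response" if qr else "request"
    return f"{OPCODES[opcode]} {kind} for {name} (type {qtype})"

def build(flags, name, qtype=1, qclass=1, ident=0x1234):
    """Construct a minimal one-question DNS message (only used to build sample input)."""
    body = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + body + struct.pack("!HH", qtype, qclass)

# Constructed samples: a lookup, a Windows-style registration (UPDATE, SOA on the zone), junk.
SAMPLES = {
    "lookup": build(0x0100, "www.example.com"),
    "update": build(5 << 11, "example.com", qtype=6),
    "junk": bytes(range(40)),
}
```

Run `classify` over each entry of `SAMPLES` to see the three outcomes; a firewall that logs only headers cannot make this distinction, which is why the question about packet dumps matters.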
 


