[Dshield] Help: DNS (53)
afrayer at frayernet.com
Fri Jan 2 20:38:51 GMT 2004
On Fri, 2004-01-02 at 13:41, Tod D. Ihde wrote:
> Do you have packet dumps? can we see what any of these packets contain?
No, sorry, the firewall stops the packets on the way in, and I have no
way of sampling them from outside the firewall, for a variety of
> In addition, there is a (semi) new trojan that uses UDP/53 to
> communicate with other infected machines. You may be seeing infected
> machines try to see if you are also infected. Have you fingerprinted any
> of the machines trying to contact you?
Again, no, but have suspected this was the case since the sudden
increase in UDP/53 traffic a couple months ago.
> afrayer at frayernet.com wrote:
> >Thank you for replying, Chris. The target IPs are ISP-provided public
> >IPs into private networks that are connected together through VPNs.
> >None of the private networks hold a DNS, and the only names they've been
> >given are NetBIOS names (which I do not believe would apply here); they
> >all exist within a simple NT domain.
> >I would have to answer no to both questions, so I'm probably right in
> >rejecting the 53/UDP packets.
> If any of these machines are Win2K or XP machines, they may be trying to
> register their names with a DNS server, which would account for some
> traffic. They'll retry periodically.
> Other than that, Chris is dead on, listen to him (except for load
> balancing, there's no such thing ;) ).
Win98SE, and the sources appear to be very specific about which of my
IPs they want to break into. Usually only one or two IPs are targeted.
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org
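The thread turns on a question the firewall operator cannot answer without packet dumps: is the blocked UDP/53 traffic a client retrying a DNS name registration on a fixed schedule, or something else probing specific IPs? Firewall drop logs alone can separate the two. The script below is an added example written for this page, not code from the Dshield thread or its participants. It assumes a constructed, iptables-like drop-log format (the SRC=/DST=/PROTO=/DPT= fields and the sample lines are made up for the example), filters inbound UDP datagrams to port 53, tallies which sources hit which destination IPs, and flags sources whose hits arrive at a steady interval, the signature of a periodic retry rather than a one-off probe.

```python
"""Summarize blocked inbound UDP/53 traffic from firewall drop lines.

Added example, not from the original Dshield thread.  The log format
below is a hypothetical iptables-style layout constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (documentation-range IPs, not real traffic).
# 198.51.100.7 retries every 5 s against one IP; 192.0.2.33 sends irregular
# probes to two IPs; the TCP/53 and UDP/137 lines must be ignored.
SAMPLE_LOG = """\
Jan 2 20:01:00 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=1045 DPT=53
Jan 2 20:01:05 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=1045 DPT=53
Jan 2 20:01:10 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=1045 DPT=53
Jan 2 20:01:15 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=1045 DPT=53
Jan 2 20:02:00 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.10 PROTO=UDP SPT=3301 DPT=53
Jan 2 20:02:01 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.11 PROTO=UDP SPT=3302 DPT=53
Jan 2 20:02:02 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.10 PROTO=TCP SPT=3303 DPT=53
Jan 2 20:02:03 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.10 PROTO=UDP SPT=3304 DPT=137
Jan 2 20:02:30 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.10 PROTO=UDP SPT=3305 DPT=53
"""

# Assumed field layout of the constructed log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_udp53(log_text):
    """Return (timestamp, src, dst) for every dropped UDP datagram to port 53."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "UDP" or m["dpt"] != "53":
            continue
        # Syslog stamps carry no year; fine for intervals within a day.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"]))
    return events


def summarize(events):
    """Count hits per source, broken down by the destination IP targeted."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, src, dst in events:
        counts[src][dst] += 1
    return {src: dict(dsts) for src, dsts in counts.items()}


def periodic_sources(events, min_hits=3, tolerance=2.0):
    """Flag sources whose hits arrive at a steady cadence.

    A fixed gap between consecutive packets (all gaps within `tolerance`
    seconds of each other) is what a client retrying a failed name
    registration looks like; irregular gaps point at scanning or something
    else.  Returns {src: median_gap_seconds} for the steady sources only.
    """
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    steady = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            steady[src] = median(gaps)
    return steady


if __name__ == "__main__":
    evs = parse_udp53(SAMPLE_LOG)
    for src, dsts in summarize(evs).items():
        print(src, "->", dsts)
    print("steady-interval sources:", periodic_sources(evs))
```

The cadence check is a heuristic, not proof: it only tells you which sources behave like a retry loop and which IPs they single out, so the periodic ones can be followed up with their owner while the irregular ones keep being dropped, which is the decision the thread arrives at anyway.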