[Dshield] increase port 53 traffic and compromised hosts

Bob Savage bsavage at rnr-inc.com
Thu Jan 22 12:07:52 GMT 2004


The Fishhook Installer seems to be part of the WildTangent package.  WildTangent is adware but it can be uninstalled without too much trouble.  I've cleaned it off one machine several times (boss's son).  There are instructions on the PestPatrol web site and I'm sure elsewhere as well.

Bob Savage
IT Manager
RNR, Inc.


-----Original Message-----
From: Deb Hale [mailto:haled at pionet.net]
Sent: Wednesday, January 21, 2004 9:51 PM
To: General DShield Discussion List
Subject: Re: [Dshield] increase port 53 traffic and compromised hosts



Pete,
Are you sure it is not Wild Tangent?  I have dealt with that before. Never
heard of WildTargets.
Deb

----- Original Message ----- 
From: "Pete Cap" <peteoutside at yahoo.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, January 21, 2004 8:53 PM
Subject: Re: [Dshield] increase port 53 traffic and compromised hosts


Just something I thought I would note...
My folks' firewall continually blocks attempts by some parasite which came
with AIM to connect to WildTargets (a spyware firm, apparently) in order to
update itself.

Today it started trying to make connections on port 53 with various other
IPs on Cox.

The program is called the "Fishhook Installer" and I can't find any info for
it on Google.

Any ideas?

Regards,
Pete

Pete Cap <peteoutside at yahoo.com> wrote:
Just a quick question...

Have you tried correlating this activity with anything else?

What other significant recon or "apparent" DDoS are you seeing?

Regards,
Pete

Alan Frayer wrote:
On Mon, 2004-01-19 at 16:57, hostmaster at denverdata.com wrote:

> We're receiving an interesting surge in DNS traffic that began approx. 3PM MST
> on Jan 18. The surge is interesting in that:
>
> * we do not have a publicly accessible DNS server at the target of the traffic
> * all traffic is originating from 17 unique hosts (most in the ev1.net space,
> 1 host in aol.com)
> * the traffic appears to be legitimate DNS name queries -- one captured
> request was for 217-125-299-77.UC.NOMBRES.TTD.ES
> * for any given host, the same source port is always used. For a few of the
> hosts the source port flip-flops between two ports.
> * at least two of the hosts appear to be compromised Windows boxes w/open port
> 27374 (SubSeven)


A consulting client of mine has had similar issues, with attacks on only
one public IP, however we lack the necessary components to capture the
packets and further analyze them (I'm lucky that I can send Dshield the
reports and participate in the Fightback program). These port 53 attacks
make up the majority of attacks to this company's IPs (even with 6 IPs
reporting), yet they don't actually shut down the bandwidth, so the
company isn't requesting further action on my part.

The funny thing is, I haven't been able to rally enough support from
anyone to actually do anything with them. They don't individually have
enough targets to allow me to request a Fightback on them, and I don't
see where I have enough leverage on my own.




________________________________________________________________________

Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




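The fixed-source-port pattern hostmaster describes above (UDP/53 queries aimed at an address that is not a DNS server, each source reusing one or two source ports) can be flagged from ordinary firewall logs. This is an added example, not code from the list or from any poster; the log line format, the addresses, and the thresholds are constructed for illustration.

```python
# Added example: flag the traffic pattern described in the thread (DNS queries
# to a host that is not a DNS server, each source reusing one or two fixed
# source ports). Log format and addresses are constructed, not from the list.
from collections import defaultdict
import re

LINE_RE = re.compile(
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) proto=(?P<proto>\w+)"
)

# Constructed sample: 198.51.100.0/24 is "our" space; only .53 runs a resolver.
SAMPLE_LOG = """\
Jan 18 15:01:02 fw src=203.0.113.10 spt=1042 dst=198.51.100.7 dpt=53 proto=udp
Jan 18 15:01:03 fw src=203.0.113.10 spt=1042 dst=198.51.100.7 dpt=53 proto=udp
Jan 18 15:01:05 fw src=203.0.113.10 spt=1042 dst=198.51.100.7 dpt=53 proto=udp
Jan 18 15:01:06 fw src=203.0.113.11 spt=3000 dst=198.51.100.7 dpt=53 proto=udp
Jan 18 15:01:07 fw src=203.0.113.11 spt=3001 dst=198.51.100.7 dpt=53 proto=udp
Jan 18 15:01:08 fw src=203.0.113.11 spt=3000 dst=198.51.100.7 dpt=53 proto=udp
Jan 18 15:01:09 fw src=203.0.113.11 spt=3001 dst=198.51.100.7 dpt=53 proto=udp
Jan 18 15:01:10 fw src=192.0.2.5 spt=51234 dst=198.51.100.53 dpt=53 proto=udp
Jan 18 15:01:11 fw src=192.0.2.5 spt=51299 dst=198.51.100.53 dpt=53 proto=udp
Jan 18 15:01:12 fw src=192.0.2.5 spt=51307 dst=198.51.100.53 dpt=53 proto=udp
Jan 18 15:01:13 fw src=203.0.113.12 spt=4444 dst=198.51.100.7 dpt=80 proto=tcp
"""

def find_fixed_port_dns_sources(log_text, dns_servers, min_queries=3, max_ports=2):
    """Return {src: (dst, sorted source ports)} for sources that send at least
    min_queries UDP/53 queries to an address that is not a known DNS server
    while reusing at most max_ports distinct source ports (fixed or
    flip-flopping source port, as in the thread)."""
    seen = defaultdict(lambda: defaultdict(list))  # src -> dst -> [spt, ...]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "53" or m["proto"] != "udp":
            continue
        if m["dst"] in dns_servers:
            continue  # queries to a real resolver are expected traffic
        seen[m["src"]][m["dst"]].append(int(m["spt"]))
    flagged = {}
    for src, dsts in seen.items():
        for dst, ports in dsts.items():
            if len(ports) >= min_queries and len(set(ports)) <= max_ports:
                flagged[src] = (dst, sorted(set(ports)))
    return flagged

if __name__ == "__main__":
    for src, (dst, ports) in find_fixed_port_dns_sources(SAMPLE_LOG, {"198.51.100.53"}).items():
        print(f"{src} -> {dst}: fixed source port(s) {ports}")
```

On the sample, the two sources hammering the non-resolver .7 are flagged while the client using the real resolver with ephemeral ports is not; a flagged host is a candidate for further capture, not proof of compromise.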