[unisog] Fantastic browser exploit setting up spam relays

Phil.Rodrigues at uconn.edu
Thu Oct 2 18:44:15 GMT 2003


This is a simple table of the # of unique hosts at UConn that have sent 
port 53 traffic to the 3 servers referenced in Full-Disclosure per day:

09-25 000
09-26 006
09-27 015
09-28 050
09-29 097
09-30 136
10-01 177
10-02 136 (so far)

The CERT made this announcement yesterday:

http://www.cert.org/incident_notes/IN-2003-04.html

Look for outbound 53/udp traffic to these servers to see how many hosts 
are infected in your network:

216.127.92.38
69.57.146.14
69.57.147.175

Maybe these too:

207.44.194.56
64.191.59.85
64.191.95.139

To be clear: the MS03-032 patch does *not* protect against this 
vulnerability.  MS has stated they will patch vs this (on cnn) but did not 
give a date.  Good luck!

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================





Dax <dax at resnet.ucsb.edu>
10/02/2003 12:03 PM

To: unisog at sans.org
cc:
Subject: [unisog] Fantastic browser exploit setting up spam relays

Mornin' folks-

I've noticed ~100 or so users here infected with this:

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html

Can I get a "Whoa, REDMOND!"?


/Dax
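
Added example (not part of the original posts): one way to produce the per-day count of unique hosts described above, by filtering flow records for outbound 53/udp traffic to the six servers listed in the message. The CSV layout, the function name and the 10.20.0.0/16 local range are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Servers named in the post; the last three are its "maybe these too" list.
SUSPECT_SERVERS = {ip_address(a) for a in (
    "216.127.92.38", "69.57.146.14", "69.57.147.175",
    "207.44.194.56", "64.191.59.85", "64.191.95.139",
)}

# Constructed sample flow export (date,src,dst,proto,dport); not real traffic.
# 10.20.0.0/16 is an assumed stand-in for the local address range.
SAMPLE_FLOWS = """\
2003-10-01,10.20.1.5,216.127.92.38,udp,53
2003-10-01,10.20.1.5,69.57.146.14,udp,53
2003-10-01,10.20.7.9,64.191.59.85,udp,53
2003-10-01,10.20.3.3,192.0.2.53,udp,53
2003-10-01,10.20.4.4,216.127.92.38,tcp,80
2003-10-02,10.20.1.5,69.57.147.175,udp,53
2003-10-02,198.51.100.7,216.127.92.38,udp,53
truncated record
"""

def suspect_hosts_per_day(flow_csv, local_net="10.20.0.0/16"):
    """Map each day to the sorted local hosts that sent 53/udp to a listed server."""
    net = ip_network(local_net)
    per_day = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip malformed or truncated records
        day, src, dst, proto, dport = (field.strip() for field in row)
        try:
            src_ip, dst_ip = ip_address(src), ip_address(dst)
        except ValueError:
            continue  # skip records with unparsable addresses
        if (proto.lower() == "udp" and dport == "53"
                and dst_ip in SUSPECT_SERVERS and src_ip in net):
            per_day[day].add(src_ip)  # a set counts each host once per day
    return {day: [str(h) for h in sorted(hosts)]
            for day, hosts in sorted(per_day.items())}

if __name__ == "__main__":
    for day, hosts in suspect_hosts_per_day(SAMPLE_FLOWS).items():
        print(day[5:], f"{len(hosts):03d}", " ".join(hosts))
```

A host that queries several of the listed servers on the same day is counted once, which matches the "unique hosts per day" figures in the table.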






