Re: [despammed] Bogus DNS traffic
From: whiplash (whiplash_at_despammed.com)
Date: 10/24/03
- Previous message: Christopher L. Morrow: "RE: Bogus DNS traffic"
- In reply to: David Gillett: "Bogus DNS traffic"
- Next in thread: Mike Brownbill: "RE: Need help to find web server attacks signature"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 24 Oct 2003 00:49:01 +0200 To: incidents@securityfocus.com
David Gillett wrote:
> I'm seeing random UDP packets to port 53 of random
> internal IP addresses. The source IP addresses are
> external, all over the map, although the one example
> I've gotten a good capture of bore the source MAC
> address of an internal server. (Whatever is spoofing
> the IP address *could* be spoofing the MAC address, but
> that would still indicate an origin inside our network....)
As reported elsewhere (see
http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg00168.html )
the origin of this malformed dns traffic could be a sort of trojan/worm
named kx.exe.
I just grabbed a copy of it following the procedure described in the
link reported above.
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
- Previous message: Christopher L. Morrow: "RE: Bogus DNS traffic"
- In reply to: David Gillett: "Bogus DNS traffic"
- Next in thread: Mike Brownbill: "RE: Need help to find web server attacks signature"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
