dns.exe virus?

Christopher J. Wolff chris at bblabs.com
Mon Sep 8 20:52:41 UTC 2003


Chris,

It was really odd.  Here is an example of what the two hosts .3 and .4
were up to.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com 

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Chris Lewis
Sent: Monday, September 08, 2003 1:52 PM
Cc: nanog at merit.edu
Subject: Re: dns.exe virus?


Christopher J. Wolff wrote:

> After tracking down what I believed was an attempted DOS attack, it
> turns out that two Windows 2000 servers, fully updated, were spewing
> out hundreds of port 53 requests.  Upon further investigation dns.exe was
> hogging 99% of the CPU.
>
> I haven't found any reference to this at CERT so I thought I would
> drop the occurrence into the nanog funnel to see what comes out.  The
> attack started around 8AM MST.  Thank you for your consideration.

I wonder if this is the tool used to attack Spamhaus, SPEWS and SORBS.

Do you know what the requests were for?
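A detection check for the pattern Christopher describes above (one local source port on a host fanning out to many different port-53 peers, rather than a stub resolver's usual fresh-port-per-query toward one or two configured resolvers), added here as an illustration and not part of the thread; the connection lines are constructed in the same three-column layout as his listing, using documentation-range addresses rather than the ones he posted.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the listing in the post:
# local socket, remote socket, remote socket repeated.  Hosts .3 and .4
# each reuse one source port toward several DNS servers; .7 behaves like
# a normal stub resolver (new port per query, one resolver); .5 is not DNS.
SAMPLE = """\
10.11.0.4:1420     192.0.2.10:53      192.0.2.10:53
10.11.0.3:4554     198.51.100.5:53    198.51.100.5:53
10.11.0.3:4554     198.51.100.6:53    198.51.100.6:53
10.11.0.3:4554     203.0.113.20:53    203.0.113.20:53
10.11.0.4:1420     192.0.2.11:53      192.0.2.11:53
10.11.0.4:1420     192.0.2.12:53      192.0.2.12:53
10.11.0.3:4554     203.0.113.21:53    203.0.113.21:53
10.11.0.3:4554     198.51.100.5:53    198.51.100.5:53
10.11.0.7:3210     10.11.0.1:53       10.11.0.1:53
10.11.0.7:3211     10.11.0.1:53       10.11.0.1:53
10.11.0.7:3212     10.11.0.1:53       10.11.0.1:53
10.11.0.5:1080     192.0.2.40:80      192.0.2.40:80
"""

LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_connections(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def flag_dns_fanout(text, min_distinct_dst=3):
    """Return {(src_ip, src_port): distinct_dst_count} for local sockets that
    contact at least min_distinct_dst different port-53 peers.  Ordinary
    resolver traffic spreads over many source ports toward few destinations,
    so a single source port with wide fan-out is the signal worth alerting on."""
    fanout = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in parse_connections(text):
        if dst_port == 53:
            fanout[(src_ip, src_port)].add(dst_ip)
    return {sock: len(dsts) for sock, dsts in fanout.items()
            if len(dsts) >= min_distinct_dst}


if __name__ == "__main__":
    for (ip, port), n in sorted(flag_dns_fanout(SAMPLE).items()):
        print(f"{ip}:{port} -> {n} distinct DNS servers")
```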
