[61889] in North American Network Operators' Group

RE: dns.exe virus?

daemon@ATHENA.MIT.EDU (Christopher J. Wolff)
Mon Sep 8 16:53:22 2003

From: "Christopher J. Wolff" <chris@bblabs.com>
To: "'Chris Lewis'" <clewis@nortelnetworks.com>
Cc: <nanog@merit.edu>
Date: Mon, 8 Sep 2003 13:52:41 -0700
In-Reply-To: <3F5CEBF7.4060305@americasm01.nt.com>
Errors-To: owner-nanog-outgoing@merit.edu


Chris,

It was really odd.  Here is an example of what the two hosts .3 and .4
were up to.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com 

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Chris Lewis
Sent: Monday, September 08, 2003 1:52 PM
Cc: nanog@merit.edu
Subject: Re: dns.exe virus?


Christopher J. Wolff wrote:

> After tracking down what I believed was an attempted DOS attack, it
> turns out that two Windows 2000 servers, fully updated, were spewing out
> hundreds of port 53 requests.  Upon further investigation dns.exe was
> hogging 99% of the CPU.

> I haven't found any reference to this at CERT so I thought I would drop
> the occurrence into the nanog funnel to see what comes out.  The attack
> started around 8AM MST.  Thank you for your consideration.

I wonder if this is the tool used to attack Spamhaus, SPEWS and SORBS.

Do you know what the requests were for?

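A defender-side check for the symptom this thread describes (a couple of internal hosts fanning out to many distinct port-53 destinations), written over the kind of per-connection listing Christopher posted. This is an added example, not code from the thread or from either poster; the connection lines are constructed with documentation-range addresses, and the threshold `min_dests` is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sample in the "src:port dst:port dst:port" shape of the posted
# listing (documentation-range addresses, not the thread's data). Two hosts
# each reuse one source port while reaching many different port-53
# destinations; a third host does two ordinary lookups to a local resolver.
SAMPLE_CONNECTIONS = """\
10.11.0.4:1420    192.0.2.10:53     192.0.2.10:53
10.11.0.3:4554    192.0.2.11:53     192.0.2.11:53
10.11.0.3:4554    198.51.100.7:53   198.51.100.7:53
10.11.0.4:1420    203.0.113.30:53   203.0.113.30:53
10.11.0.3:4554    203.0.113.31:53   203.0.113.31:53
10.11.0.4:1420    198.51.100.8:53   198.51.100.8:53
10.11.0.3:4554    192.0.2.12:53     192.0.2.12:53
10.11.0.4:1420    192.0.2.13:53     192.0.2.13:53
10.11.0.3:4554    192.0.2.11:53     192.0.2.11:53
10.11.0.3:4554    198.51.100.9:53   198.51.100.9:53
10.11.0.9:51234   10.11.0.1:53      10.11.0.1:53
10.11.0.9:51235   10.11.0.1:53      10.11.0.1:53
"""

# First two whitespace-separated "ip:port" fields; the third column repeats
# the destination in the posted format and is ignored.
SOCKET_RE = re.compile(r"^([\d.]+):(\d+)\s+([\d.]+):(\d+)")


def parse_connections(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def dns_fanout(conns, min_dests=4):
    """Map each source IP that reaches at least min_dests distinct port-53
    destinations to (distinct destination count, sorted source ports).
    A single reused source port alongside a wide fan-out points at one
    long-lived resolver socket (a server process) rather than stub clients."""
    dests, ports = defaultdict(set), defaultdict(set)
    for src, sport, dst, dport in conns:
        if dport == 53:
            dests[src].add(dst)
            ports[src].add(sport)
    return {src: (len(d), sorted(ports[src]))
            for src, d in dests.items() if len(d) >= min_dests}


def report(text=SAMPLE_CONNECTIONS, min_dests=4):
    """Run the check over a listing and return the flagged sources."""
    return dns_fanout(parse_connections(text), min_dests)
```

On the constructed sample, `report()` flags 10.11.0.3 and 10.11.0.4 and leaves the two-lookup client alone; feeding it a real `netstat -n` style capture only requires the same two-column layout.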