[61890] in North American Network Operators' Group
RE: dns.exe virus?
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Mon Sep 8 16:56:28 2003
Date: Mon, 8 Sep 2003 21:55:31 +0100 (BST)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Ken Budd <kbudd@702com.net>
Cc: nanog@merit.edu
In-Reply-To: <005601c37648$b18f3060$0b0114ac@gimp>
Errors-To: owner-nanog-outgoing@merit.edu
I have seen MS DNS go into some kind of resolving loop madness where for some
reason it continually tries lookups. In the cases when I've seen it, it has
been a customer server which seemed to loop on some lame delegations - I noticed
it as the queries on the lames loaded our DNS caches!
Steve
On Mon, 8 Sep 2003, Ken Budd wrote:
> DNS.exe is the executable for Microsoft DNS. This is either some
> kind of bug or a function of active directory w/in Windows 2000.
>
> regards,
>
> Ken Budd
> Data Systems Engineer
> 702 Communications
> Moorhead, MN 56560
> phone: 218.284.5702
> Fax: 218.284.5746
>
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf
> Of Christopher J. Wolff
> Sent: Monday, September 08, 2003 3:10 PM
> To: nanog@merit.edu
> Subject: dns.exe virus?
>
>
>
> Greetings,
>
> After tracking down what I believed was an attempted DOS attack, it
> turns out that two Windows 2000 servers, fully updated, were spewing
> out hundreds of port 53 requests. Upon further investigation dns.exe
> was hogging 99% of the CPU.
>
> I haven't found any reference to this at CERT so I thought I would
> drop the occurrence into the nanog funnel to see what comes out. The
> attack started around 8AM MST. Thank you for your consideration.
>
> Regards,
> Christopher J. Wolff, VP CIO
> Broadband Laboratories, Inc.
> http://www.bblabs.com
>
>
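Added example, not part of the original thread: one way a cache operator could spot the pattern described above, a single client repeating the same failing question at a high rate, from a resolver query log. The log format, addresses, names and thresholds are constructed for illustration, and it assumes lookups that hit lame delegations show up at the cache as SERVFAIL.

```python
from collections import defaultdict, deque

def _build_sample():
    # Constructed log lines in an assumed format:
    #   "<epoch-seconds> <client-ip> <qname> <qtype> <rcode>"
    lines = []
    for i in range(40):   # looping server: same question every 0.5 s, always failing
        lines.append(f"{1000 + i * 0.5:.1f} 192.0.2.10 host.lame.example. A SERVFAIL")
    for i in range(5):    # ordinary client: varied names that resolve
        lines.append(f"{1000 + i * 4} 198.51.100.7 www{i}.example.org. A NOERROR")
    for i in range(3):    # ordinary client: a few retries of a failing name, then stops
        lines.append(f"{1002 + i} 198.51.100.7 mail.lame.example. MX SERVFAIL")
    return sorted(lines, key=lambda l: float(l.split()[0]))

SAMPLE_LOG = _build_sample()

def find_looping_clients(lines, window_s=10.0, threshold=15):
    """Map (client, qname, qtype) -> peak count of identical SERVFAIL
    questions seen inside any sliding window of window_s seconds."""
    recent = defaultdict(deque)   # question key -> timestamps still in the window
    peaks = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines
        ts, client, qname, qtype, rcode = parts
        try:
            t = float(ts)
        except ValueError:
            continue
        if rcode != "SERVFAIL":
            continue              # only failing lookups are of interest here
        key = (client, qname.lower().rstrip("."), qtype)
        q = recent[key]
        q.append(t)
        while t - q[0] > window_s:
            q.popleft()           # expire timestamps older than the window
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

if __name__ == "__main__":
    for (client, qname, qtype), n in find_looping_clients(SAMPLE_LOG).items():
        print(f"{client} repeated {qname}/{qtype} {n} times within 10 s")
```
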