
Servers on ev1 attempting DNS poisoning.

This is a message sent to ntbugtraq, you guys may find it interesting

----- Original Message -----
From: "Shannon" <bip0dbrm001@*********>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Wednesday, October 01, 2003 12:07 AM
Subject: Something changing DNS server settings


We're having a strange thing in our domain. Various Windows 2000
Professional workstations are changing the DNS servers they are configured
to use. So far they have been observed spontaneously changing to 216.127.92.38 and
69.51.146.14. (Neither IP correctly reverse looks up, but both are hosted
on "ev1.net".) Due to our network topology, this breaks things pretty
quickly as these servers cannot resolve our internal DNS. (The former
address is still responding as a DNS server, but the second is not as far as
I can tell.)

Resetting the computer to autodetect the DNS server (use DHCP) restores the
computer to normal functionality.

However, I strongly suspect a worm, virus or some kind of deliberate targeted
attack. (Latest NAV defs are unable to detect anything on affected
machines as yet.) When I looked in the registry of one of the affected
computers, I found this:

(as a trimmed exported registry file)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"

You'll notice that "windows" with "r0x" = "your s0x" which is pretty clear
evidence of some kind of ne'er-do-well. I'm not sure if it's a local worm
or something taking advantage of remote registry services or something, but
it's not good. And the NameServer is supposed to be blank, indicating
automatic DHCP configuration.

(Changing the local machine's config in the network control panel appears to
reset the entire hklm\system\ccs\services\parameters\interfaces key, removing
this "r0x" entry.)

Anyone aware of anything that has this kind of behaviour? And what do I do
to fix it? And what else has this thing done? So far, it has happened on
four machines in our office.

I'll forward more information if I find any.

Thanks in advance,

Shannon McCracken
(if this email doesn't work, smccracken-at-tonkin-dot-co-dot-nz, but this
address should work fine.)
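The post quotes a trimmed .reg export of the Tcpip interface keys and names two indicators: a hard-coded NameServer where DHCP should have left it blank, and an unexpected value ("r0x") under a non-GUID interface key. The script below is an added example, not code from the post or the list; it parses such an export offline and flags those indicators across all interface keys. The sample .reg text is constructed from the values quoted above, the resolver allow-list (10.0.0.53) is a placeholder for the reader's own internal DNS servers, and the list of value names treated as normal is an assumption, not an exhaustive list of what Windows 2000 writes there.

```python
"""Flag DNS-tampering indicators in a Windows .reg export of the Tcpip
interface keys: static NameServer values outside an allow-list, value names
that do not belong under an interface key, and interface keys whose name is
not an adapter GUID. Added example; sample data is constructed from the post."""
import re

# Constructed from the registry fragment quoted in the post (added example).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
"""

INTERFACES_PREFIX = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Value names normally present under a DHCP-configured interface key.
# Assumption for this example: a partial list, extend it for your own builds.
KNOWN_VALUES = {
    "NameServer", "Domain", "IPAddress", "SubnetMask", "DefaultGateway",
    "EnableDHCP", "DhcpIPAddress", "DhcpSubnetMask", "DhcpServer",
    "DhcpNameServer", "DhcpDefaultGateway", "DhcpDomain",
    "LeaseObtainedTime", "LeaseTerminatesTime", "T1", "T2", "UseZeroBroadcast",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/hex(n): binary data is left undecoded here


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a regedit-style export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode(m.group(2))
    return keys


def find_indicators(keys, allowed_resolvers):
    """Return (interface, description) pairs for every suspicious observation."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(INTERFACES_PREFIX.lower()):
            continue
        iface = key[len(INTERFACES_PREFIX):]
        if not GUID_RE.match(iface):
            findings.append((iface, "interface key name is not an adapter GUID"))
        for name in values:
            if name not in KNOWN_VALUES:
                findings.append((iface, f"unexpected value {name!r}"))
        # An empty NameServer means the resolver list comes from DHCP, which is
        # the expected state on the workstations described in the post.
        ns = values.get("NameServer", "")
        if isinstance(ns, str) and ns.strip():
            for addr in re.split(r"[ ,]+", ns.strip()):
                if addr not in allowed_resolvers:
                    findings.append((iface, f"static NameServer {addr} not in allow-list"))
    return findings


if __name__ == "__main__":
    for iface, msg in find_indicators(parse_reg(SAMPLE_REG), {"10.0.0.53"}):
        print(f"{iface}: {msg}")
```

Run it against a full export of the Interfaces key taken with `regedit /e` from a suspect machine; an interface whose only NameServer comes from DHCP produces no finding, so anything the script prints is a key worth comparing against the post's fragment.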
