North American Network Operators Group

RE: dns.exe virus?
Chris,

It was really odd. Here is an example of what the two hosts .3 and .4 were up to.

Regards,
Christopher J.
Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Chris Lewis
Sent: Monday, September 08, 2003 1:52 PM
Cc: [email protected]
Subject: Re: dns.exe virus?

Christopher J. Wolff wrote:

> After tracking down what I believed was an attempted DOS attack, it
> turns out that two Windows 2000 servers, fully updated, were spewing out
> hundreds of port 53 requests. Upon further investigation dns.exe was
> hogging 99% of the CPU.
> I haven't found any reference to this at CERT so I thought I would drop
> the occurrence into the nanog funnel to see what comes out. The attack
> started around 8AM MST. Thank you for your consideration.

I wonder if this is the tool used to attack Spamhaus, SPEWS and SORBS. Do you know what the requests were for?