North American Network Operators Group


RE: dns.exe virus?

  • From: Stephen J. Wilcox
  • Date: Mon Sep 08 16:58:21 2003

I have seen MS DNS go into some kind of resolving loop madness where for some 
reason it continually tries lookups. In the cases when I've seen it, it has 
been a customer server which seemed to loop on some lame delegations - I noticed 
it as the queries on the lames loaded our DNS caches!

Steve

On Mon, 8 Sep 2003, Ken Budd wrote:

> DNS.exe is the executable for Microsoft DNS.  This is either some
> kind of bug or a function of active directory w/in Windows 2000.
> 
> regards,
> 
> Ken Budd
> Data Systems Engineer
> 702 Communications
> Moorhead, MN 56560
> phone:  218.284.5702
> Fax:    218.284.5746 
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Christopher J. Wolff
> Sent: Monday, September 08, 2003 3:10 PM
> To: [email protected]
> Subject: dns.exe virus?
> 
> 
> 
> Greetings,
> 
> After tracking down what I believed was an attempted DOS attack, it
> turns out that two Windows 2000 servers, fully updated, were spewing
> out hundreds of port 53 requests.  Upon further investigation dns.exe
> was hogging 99% of the CPU.  
> 
> I haven't found any reference to this at CERT so I thought I would
> drop the occurrence into the nanog funnel to see what comes out.  The
> attack started around 8AM MST.  Thank you for your consideration.
> 
> Regards,
> Christopher J. Wolff, VP CIO
> Broadband Laboratories, Inc.
> http://www.bblabs.com 