[funsec] Rogue DNS Servers

Jeff Kell jeff-kell at utc.edu
Wed Mar 28 22:52:08 CDT 2007


Fergie wrote:
> Researchers of Trend Micro have identified a network of more than 115 rogue
> DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS
> servers exhibit interesting behavior. 

I get timeouts trying to reference the URL, so I can't get the 
details... but...

If you're talking about the Inhoster hooks, this has been going on for 
months.  DNS clients are hijacked to point to various servers in 
85.255.112.0/20.

Recently (last 48 hours) I've seen enduser queries out of our block 
(excluding our internal recursive servers) directed toward...

>  < Dst IP address >  	 < Total # > 
>   85.255.112.116   	1420
>   85.255.112.183   	3
>   85.255.116.53   	1940
>   85.255.116.168   	3
>

I don't see any other "out of the ordinary" outbound DNS, at least not
clustered.

Jeff
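The check Jeff describes above (count end-user DNS flows out of your own block toward 85.255.112.0/20, leaving out the internal recursive resolvers) as an added Python example; this is not code from the post or from Trend Micro. The flow records are constructed, and the campus block (10.0.0.0/16) and resolver addresses (10.0.0.53, 10.0.1.53) are hypothetical placeholders for your own.

```python
"""Flag end-user hosts whose DNS traffic goes to the rogue 85.255.112.0/20 block.

Added example, not from the mailing-list post. Flow records are constructed;
the campus block and internal resolver addresses are hypothetical.
"""
import ipaddress
from collections import Counter, defaultdict

# The rogue-resolver block named in the post.
ROGUE_NET = ipaddress.ip_network("85.255.112.0/20")
# Hypothetical campus block and its legitimate recursive resolvers. The
# resolvers are excluded, as the post excludes internal recursive servers,
# because forwarding from them is expected; a client going there directly is not.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")
INTERNAL_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Constructed flow export (src,dst,proto,dport,packets); not real data.
SAMPLE_FLOWS = """\
10.0.3.41,85.255.112.116,udp,53,12
10.0.3.41,85.255.112.116,udp,53,8
10.0.0.53,85.255.112.116,udp,53,3
10.0.7.9,85.255.116.53,udp,53,20
10.0.7.9,8.8.8.8,udp,53,5
10.0.9.2,85.255.120.1,udp,53,4
10.0.9.2,85.255.112.116,tcp,443,1
10.0.2.2,85.255.128.1,udp,53,4
"""


def parse_flows(text):
    """Parse CSV flow lines into (src, dst, proto, dport, packets) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto.lower(), int(dport), int(pkts)))
    return flows


def is_rogue_dns(src, dst, proto, dport):
    """True for DNS (udp/tcp 53) from a local client, not a resolver, to the rogue block."""
    return (src in LOCAL_NET and src not in INTERNAL_RESOLVERS
            and proto in ("udp", "tcp") and dport == 53
            and dst in ROGUE_NET)


def rogue_dns_summary(flows):
    """Return (packets per rogue destination, sorted clients per rogue destination)."""
    per_dst = Counter()
    clients = defaultdict(set)
    for src, dst, proto, dport, pkts in flows:
        if is_rogue_dns(src, dst, proto, dport):
            per_dst[str(dst)] += pkts
            clients[str(dst)].add(str(src))
    return per_dst, {d: sorted(c) for d, c in clients.items()}


def affected_hosts(flows):
    """Local hosts talking to any rogue resolver, i.e. the machines to clean up."""
    _, clients = rogue_dns_summary(flows)
    return sorted({h for hosts in clients.values() for h in hosts},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    per_dst, clients = rogue_dns_summary(flows)
    print(f"{'< Dst IP address >':<20}{'< Total # >':>12}  clients")
    for dst, total in per_dst.most_common():
        print(f"{dst:<20}{total:>12}  {', '.join(clients[dst])}")
    print("hosts to remediate:", ", ".join(affected_hosts(flows)))
```

Feed it your own flow export in the same column order; the 85.255.128.1 record is there to show that the /20 boundary is applied exactly (that address falls just outside it), and the 10.0.0.53 record shows the resolver exclusion removing expected forwarding traffic from the count.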