[funsec] Rogue DNS Servers

Jeff Kell jeff-kell at utc.edu
Wed Mar 28 22:52:08 CDT 2007

Fergie wrote:
> Researchers of Trend Micro have identified a network of more than 115 rogue
> DNS servers that are used by a certain variant of TROJ_DNSCHANG. These DNS
> servers exhibit interesting behavior. 

I get timeouts trying to reference the URL, so I can't get the 
details... but...

If you're talking about the Inhoster hooks, this has been going on for 
months.  DNS clients are hijacked to point to various servers in

Recently (last 48 hours) I've seen end-user queries out of our block 
(excluding our internal recursive servers) directed toward...

>  < Dst IP address >  	 < Total # > 
>   	1420
>   	3
>   	1940
>   	3

I don't see any other "out of the ordinary" outbound DNS, at least not 
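The kind of tally described in the message above (end-user DNS queries that bypass the internal recursive servers, counted per destination) can be produced from flow records as sketched below. This is an added example, not part of the original post; the address block, resolver addresses, record layout and sample flows are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumptions (constructed, not from the post): site block and resolver IPs.
SITE_BLOCK = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.20.0.53"),
                      ipaddress.ip_address("10.20.0.54")}

# Constructed flow records, one per line: src,dst,proto,dport
SAMPLE_FLOWS = """\
10.20.4.17,10.20.0.53,udp,53
10.20.4.17,203.0.113.10,udp,53
10.20.9.200,203.0.113.10,udp,53
10.20.9.200,203.0.113.10,tcp,53
10.20.0.53,198.51.100.7,udp,53
10.20.7.5,198.51.100.7,udp,53
10.20.7.5,198.51.100.7,tcp,443
172.16.1.1,203.0.113.10,udp,53
not-an-ip,203.0.113.10,udp,53
"""

def direct_dns_by_destination(flow_text):
    """Count DNS flows from end-user hosts to servers other than our resolvers.

    Returns (totals, clients): flows per destination, and the set of
    internal sources seen talking to each destination.
    """
    totals, clients = Counter(), {}
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            src = ipaddress.ip_address(row[0].strip())
            dst = ipaddress.ip_address(row[1].strip())
            proto, dport = row[2].strip().lower(), int(row[3])
        except (ValueError, IndexError):
            continue  # malformed record
        if dport != 53 or proto not in ("udp", "tcp"):
            continue  # not DNS
        if src not in SITE_BLOCK or src in INTERNAL_RESOLVERS:
            continue  # not an end-user host (recursive servers query out legitimately)
        if dst in INTERNAL_RESOLVERS or dst in SITE_BLOCK:
            continue  # normal path through internal resolution
        totals[str(dst)] += 1
        clients.setdefault(str(dst), set()).add(str(src))
    return totals, clients

if __name__ == "__main__":
    totals, clients = direct_dns_by_destination(SAMPLE_FLOWS)
    print(f"{'Dst IP address':<18}{'Total #':>8}{'Clients':>9}")
    for dst, n in totals.most_common():
        print(f"{dst:<18}{n:>8}{len(clients[dst]):>9}")
```

The per-destination client sets give the list of hosts to check for a changed resolver setting.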