New DNS cache poisoning server
Looks like we got us another DNS server trying to poison DNS caches:
If you run a larger network, we recommend to block all traffic to this host.
A quick check with 'dig' shows that this server advertises itself as authoritative for '.com', and returns the same IP for all queries to .com domains.
For the particular report we have, the original domain that caused a querry against this DNS server was intelliview.com. (Thanks Adrien for figuring this out!!)
Once your cache is poisoned. All requests to .com hosts are redirected either to 184.108.40.206 or 220.127.116.11. You will see a minimal search enigne like page and an advertisement for _http_://www.privacycash.com (DO NOT CLICK),
DNS Poisoning Stats
The DNS spoofing attack on March 3rd redirected affected users to a set of
compromissed web servers. Some of the administrators of these servers agreed
to share logs collected during the attack (THANKS!). Based on these logs, we
collected the following statistics:
o 1,304 domains poisoned (pulled from the referer entries in the HTTPD logs)
o 7,973,953 HTTP get attempts from 966 unique IP addresses.
o 75,529 incoming email messages from 1,863 different mailservers.
o 7,455 failed FTP logins from 635 unique IP addresses (95 unique user accounts).
o 7,692 attempted IMAP logins (805 unique users, 411 unique IP addresses).
o 2,027 attempted logins to 82 different webmail (HTTP) servers.
BlueMounting Greeting Cards
We received multiple reports about "BlueMountain Greeting Cards" being used to spread malware. The links read like they link to the bluemountain.com web site, but in fact they link to other sites not affiliated with bluemountain.com. The email headers are fake and not sent via bluemountain.com.
Sites the e-mails link to (looks down now, but note that these sites may distribute malware. DO NOT CLICK).
(thank to Brian for additional versions of the URL).
Typical content (thanks Chris!):
Windows 2003 SP1 released
was released today. One of the new features is a "Security Configuration Wizard". If you had a chance to use it, let us know how you liked it.
Service Packs usually include all past patches, and a set of new features. You should carefully test service packs before deploying them in a production environment.
Ryan Barnett setup a cgi script on his web server to collect more information from awstats.pl exploit attempts. This is achieved using the following httpd.conf directive:
the 'script' will parse any commands passed to it, and provide plausible but fake responses. Shortly after Ryan's script detected the standard 'awstats.pl' attempt
( /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|), he detected a followup exploit from the same IP address:
A google search for the string 'DTORS_START' and 'DTORS_STOP' leads to an awstats exploit package on
Nice detect Ryan!
Orlando detected a large increase in port 1025 scans of his network. The scans subsided after a day, but are noteworthy. If you see any temporary increases in TCP SYN scans to port 1025, please try to setup a little netcat honeypot. Our best guess so far is that these scans target an RPC service.
The FrSIRT reports that Windows 9x and ME users report problems with patch MS05-002. After installing this patch, MSIE will no longer start. For details, see this discussion on .
If you do still use a Windows version prior to Windows XP/2000, you should upgrade to a newer version of Windows.
Johannes Ullrich, SANS Institute (jullrich\at/sans.org)I will be teaching next: Intrusion Detection In-Depth - SIEM Summit & Training 2019
Mar 31st 2005
1 decade ago