> ....  The hacker is able to do this quick switching because he
> has installed DNS name servers for his domains on other 
> home computers under his control.  

  See the word "other" at the end of the second line?  Presumably,
it is only these other machines running the DNS services that can't
be changed quickly (for the reasons you suggest).

David Gillett


> -----Original Message-----
> From: James [mailto:[EMAIL PROTECTED]
> Sent: July 13, 2003 23:36
> To: [EMAIL PROTECTED]
> Subject: RE: New trojan turns home PCs into porno Web site hosts
> 
> 
> I have a question, since I don't know as much as I'd like to about the
> way the internet works...
> 
> You said that the victim's machine runs a DNS. But wouldn't you have to
> wait for other Domain Name Servers to update before the page would be
> viewable, like the ISP's DNS and the DNS's pointing to that one and so
> on. That takes +/- 24Hrs doesn't it....?
> 
> So how can the page remain viewable if it changes hosts every 10
> minutes..???
> 
> _James
> 
> 
> 
> 
> On Mon, 2003-07-14 at 20:07, Paul Kurczaba wrote:
> > What is the name of the virus? Is it described on mcafee.com or
> > symantec.com?
> > 
> > Paul
> > 
> > -----Original Message-----
> > From: David Vertie [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, July 13, 2003 2:45 AM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE: New trojan turns home PCs into porno Web site hosts
> > 
> > 
> > You are right ge. The scans on ADSL lines and cable lines are annoying. I
> > have ADSL here, and on the first day, I connected my Linux box to the
> > internet and loaded its filtering rules, I was seeing a huge influx of
> > scans coming to my box with spoof packets, attempted teardrop attacks and
> > some weird stuff too.
> > 
> > Can't say I saw it coming. Lots of home PCs are connected to the internet
> > get themselves cracked because they aren't very protected, and as a
> > result, cause a nice percentage of problems on the internet.
> > 
> > About the real issue at hand. Report it to authorities, and try to find
> > the ISPs of the home IPs being used and see if they will help out. That is
> > about all that I can add to ge's post.
> > 
> > David
> > 
> > 
> > >From: "ge" <[EMAIL PROTECTED]>
> > >To: "'[EMAIL PROTECTED] COM'" <[EMAIL PROTECTED]>
> > >Subject: RE: New trojan turns home PCs into porno Web site hosts
> > >Date: Fri, 11 Jul 2003 22:05:33 -0700
> > >
> > > > Some individual appears to have hijacked more than a 1,000 home
> > > > computers starting in late June or early July and has been installing
> > > > a new trojan horse program on them.
> > >
> > >Let us consider ourselves lucky. That is an extremely low number.
> > >
> > > > To make it more difficult for these web sites to be shut down, a
> > > > single home computer is used for only 10 minutes to host a site.  After
> > > > 10 minutes, the IP address of the Web site is changed to a different
> > > > home computer.  The hacker is able to do this quick switching because
> > > > he has installed DNS name servers for his domains on other home
> > > > computers under his control.  The DNS name servers specify that a hostname
> > > > to-IP-address mapping should only live for 10 minutes.
> > >
> > >As I see it, someone in the states should file a complaint with the FBI
> > >(if one has not already been charged) and they can handle this guy. If
> > >not, the best way, as I see it, is to check where the Trojan gets the
> > >information it uses from, a.k.a. where it connects. Should give you the
> > >right IP for abuse mail. If you get rid of that one IP, you effectively
> > >get rid of the thousand infected machines.
> > >
> > > > Some of the domain names used by the Web sites of the trojan are:
> > > >
> > > >    onlycoredomains.com
> > > >    pizdatohosting.com
> > > >    bigvolumesites.com
> > > >    wolrdofpisem.com
> > > >    arizonasiteslist.com
> > > >    nomorebullshitsite.com
> > > >    linkxxxsites.com
> > >
> > >Here's a place to start with the abuse mails, find out what ISP hosts
> > >them and cross your fingers they won't send your emails to /dev/null.
> > >
> > > > It is not known at the present time how the trojan gets installed on
> > > > people's computers.  My theory is that the Sobig.e virus might be
> > > > involved, but the evidence is not strong at the moment.
> > >
> > >The DSL and Cable IP ranges get scanned _even_ more than the rest of
> > >the world. Anybody remembers that paper that stated a computer would
> > >get scanned 36 hours after it establishes a connection to the Internet?
> > >Well, I am on ADSL with my home machine, and surprisingly enough I got
> > >hit the second I switched to ADSL and I get ten to fifteen scans a
> > >minute. That said not mentioning being a secondary victims to kiddies
> > >using these IP ranges to spoof attacks (ICMP echo 3).
> > >
> > > > Richard M. Smith
> > > > http://www.ComputerBytesMan.com
> > >
> > >
> > >       Gadi (i.e. ge),
> > >       [EMAIL PROTECTED]
> > >
> > >--------
> > >[EMAIL PROTECTED]
> > >PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
> > >Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
> > >
> > >
> > 
> > 
> 
> 
> 
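
An added example, not part of the original thread: the 10-minute TTL and rotating host addresses described in the quoted report leave a recognizable pattern in resolver logs. The code below flags names whose A records carry a short TTL and map to several distinct addresses within an hour; the sample records, the `.example` names and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed observations (unix_time, name, answer_ip, ttl_seconds); not real data.
SAMPLE = [
    (0,    "flux.example",   "198.51.100.10", 600),
    (600,  "flux.example",   "203.0.113.25",  600),
    (1200, "flux.example",   "192.0.2.77",    600),
    (1800, "flux.example",   "198.51.100.91", 600),
    (0,    "static.example", "192.0.2.1",     86400),
    (1800, "static.example", "192.0.2.1",     86400),
    (0,    "cdn.example",    "192.0.2.50",    300),
    (900,  "cdn.example",    "192.0.2.51",    300),
]

def flag_fast_flux(records, max_ttl=600, min_ips=3, window=3600):
    """Map each suspicious name to the distinct IPs seen in its busiest window.

    A name is flagged when answers with TTL <= max_ttl point to at least
    min_ips different addresses inside any span of `window` seconds.
    """
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        if ttl <= max_ttl:  # a long TTL keeps caches pinned, so it cannot rotate this fast
            by_name[name.lower().rstrip(".")].append((ts, ip))

    flagged = {}
    for name, obs in by_name.items():
        obs.sort()
        best = set()
        # Slide a window starting at each observation and keep the largest IP set.
        for i, (start, _) in enumerate(obs):
            ips = {ip for ts, ip in obs[i:] if ts - start < window}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_ips:
            flagged[name] = sorted(best)
    return flagged

if __name__ == "__main__":
    for name, ips in flag_fast_flux(SAMPLE).items():
        print(f"{name}: {len(ips)} addresses within an hour -> {ips}")
```

Short TTLs are also common on load-balanced and CDN-hosted names, so a hit is a lead to investigate rather than a verdict.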
