
I've noticed today that some of our company's clients' DNS servers were changed to 203.115.81.38 and 203.115.71.66 even though they were still using DHCP. I wonder if this is some sort of attack/malware etc. I have not been able to trace it down to anything yet, but I thought sharing the addresses would help if this is part of a wider problem. I'm running virus/malware scans on some of the computers and will update if I find anything useful.

Note: The DNS changes back to normal after a "ipconfig /renew"

Note 2: "Rogue Killer" found the source as "PUM.DNS". Looking to see how to remove it in mass scale.

user2629636
  • Update: whatever caused this has changed the registry setting "DHCPNameServer" under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters – user2629636 May 21 '15 at 18:57
    Those IP addresses are open resolvers in IP space owned by Pacenet India, so unless you can come up with a "good" explanation for why that change occurred I would be inclined to say this is something akin to [DNSChanger](https://en.wikipedia.org/wiki/DNSChanger). – Andrew B May 21 '15 at 18:59
  • Agreed about DNSChanger, I need to find out how it got to us. – user2629636 May 21 '15 at 19:09
  • That's not really answerable, and the best advice I can give you is to review the DNSChanger symptoms and expect similar until a CERT advisory or somesuch is published. A rogue DHCP server is possible (a la DNSChanger), but the initial vector into your network is anyone's guess and there are countless possibilities. – Andrew B May 21 '15 at 19:16
  • Yes, not really answerable, but it's good internet citizenship to report such occurrences as quickly as possible. Not only here, of course. If you're annoyed by it, please give me 2 days, I'll be happy to remove it. Unlike many people, I can't just ignore it and wait for somebody else to solve it for me. – user2629636 May 21 '15 at 19:30
  • Not annoyed, and I think the question serves your intended purpose even if it gets flagged as a duplicate. People will contribute comments where possible. – Andrew B May 21 '15 at 19:35
  • Also bear in mind that the exploit your company has been exposed to might be uniquely created for your company. Your Windows group policy service should be able to control/revert the registry entry, but you still need to figure out what the attack vector is. Could be email, webpage advert, some 0-day somewhere, rogue DHCP service, etc... – DutchUncle May 21 '15 at 20:04

0 Answers