1:27 PM

4 March 2005

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis:

Global DNS cache poisoning attack?

We are currently investigating a report from several sites that indicate users being re-directed to malware sites. At this time it appears to be a DNS cache poisoning attack (not a spyware, adware, or browser hijack) and we are seeking more information.

Popular domain names such as google.com, ebay.com, and weather.com are being directed to the following servers. Of course when connecting to these servers, “bad things” (tm) will happen, so don’t go to them.

www.7sir7.com (217.160.169.87)
123xxl.com (217.160.169.87, 207.44.240.79, 216.127.88.131)
abx4.com (217.160.169.87, 207.44.240.79, 216.127.88.131)
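An added example (not part of the ISC diary or this blog) of the check a resolver operator could run from the diary's own indicators: it resolves the named domains through the local stub resolver, flags any answer that matches the listed addresses, and separately reports addresses shared by unrelated domains, which is the pattern the diary describes (google.com, ebay.com and weather.com all landing on the same hosts). The domain list, the `resolver` injection hook and the sample answers in `__main__` are assumptions made for this example.

```python
import socket
from collections import defaultdict

# Indicator addresses quoted in the diary above.
POISON_IPS = {"217.160.169.87", "207.44.240.79", "216.127.88.131"}

# Domains the diary names as being redirected (assumed watch list; extend as needed).
WATCH_DOMAINS = ["google.com", "ebay.com", "weather.com"]


def resolve_all(domains, resolver=None):
    """Return {domain: set(addresses)}. Uses the local stub resolver via socket
    unless a resolver callable is injected (handy for testing offline)."""
    resolver = resolver or (lambda d: set(socket.gethostbyname_ex(d)[2]))
    answers = {}
    for domain in domains:
        try:
            answers[domain] = set(resolver(domain))
        except socket.gaierror:
            # Resolution failure is recorded as an empty answer set, not an error.
            answers[domain] = set()
    return answers


def match_indicators(resolutions, bad_ips=POISON_IPS):
    """Domains whose answers include a known poison address, with the matches."""
    return {d: addrs & bad_ips for d, addrs in resolutions.items() if addrs & bad_ips}


def collapsed_answers(resolutions, min_domains=2):
    """Addresses that several unrelated domains resolve to. Large, unrelated
    sites sharing one A record is the symptom of a poisoned cache."""
    by_ip = defaultdict(set)
    for domain, addrs in resolutions.items():
        for ip in addrs:
            by_ip[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


if __name__ == "__main__":
    # Constructed answers standing in for a poisoned cache; swap for
    # resolve_all(WATCH_DOMAINS) to query the real local resolver.
    sample = {"google.com": {"217.160.169.87"},
              "ebay.com": {"217.160.169.87", "207.44.240.79"},
              "weather.com": {"203.0.113.5"}}
    print("indicator hits:", match_indicators(sample))
    print("shared answers:", collapsed_answers(sample))
```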

If your site has been affected, please submit the following information:
1. When the attack was first noticed and whether it is still occurring.
2. What DNS server software you have facing the Internet. This information will be kept in strictest confidence.
3. If you identified any other sites that users were being re-directed to (besides the ones listed above).

Updates will be made to this diary as we find out more information.

This is: brett's logjam → March 4, 2005.