From owner-freebsd-security Mon Jul 13 01:31:02 1998
From: "Neil Long"
Message-Id: <980713093039.ZM5809@ratbert.oucs.ox.ac.uk>
Date: Mon, 13 Jul 1998 09:30:39 +0100
In-Reply-To: Hallam Oaks P/L list account "DNS zone xfers from random(?) sites" (Jul 10, 9:59pm)
References: <199807101158.VAA15030@mail.aussie.org>
To: Hallam Oaks P/L list account, "freebsd-security@FreeBSD.ORG"
Subject: Re: DNS zone xfers from random(?) sites

I would be willing to bet a beer that this is a direct consequence of the release of 'mscan' - check out www.rootshell.com or just about any exploit site. This nifty little tool is a pain in the ... and can be set to scan all hosts by country, etc - so the transfers are probably arising when they scan .au and it goes and gets all the hosts by zone transfers (or other means). The tool will then scan for most of the current known holes by OS (determined primarily by the telnet banner content - hint!), we see lots of them.
Attempts to use the results of the probes (it does not attack the weaknesses found) may then come from the same host doing the scan or some other one. I am a little surprised that CERT/CC haven't released a bulletin on this yet. Best advice I can offer is to get it and use it on your own domain to see what is 'on offer' and then change the default telnetd banner login which limits the impact of this particular tool - there are of course lots of other ways of getting the host OS on default setups.

Regards
Neil

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Dr Neil J Long, Computing Services, University of Oxford
* Banbury Road, Oxford, OX2 6NN, UK
* Tel: +44 1865 273232 Fax: +44 1865 273275
* EMail: Neil.Long@computing-services.oxford.ac.uk
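The thread's concern is zone transfers handed out to arbitrary hosts. As an added example (not part of the original message or any tool it mentions), here is a small audit script that reads a name server's transfer log, reports successful AXFR/IXFR transfers to hosts outside an assumed list of legitimate secondaries, and separately counts refused attempts, which are the signature of a country-wide sweep. The log lines are constructed in BIND's style; the regexes are an assumption about that format and the secondary addresses are documentation ranges to replace with your own.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed list of hosts legitimately allowed to pull the zone (your
# secondaries). Documentation addresses only; replace with your own.
ALLOWED_SECONDARIES = [ip_network("192.0.2.10/32"), ip_network("198.51.100.0/24")]

# Patterns modelled on BIND's zone-transfer log messages (assumption:
# the exact wording varies between BIND versions; adjust to your logs).
AXFR_STARTED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"transfer of '(?P<zone>[^']+)': (?P<kind>AXFR|IXFR) started"
)
XFER_DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"zone transfer '(?P<zone>[^']+)' denied"
)

def audit_transfers(lines, allowed=ALLOWED_SECONDARIES):
    """Return (unexpected, denied): transfers that succeeded to a client not in
    `allowed` (the zone was handed out), and transfers the server refused."""
    unexpected, denied = [], []
    for line in lines:
        m = AXFR_STARTED.search(line)
        if m:
            ip = ip_address(m.group("ip"))
            if not any(ip in net for net in allowed):
                unexpected.append((str(ip), m.group("zone")))
            continue
        m = XFER_DENIED.search(line)
        if m:
            denied.append((m.group("ip"), m.group("zone")))
    return unexpected, denied

# Constructed sample log lines in BIND's style, for demonstration only.
SAMPLE_LOG = [
    "13-Jul-1998 09:12:01.110 xfer-out: info: client 192.0.2.10#53412: transfer of 'example.edu.au/IN': AXFR started",
    "13-Jul-1998 09:13:44.802 xfer-out: info: client 203.0.113.77#40211: transfer of 'example.edu.au/IN': AXFR started",
    "13-Jul-1998 09:13:45.001 xfer-out: info: client 203.0.113.77#40212: transfer of 'sub.example.edu.au/IN': AXFR started",
    "13-Jul-1998 09:20:09.330 security: error: client 203.0.113.78#3003: zone transfer 'example.edu.au/IN' denied",
    "13-Jul-1998 09:21:00.000 general: info: zone example.edu.au/IN: loaded serial 1998071301",
]

if __name__ == "__main__":
    leaked, refused = audit_transfers(SAMPLE_LOG)
    print("zones handed to unexpected hosts:", leaked)
    print("refused transfer attempts:", refused)
```

A non-empty first list means the zone is already in a stranger's hands, so restricting transfers (e.g. BIND's `allow-transfer`) is the fix; a long second list on its own tells you a sweep is under way but nothing was given out.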