Date: Tue, 30 Jan 2001 14:52:00 -0800
From: Jason DiCioccio <Jason.DiCioccio@Epylon.com>
To: 'David La Croix' <dlacroix@cowpie.acm.vt.edu>, freebsd-security@freebsd.org
Subject: RE: Bind: unapproved query (version.bind) Script kiddies?
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0243C6@goofy.epylon.lan>
I would say it definitely is ;)

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main
Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com
BSD is for people who love Unix -
Linux is for people who hate Microsoft

-----Original Message-----
From: David La Croix [mailto:dlacroix@cowpie.acm.vt.edu]
Sent: Tuesday, January 30, 2001 2:45 PM
To: freebsd-security@freebsd.org
Subject: Bind: unapproved query (version.bind) Script kiddies?

I just noticed the following in my logfiles (/var/log/messages); it was running Bind 8.2.2:

Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
[repeat 23 more times from the same IP]

Jan 27 01:44:42 mildred named[41908]: unapproved query from [208.139.163.15].2734 for "version.bind"
[repeat 32 more times from the same IP]

Could this be script kiddie activity? This was before I upgraded to 8.2.3, and before the CERT alert came out.

What I don't get is why the unapproved query repeated so many times, within (according to the timestamp) 3 seconds on both occasions.

I will note: this activity goes back through about November of 2000, seemingly from different IP addresses.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
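The burst pattern David describes (dozens of "version.bind" queries from one source inside a few seconds) is easy to pick out of BIND 8 syslog output. The following is an added example, not code from this thread: it parses "unapproved query" lines in the format quoted above, groups them by source address, and flags sources that repeat the version query within a short window. The sample lines are constructed (RFC 5737 documentation addresses), and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the BIND 8 syslog format quoted in the thread
# (documentation addresses, not the ones from the post).
SAMPLE_LOG = """\
Jan 26 22:37:43 mildred named[41908]: unapproved query from [192.0.2.10].1584 for "version.bind"
Jan 26 22:37:44 mildred named[41908]: unapproved query from [192.0.2.10].1585 for "version.bind"
Jan 26 22:37:46 mildred named[41908]: unapproved query from [192.0.2.10].1586 for "version.bind"
Jan 27 01:44:42 mildred named[41908]: unapproved query from [198.51.100.7].2734 for "version.bind"
Jan 27 09:12:01 mildred named[41908]: lame server resolving 'example.test' (in 'test'?)
"""

# "version.bind" is the CHAOS-class TXT name clients use to read the
# server's version string; BIND 8 logs it as an "unapproved query" when
# the query is denied.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: '
    r'unapproved query from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<name>[^"]+)"$'
)


def parse_unapproved(lines, year=2001):
    """Return (timestamp, source_ip, source_port, qname) for matching lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not an "unapproved query" line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], int(m["port"]), m["name"]))
    return events


def summarize_by_source(events, name="version.bind"):
    """Per source IP: how many queries for `name` and the span they cover."""
    by_ip = defaultdict(list)
    for ts, ip, _port, qname in events:
        if qname.lower() == name:
            by_ip[ip].append(ts)
    summary = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        summary[ip] = {"count": len(stamps), "span_seconds": span}
    return summary


def flag_bursts(summary, min_count=3, max_span=5.0):
    """Sources that fired at least min_count version queries within max_span seconds."""
    return sorted(ip for ip, s in summary.items()
                  if s["count"] >= min_count and s["span_seconds"] <= max_span)
```

Each burst line shows a different source port, which is consistent with a scanner sending several independent queries in quick succession rather than one retried query.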