Date: Wed, 31 Jan 2001 00:42:34 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: dlacroix@cowpie.acm.vt.edu (David La Croix)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Bind: unapproved query (version.bind) Script kiddies?
Message-ID: <200101310842.AAA17048@gndrsh.dnsmgr.net>
In-Reply-To: <200101302245.RAA12443@cowpie.acm.vt.edu> from David La Croix at "Jan 30, 2001 04:45:04 pm"
Given I just saw 208.44.147.11 pile up in my logfiles I can say we have an
active script kiddy. He is searching for broken named's and hitting large
areas of IP space (this is just one burst in my logs:)

/var/log/security.0.gz:Jan 30 07:45:46 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3120 X.X.X.0:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:46 br1 /kernel: ipfw: 10532 Accept TCP 208.44.147.11:3124 X.X.X.4:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3501 X.X.X.127:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3584 X.X.X.159:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3585 X.X.X.160:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3717 X.X.X.191:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3718 X.X.X.192:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3901 X.X.X.223:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3902 X.X.X.224:53 in via ng0

> I just noticed the following in my logfiles: (/var/log/messages)
>
> it was running Bind 8.2.2-
>
> Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
> [repeat 23 more times from the same IP]
>
> Jan 27 01:44:42 mildred named[41908]: unapproved query from [208.139.163.15].2734 for "version.bind"
> [repeat 32 more times from the same IP]
>
> Could this be script kiddie activity? This was before I upgraded to 8.2.3,
> and before the CERT alert came out.
>
> What I don't get is why the unapproved query repeated so many times, within
> (according to the timestamp) 3 seconds on both occasions.
>
> I will note: this activity goes back through about November of 2000,
> seemingly from different IP addresses.
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                      rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
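The burst Rod describes above (one source address touching many addresses in a block on port 53 within a few seconds, most of them denied, one accepted) is the kind of pattern worth flagging automatically rather than spotting by eye in `/var/log/security`. The following is an added example, not code from the thread or from FreeBSD: it parses lines in the ipfw kernel-log format shown in the message and reports any source that reached a threshold of distinct port-53 destinations inside a sliding time window. The sample log lines are constructed from RFC 5737 documentation addresses, the year is an assumption (ipfw syslog lines carry none), and the threshold and window values are arbitrary starting points.

```python
"""Flag port-53 sweeps in FreeBSD ipfw log lines (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ipfw kernel-log format as it appears in the message:
#   "<Mon> <day> <hh:mm:ss> <host> /kernel: ipfw: <rule> <Deny|Accept> <proto> <src>:<sport> <dst>:<dport> in via <if>"
# re.search() is used so a grep-style "/var/log/security.0.gz:" prefix is tolerated.
IPFW_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ /kernel: ipfw: (?P<rule>\d+) (?P<action>Deny|Accept) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: one source sweeping six addresses on tcp/53 in three
# seconds (one Accept among the Denies), one unrelated UDP/53 query, one port-80 hit.
SAMPLE_LOG = """\
Jan 30 07:45:46 br1 /kernel: ipfw: 650 Deny TCP 198.51.100.7:3120 192.0.2.0:53 in via ng0
Jan 30 07:45:46 br1 /kernel: ipfw: 10532 Accept TCP 198.51.100.7:3124 192.0.2.4:53 in via ng0
Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 198.51.100.7:3501 192.0.2.127:53 in via ng0
Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 198.51.100.7:3584 192.0.2.159:53 in via ng0
Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 198.51.100.7:3717 192.0.2.191:53 in via ng0
Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 198.51.100.7:3718 192.0.2.192:53 in via ng0
Jan 30 07:50:01 br1 /kernel: ipfw: 10532 Accept UDP 198.51.100.20:5353 192.0.2.4:53 in via ng0
Jan 30 08:12:33 br1 /kernel: ipfw: 650 Deny TCP 198.51.100.9:40001 192.0.2.4:80 in via ng0
""".splitlines()


def parse_line(line, year=2001):
    """Parse one ipfw log line into a dict, or return None if it is not one.

    The year is not present in syslog timestamps; 2001 (the year of the
    thread) is assumed by default and only matters for ordering events.
    """
    m = IPFW_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "rule": int(m["rule"]), "action": m["action"],
        "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def find_sweeps(lines, port=53, min_targets=5, window=timedelta(seconds=10)):
    """Return {src: sorted distinct dsts} for every source that hit at least
    min_targets distinct destinations on `port` within any `window`.

    Deny and Accept lines both count: the Accept is the open resolver the
    scanner was looking for, so dropping it would hide the interesting hit.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()  # time-ordered; sliding window over (ts, dst) pairs
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({dst for _, dst in events[lo:hi + 1]}) >= min_targets:
                sweeps[src] = sorted({dst for _, dst in events})
                break
    return sweeps


if __name__ == "__main__":
    for src, targets in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(targets)} hosts on tcp/udp 53: {', '.join(targets)}")
```

Run against a real `/var/log/security` the thresholds need tuning to the size of the address block behind the firewall: a busy authoritative server legitimately answers many sources, but a single source reaching many distinct addresses on port 53 in seconds is what distinguishes a sweep from traffic.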