Date:      Mon, 13 Jul 1998 12:05:43 +1000
From:      "Hallam Oaks P/L list account" <maillist@oaks.com.au>
To:        "sthaug@nethelp.no" <sthaug@nethelp.no>
Cc:        "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject:   Re: DNS zone xfers from random(?) sites
Message-ID:  <199807130205.MAA22491@mail.aussie.org>

>We've seen attacks that were directly correlated to zones files being
>transferred. Fetch one zone file with a lot of delegations (12000 or so),
>and then (a few minutes later) target all the name servers in this zone
>file with pop3/imap/portmap/whatever attacks. Additionally, attempt to

Hmmm ... this is interesting. Just a few days ago I saw this ...

ipfw: 4110 Deny TCP 137.166.79.129:1852 139.130.xx.xxx:79 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1852 139.130.xx.xxx:79 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1858 139.130.xx.xxx:23 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1858 139.130.xx.xxx:23 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1865 139.130.xx.xxx:80 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1865 139.130.xx.xxx:80 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1896 139.130.xx.xxx:53 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1896 139.130.xx.xxx:53 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0

Exactly two of each. The total time between the first and last was no more 
than 40 seconds. Possibly generated by a program of some sort. No person 
outside our site has the authority to access our POP3, IMAP, or TELNET 
services.

Does this pattern of port accesses seem familiar to anyone?

regards,

-- Chris
   Hallam Oaks P/L
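The twelve denied packets above share a source address and come two per source port, each pair aimed at one service port (finger, telnet, http, imap, dns, pop3). A dropped SYN is retransmitted from the same source port, so two denies per (source port, destination port) is what six single connection attempts look like from behind a firewall that answers nothing; six services probed in under 40 seconds from one host is a scan, not a user. The detector below is an added example written for this page, not code from the message or from FreeBSD: it assumes a syslog timestamp, host and program field in front of each ipfw line (the message shows the lines without one), builds its sample input from the log quoted above, collapses retransmitted pairs into one probe, and flags a source that hits five or more distinct ports on one destination inside a 60-second window. The thresholds, the sample timestamps and the second source address are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the twelve ipfw lines from the message above, prefixed
# with an assumed syslog timestamp, host and program field (the message shows
# them without one), plus two unrelated denies from another source so that the
# detector has something to leave alone. Destination host masked as in the post.
SAMPLE_LOG = """\
Jul  9 21:14:02 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1852 139.130.xx.xxx:79 in via tun0
Jul  9 21:14:05 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1852 139.130.xx.xxx:79 in via tun0
Jul  9 21:14:08 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1858 139.130.xx.xxx:23 in via tun0
Jul  9 21:14:11 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1858 139.130.xx.xxx:23 in via tun0
Jul  9 21:14:15 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1865 139.130.xx.xxx:80 in via tun0
Jul  9 21:14:18 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1865 139.130.xx.xxx:80 in via tun0
Jul  9 21:14:22 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
Jul  9 21:14:25 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
Jul  9 21:14:29 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1896 139.130.xx.xxx:53 in via tun0
Jul  9 21:14:32 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1896 139.130.xx.xxx:53 in via tun0
Jul  9 21:14:37 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
Jul  9 21:14:40 gw /kernel: ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
Jul  9 21:14:50 gw /kernel: ipfw: 4110 Deny UDP 203.0.113.7:53 139.130.xx.xxx:137 in via tun0
Jul  9 21:30:11 gw /kernel: ipfw: 4110 Deny TCP 203.0.113.7:4021 139.130.xx.xxx:25 in via tun0
"""

# Assumed line layout: "<syslog ts> <host> <program> ipfw: <rule> <action> <proto>
# <src>:<sport> <dst>:<dport> <in|out> via <iface>". Hosts are kept as strings so
# that masked addresses like 139.130.xx.xxx still parse.
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+"
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return a dict for one ipfw log line, or None if it is not one."""
    m = IPFW_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # Syslog timestamps carry no year; only the differences matter here.
    e["ts"] = datetime.strptime(" ".join(e["ts"].split()), "%b %d %H:%M:%S")
    for k in ("rule", "sport", "dport"):
        e[k] = int(e[k])
    return e


def find_port_sweeps(lines, min_ports=5, window_s=60):
    """Flag (src, dst) pairs that hit min_ports distinct ports within window_s.

    Denies with the same source and destination port are counted as one probe:
    a client whose first SYN is dropped retransmits it from the same source
    port, which is why the pairs in the log come "exactly two of each".
    """
    events = [e for e in map(parse_ipfw_line, lines) if e and e["action"] == "Deny"]
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        # Small logs: try every event as the start of a window and keep the
        # window with the most distinct destination ports.
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            ports = {e["dport"] for e in window}
            if best is None or len(ports) > len(best["ports"]):
                probes = defaultdict(int)
                for e in window:
                    probes[(e["sport"], e["dport"])] += 1
                best = {
                    "src": src,
                    "dst": dst,
                    "iface": first["iface"],
                    "ports": sorted(ports),
                    "hits": len(window),
                    "probes": len(probes),
                    "retransmit_pairs": sum(1 for n in probes.values() if n > 1),
                    "span_s": (window[-1]["ts"] - first["ts"]).total_seconds(),
                }
        if best and len(best["ports"]) >= min_ports:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_port_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']} via {f['iface']}: {f['probes']} probes "
              f"({f['hits']} denies, {f['retransmit_pairs']} retransmitted) on ports "
              f"{f['ports']} in {f['span_s']:.0f}s")
```

On the sample input the scanner is reported as six probes (twelve denies, all six retransmitted) on ports 23, 53, 79, 80, 110 and 143 within 38 seconds, while the two stray denies from the other address fall below the threshold. Raising `min_ports` or shrinking `window_s` trades sensitivity for fewer false positives; a real deployment would also want to key on the rule number so that log lines from a permissive rule are not mixed in.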






To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807130205.MAA22491>