Security Incidents mailing list archives
Re: DNS update queries: another sort of suspicious activity.
From: secure () SECUREAUSTIN COM (H D Moore)
Date: Thu, 10 Feb 2000 10:35:34 -0600
Hi,

A while back the admins of DynDNS.org posted a message stating that Win2K machines were automatically trying to update their DNS records. Was the machine running Windows 2000?

-HD

"Flynn, Harold M. III" wrote:
I had a similar incident myself, although this was involving an NT 4.0 machine, if I remember correctly. I received mail from an SA out in California with the IP address of one of the customers on the network, stating he'd been receiving numerous update attempts on one of the domains he was hosting at his site. After a look through the accounting logs, I figured out who it was, and gave him a call. We got an idea of what was going on from what he was running there at the house. Apparently, he had a domain hosted at the shop out in CA, and was pulling down the mail from the domain to his house. For some reason, the machine (obviously misconfigured) was attempting to send domain updates. By looking at logs, every time he'd connect, he'd send a DNS update to his hosting service every 2 or 3 minutes. This would occur for the duration of his connection (over dialup). I thought he might have been trying to make some sort of DynDNS updates as well, but never could confirm that, as he fixed the problem, and I left the shop shortly thereafter.
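As an added example (not part of the thread), a small Python detector for the behaviour described above: it parses raw DNS messages to pick out dynamic UPDATE requests (opcode 5, RFC 2136) and flags a source that keeps sending them for the same zone every few minutes, the pattern a misconfigured client produces. The packet tuples, zone name and addresses are constructed sample input.

```python
import struct
from collections import defaultdict

OPCODE_UPDATE = 5  # DNS UPDATE opcode, RFC 2136

def parse_name(data, offset):
    """Decode an uncompressed DNS name (length-prefixed labels) at offset."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointer: not expected for the zone name of an UPDATE
            raise ValueError("unexpected compression pointer in zone section")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def build_message(txid, name, opcode=0):
    """Build a minimal DNS message with one question/zone entry (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, opcode << 11, 1, 0, 0, 0)
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    rrtype = 6 if opcode == OPCODE_UPDATE else 1       # SOA for a zone entry, A for a query
    return header + wire + struct.pack("!HH", rrtype, 1)  # class IN

def update_zone(payload):
    """Return the target zone if payload is an UPDATE request, else None."""
    if len(payload) < 12:
        return None
    _, flags, zocount = struct.unpack("!HHH", payload[:6])
    is_request = (flags >> 15) == 0  # QR bit clear
    if not is_request or (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None
    zone, _ = parse_name(payload, 12)
    return zone

def find_update_floods(packets, max_gap=180, min_count=3):
    """Flag (src_ip, zone) pairs sending >= min_count UPDATEs no more than max_gap s apart."""
    seen = defaultdict(list)
    for ts, src, payload in packets:  # packets: iterable of (timestamp, src_ip, raw DNS payload)
        zone = update_zone(payload)
        if zone is not None:
            seen[(src, zone)].append(ts)
    floods = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_count and all(g <= max_gap for g in gaps):
            floods[key] = len(stamps)  # number of updates seen at that steady cadence
    return floods
```

Feed it the UDP/53 payloads from a capture on the authoritative server and a flagged pair points at the client (and the zone) to look at, before any rate-limiting or firewalling of port 53 is considered.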
Current thread:
- Re: DNS update queries: another sort of suspicious activity. Flynn, Harold M. III (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. H D Moore (Feb 10)
- <Possible follow-ups>
- Re: DNS update queries: another sort of suspicious activity. Rob Quinn (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. Kevin (Sparty) Broderick (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. Bill Royds (Feb 01)
- Re: DNS update queries: another sort of suspicious activity. Data_surge (Feb 03)