Security Incidents mailing list archives

Re: DNS update queries: another sort of suspicious activity.


From: secure () SECUREAUSTIN COM (H D Moore)
Date: Thu, 10 Feb 2000 10:35:34 -0600


Hi,

A while back the admins of DynDNS.org posted a message stating that
Win2K machines were automatically trying to update their DNS records.
Was the machine running Windows 2000?

-HD

"Flynn, Harold M. III" wrote:

I had a similar incident myself, although this was involving an NT 4.0
machine, if I remember correctly.

I received mail from an SA out in California with the IP address of one of
the customers on the network, stating he'd been receiving numerous update
attempts on one of the domains he was hosting at his site.  After a look
through the accounting logs, I figured out who it was, and gave him a call.

We got an idea of what was going on from what he was running there at the
house.  Apparently, he had a domain hosted at the shop out in CA, and was
pulling down the mail from the domain to his house.  For some reason, the
machine (obviously misconfigured) was attempting to send domain updates.  By
looking at logs, every time he'd connect, he'd send a DNS update to his
hosting service every 2 or 3 minutes.  This would occur for the duration of
his connection (over dialup).

I thought he might have been trying to make some sort of DynDNS updates as
well, but never could confirm that, as he fixed the problem, and I left the
shop shortly thereafter.
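The pattern both posters describe, a single client sending a refused dynamic update to someone else's zone every few minutes for as long as it is online, is easy to pick out of a name server's log once the denied updates are grouped by source and zone. The script below is an added example for this archive page, not code from either poster; it assumes BIND 9 style "update ... denied" lines (the sample lines, hosts and timestamps are constructed, and the thresholds `min_count` and `max_jitter` are arbitrary choices), and it flags a source as "periodic" when it has retried at roughly regular intervals.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in BIND 9 "security" channel style. The format is
# an assumption for this example; the addresses and times are invented.
SAMPLE_LOG = """\
10-Feb-2000 08:00:02.114 security: info: client 192.0.2.10#1027: update 'example.org/IN' denied
10-Feb-2000 08:02:57.880 security: info: client 192.0.2.10#1028: update 'example.org/IN' denied
10-Feb-2000 08:05:59.431 security: info: client 192.0.2.10#1029: update 'example.org/IN' denied
10-Feb-2000 08:09:01.002 security: info: client 192.0.2.10#1030: update 'example.org/IN' denied
10-Feb-2000 08:11:58.770 security: info: client 192.0.2.10#1031: update 'example.org/IN' denied
10-Feb-2000 09:41:12.005 security: info: client 198.51.100.7#3344: update 'example.net/IN' denied
"""

# Matches one denied dynamic update and captures the timestamp, client and zone.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ security: \w+: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^']+)' denied$"
)


def parse_denied_updates(text):
    """Return a list of (timestamp, client_ip, zone) for every denied UPDATE in the log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("zone")))
    return events


def summarize(events, min_count=3, max_jitter=60):
    """Group denied updates by (client, zone) and flag sources that retry on a schedule.

    A (client, zone) pair is "periodic" when it has at least min_count attempts and
    every gap between consecutive attempts lies within max_jitter seconds of the
    median gap, i.e. the client is re-sending the same update on a timer.
    Returns {(ip, zone): {"count", "median_interval_s", "periodic"}}.
    """
    by_source = defaultdict(list)
    for ts, ip, zone in events:
        by_source[(ip, zone)].append(ts)

    report = {}
    for key, stamps in by_source.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        periodic = (
            len(stamps) >= min_count
            and bool(gaps)
            and all(abs(g - med) <= max_jitter for g in gaps)
        )
        report[key] = {"count": len(stamps), "median_interval_s": med, "periodic": periodic}
    return report


if __name__ == "__main__":
    for (ip, zone), info in summarize(parse_denied_updates(SAMPLE_LOG)).items():
        flag = "PERIODIC" if info["periodic"] else "one-off"
        print(f"{ip:16} {zone:18} attempts={info['count']:3} "
              f"median_gap={info['median_interval_s']} {flag}")
```

On the constructed input the first host shows up as five attempts about three minutes apart and is flagged, while the single attempt from the second host is not. On a real server the interesting follow-up is the same one Harold took: map the flagged client address back through accounting or DHCP records to the machine, since the fix is on the client (a host that believes it owns the zone), not on the server that is correctly refusing the update.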

