Security Incidents mailing list archives

Re: ?


From: bsides () TOWERY COM (Brock Sides)
Date: Mon, 24 Jan 2000 21:18:32 -0600


It means that someone tried to do a zone transfer (i.e. get a list of all
names and IPs associated with a domain, which you can do with "ls
example.com" in nslookup) and your name server refused to comply,
because of an allow-transfer directive in your named.conf file:

options {
        directory "/var/named";
        allow-transfer {
                208.16.202/24;
        };
};

This directive limits hosts that can do a zone transfer to the local
network.

Either someone at 210.179.238.50 was snooping around, or there's a name
server on 210.179.238.50 that thinks it's supposed to be a slave for
"here.my.domain", and it's pointed to your machine as master.

Unless you've made arrangements to have a slave nameserver in Korea, I'd
say someone's snooping around.

I had a similar attempted transfer yesterday from 210.218.252.150, also in
Korea. They're both hosts running Linux and vulnerable ftp daemons: my guess
is they've been compromised. (Not necessarily via ftpd; but if you see a
vulnerable ftp daemon running on a host, it's a good sign that security is
lax.)

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com

On Mon, 24 Jan 2000, C. wrote:

What is this?
This is from my logs:

Jan 22 16:48:53 main named[102]: unapproved AXFR from
[210.179.238.50].4721 for "here.my.domain" (acl)

any idea?
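An added example, not part of the thread: a small Python triage script that parses BIND's "unapproved AXFR" log lines like the one above and separates refusals from unknown hosts (snooping) from refusals from networks your allow-transfer ACL is supposed to permit (a misconfigured secondary). The allowed network 208.16.202.0/24 and the second and third sample log lines are assumptions.

```python
import re
import ipaddress

# Matches the BIND "unapproved AXFR" message quoted in the thread, e.g.
#   Jan 22 16:48:53 main named[102]: unapproved AXFR from [210.179.238.50].4721 for "here.my.domain" (acl)
AXFR_REFUSED = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: '
    r'unapproved AXFR from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) '
    r'for "(?P<zone>[^"]+)" \(acl\)$'
)

def parse_refused_axfr(line):
    """Return a dict (ts, host, src, port, zone) for a refused-AXFR line, else None."""
    m = AXFR_REFUSED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def triage_refused_axfr(lines, allowed_secondaries):
    """Split refused transfers into 'snooping' and 'misconfigured'.
    allowed_secondaries holds the networks your allow-transfer ACL is meant to
    permit (e.g. "208.16.202.0/24", an assumed value). A refusal from outside
    them is an unsolicited transfer attempt; a refusal from inside them means a
    host that should be a secondary is being blocked, i.e. the ACL or host is wrong.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_secondaries]
    snooping, misconfigured = [], []
    for line in lines:
        rec = parse_refused_axfr(line)
        if rec is None:          # other named messages are ignored
            continue
        addr = ipaddress.ip_address(rec["src"])
        (misconfigured if any(addr in n for n in nets) else snooping).append(rec)
    return snooping, misconfigured

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = [
    'Jan 22 16:48:53 main named[102]: unapproved AXFR from [210.179.238.50].4721 for "here.my.domain" (acl)',
    'Jan 23 09:02:11 main named[102]: unapproved AXFR from [208.16.202.7].1034 for "here.my.domain" (acl)',
    'Jan 23 09:05:00 main named[102]: some unrelated message',
]

if __name__ == "__main__":
    snoop, misconf = triage_refused_axfr(SAMPLE_LOG, ["208.16.202.0/24"])
    for r in snoop:
        print(f'unsolicited AXFR for "{r["zone"]}" from {r["src"]}:{r["port"]} at {r["ts"]}')
    for r in misconf:
        print(f'AXFR from permitted network refused ({r["src"]}): check allow-transfer')
```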




Current thread: