Security Incidents mailing list archives
Re: ?
From: bsides () TOWERY COM (Brock Sides)
Date: Mon, 24 Jan 2000 21:18:32 -0600
It means that someone tried to do a zone transfer (i.e. get a list of all names and IPs associated with a domain, which you can do with "ls example.com" in nslookup) and your name server refused to comply, because of an allow-transfer directive in your named.conf file:

    options {
        directory "/var/named";
        allow-transfer { 208.16.202/24; };
    };

This directive limits hosts that can do a zone transfer to the local network.

Either someone at 210.179.238.50 was snooping around, or there's a name server on 210.179.238.50 that thinks it's supposed to be a slave for "here.my.domain", and it's pointed to your machine as master. Unless you've made arrangements to have a slave nameserver in Korea, I'd say someone's snooping around.

I had a similar attempted transfer yesterday from 210.218.252.150, also in Korea. They're both hosts running Linux and vulnerable ftp daemons: my guess is they've been compromised. (Not necessarily via ftpd; but if you see a vulnerable ftp daemon running on a host, it's a good sign that security is lax.)

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com

On Mon, 24 Jan 2000, C. wrote:

> What is this? This is from my logs:
>
> Jan 22 16:48:53 main named[102]: unapproved AXFR from [210.179.238.50].4721 for "here.my.domain" (acl)
>
> any idea?
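
One way to pull these refusals out of syslog and group them by source, as an added example that is not part of the original message. The regular expression follows the single log line quoted above; the other sample lines are constructed, and ALLOWED assumes the options-level allow-transfer shown in the reply is the only one in effect.

```python
import ipaddress
import re

# Assumption: the page's "208.16.202/24" written out in full.
ALLOWED = [ipaddress.ip_network("208.16.202.0/24")]

# Matches the refusal line format quoted in the message above.
AXFR_RE = re.compile(
    r'named\[\d+\]: unapproved AXFR from \[(?P<ip>[0-9.]+)\]\.\d+ '
    r'for "(?P<zone>[^"]+)"'
)

def parse_refusal(line):
    """Return (source address, zone) for a refused-transfer line, else None."""
    m = AXFR_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("ip")), m.group("zone")
    except ValueError:
        return None  # bracketed field was not a valid IPv4 address

def summarize(lines, allowed=ALLOWED):
    """Group refusals by source: attempt count, zones asked for, ACL membership."""
    report = {}
    for line in lines:
        hit = parse_refusal(line)
        if hit is None:
            continue
        ip, zone = hit
        entry = report.setdefault(str(ip), {
            "count": 0, "zones": set(),
            # A refusal from inside ALLOWED means the running config is not
            # the one assumed here (e.g. a per-zone allow-transfer).
            "in_acl": any(ip in net for net in allowed)})
        entry["count"] += 1
        entry["zones"].add(zone)
    return report

def external_sources(report):
    """Sources outside the transfer ACL: the ones worth looking into."""
    return sorted(ip for ip, e in report.items() if not e["in_acl"])

SAMPLE = [  # first line is from the message above; the rest are constructed
    'Jan 22 16:48:53 main named[102]: unapproved AXFR from [210.179.238.50].4721 for "here.my.domain" (acl)',
    'Jan 22 16:49:10 main named[102]: unapproved AXFR from [210.179.238.50].4730 for "here.my.domain" (acl)',
    'Jan 23 03:12:01 main named[102]: unapproved AXFR from [210.218.252.150].1033 for "here.my.domain" (acl)',
    'Jan 23 03:15:44 main named[102]: unapproved AXFR from [208.16.202.9].1500 for "here.my.domain" (acl)',
    'Jan 23 04:00:00 main named[102]: Cleaned cache of 12 RRs',
]
```
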