Security Incidents mailing list archives

Re: DNS update queries: another sort of suspicious activity.

From: fygrave () TIGERTEAM NET (Fyodor)
Date: Fri, 28 Jan 2000 23:20:08 +0300


On Fri, 28 Jan 2000, Patrick Oonk wrote:

~ Fydor,
~
~ this seems to be a 'feature' of Windows 2000.
~ If you had portscanned the offending box you might
~ have seen it was a Win2k box.
~

Wow.. then it must be full of surprises. :) Notice that 192.168.0.4 is a
non-routable IP address, so it could be someone's sick firewall which
allowed the iternal network to send sick UDP datagrams out.

cheers,
 -F

Current thread:

Re: Korea (again), (continued)
- - - Re: Korea (again) Rob Quinn (Jan 28)
    - Re: Korea (again) Granquist, Lamont (Jan 27)
    - Re: Korea (was RE: ?) horio shoichi (Jan 26)
    - Re: Korea (was RE: ?) David Brumley (Jan 27)
    - Re: Korea (was RE: ?) Patrick Oonk (Jan 28)
    - Re: Korea (was RE: ?) Arrigo Triulzi (Jan 28)
    - Re: Korea (was RE: ?) Dug Song (Jan 28)
    - Re: Korea (was RE: ?) Patrick Oonk (Jan 28)
    - DNS update queries: another sort of suspicious activity. Fyodor (Jan 28)
    - Re: DNS update queries: another sort of suspicious activity. Patrick Oonk (Jan 28)
    - Re: DNS update queries: another sort of suspicious activity. Fyodor (Jan 28)
    - Re: DNS update queries: another sort of suspicious activity. Patrick Oonk (Jan 28)
    - Recent Scans Edwin Covert (Jan 28)
    - Re: DNS update queries: another sort of suspicious activity. Rob Quinn (Jan 31)
    - Re: Socks port 1080 Randy Mclean (Jan 21)
    - Re: Socks port 1080 Richard Bejtlich (Jan 21)
    - Unusual Netstat Listing Rob (Jan 22)