Security Incidents mailing list archives

Re: Microsoft version.binding us now?


From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Thu, 22 Jun 2000 23:13:21 -0000


Hi everyone,

Do you remember the post below?  Take a look, and then 
consider this, posted to packetstorm.securify.com yesterday:

porkbind-1.1.tar.gz is a robust and recursive DNS server 
vulnerability scanner which retrieves version.bind 
information for the nameservers and produces a report. 
Homepage: http://zsh.interniq.org

Interesting!

Richard Bejtlich

--

I've seen the following scan on some servers I admin for the last
few days from not only 207.46.106.84 but also a couple other systems
in that /24 address space.  So far I've seen the version.bind hits
about 50 times.  The really weird thing is:

we have two connections to the 'net
our dns servers are split across the connections
it's not a browser on the internal side triggering it as they're round robined via squid out the two connections
ALL the attempts are to the same server.

May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"

$ nslookup 207.46.106.84
Server:  xxx.danger.ms
Address:  xxx.xxx.xxx.254

Name:    sjwu3dns1.windowsupdate.com
Address:  207.46.106.84
$ nslookup sjwu3dns1.windowsupdate.com
Server:  xxx.danger.ms
Address:  xxx.xxx.xxx.254

Name:    sjwu3dns1.windowsupdate.com
Address:  207.46.106.84

Note:  I haven't yet contacted Microsoft...you heard it here first ;)

--Bill
--billm () danger ms <-- hmmmm
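
An added example, not part of either post: one way to tally the "unapproved query ... VERSION.BIND" notices quoted above per source address and per /24, since the report mentions several hosts in the same /24. The sample log lines are constructed in the quoted format using documentation addresses, and the function name and `min_hits` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Matches the named "unapproved query" security notice in the format quoted above.
LINE_RE = re.compile(
    r'unapproved query from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+)\s+'
    r'for "(?P<qname>[^"]+)"'
)

def version_probe_report(lines, min_hits=3):
    """Count version.bind probes per source IP; flag /24s with >= min_hits."""
    per_ip = Counter()
    per_net = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        # Query names are case-insensitive and may carry a trailing dot.
        if not m or m["qname"].rstrip(".").lower() != "version.bind":
            continue
        try:
            net = str(ip_network(m["ip"] + "/24", strict=False))
        except ValueError:
            continue  # malformed address in the log line, skip it
        per_ip[m["ip"]] += 1
        per_net[net].add(m["ip"])
    flagged = {}
    for net, ips in per_net.items():
        hits = sum(per_ip[ip] for ip in ips)
        if hits >= min_hits:
            flagged[net] = {"hits": hits, "sources": sorted(ips)}
    return per_ip, flagged

# Constructed sample input (not taken from the post), same layout as the quoted log.
PREFIX = ("May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 "
          "security: notice: unapproved query from ")
SAMPLE = (
    [PREFIX + '[192.0.2.84].42900 for "VERSION.BIND"'] * 3
    + [PREFIX + '[192.0.2.91].2623 for "version.bind"',
       PREFIX + '[198.51.100.7].1042 for "VERSION.BIND"',
       PREFIX + '[192.0.2.84].42901 for "example.com"']
)

if __name__ == "__main__":
    counts, flagged = version_probe_report(SAMPLE)
    for net, info in flagged.items():
        print(net, info["hits"], ", ".join(info["sources"]))
```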


