Security Incidents mailing list archives

Re: Microsoft version.binding us now?


From: ofriedrichs () SECURITYFOCUS COM (Oliver Friedrichs)
Date: Fri, 23 Jun 2000 14:37:32 -0700


Also note that commercial security scanners like CyberCop Scanner and
ISS have pulled version.bind information for years now.  I'd still
suspect that in Microsoft's case, it is in fact their load balancing
solution, which the vendor indeed verified.

Oliver

-----Original Message-----
From: Richard Bejtlich [mailto:bejtlich () ALTAVISTA NET]
Sent: Thursday, June 22, 2000 4:13 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Microsoft version.binding us now?


Hi everyone,

Do you remember the post below?  Take a look, and then
consider this, posted to packetstorm.securify.com yesterday:

porkbind-1.1.tar.gz is a robust and recursive DNS server
vulnerability scanner which retrieves version.bind
information for the nameservers and produces a report.
Homepage: http://zsh.interniq.org

Interesting!

Richard Bejtlich

--

I've seen the following scan on some servers I admin for the last few days
from not only 207.46.106.84 but also a couple other systems in that /24
address space.  So far I've seen the version.bind hits about 50 times.  The
really weird thing is:

we have two connections to the 'net
our dns servers are split across the connections
it's not a browser on the internal side triggering it as they're round robined via squid out the two connections
ALL the attempts are to the same server.

May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"

$ nslookup 207.46.106.84
Server:  xxx.danger.ms
Address:  xxx.xxx.xxx.254

Name:    sjwu3dns1.windowsupdate.com
Address:  207.46.106.84
$ nslookup sjwu3dns1.windowsupdate.com
Server:  xxx.danger.ms
Address:  xxx.xxx.xxx.254

Name:    sjwu3dns1.windowsupdate.com
Address:  207.46.106.84

Note:  I haven't yet contacted Microsoft...you heard it
here first ;)

--Bill
--billm () danger ms <-- hmmmm


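Added example, not part of the original posts: one way to summarise named "unapproved query" log entries like those quoted above, counting version.bind hits per source address and per /24. The function names are hypothetical, the first four sample lines are the ones from the post (line wraps rejoined), and the last three are constructed using documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# First four lines: from the post above. Last three: constructed for illustration.
SAMPLE_LOG = """\
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"
May 25 14:01:10 myhost named[1319]: 25-May-2000 14:01:10.500 security: notice: unapproved query from [198.51.100.7].1044 for "version.bind"
May 25 14:01:12 myhost named[1319]: 25-May-2000 14:01:12.250 security: notice: unapproved query from [198.51.100.9].1051 for "VERSION.BIND"
May 25 14:02:11 myhost named[1319]: 25-May-2000 14:02:11.004 security: notice: unapproved query from [192.0.2.10].1053 for "example.com"
"""

LINE_RE = re.compile(
    r'(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: '
    r'notice: unapproved query from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) '
    r'for "(?P<qname>[^"]+)"'
)

def version_bind_probes(log_text):
    """Per source IP: hit count, source ports seen, first and last timestamp."""
    probes = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["qname"].lower().rstrip(".") != "version.bind":
            continue  # not a named security notice, or a different query name
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        entry = probes[m["ip"]]
        entry["count"] += 1
        entry["ports"].add(int(m["port"]))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(probes)

def hits_per_slash24(probes):
    """Roll per-host counts up to the enclosing /24, as the post does by eye."""
    totals = defaultdict(int)
    for ip, entry in probes.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        totals[str(net)] += entry["count"]
    return dict(totals)

if __name__ == "__main__":
    found = version_bind_probes(SAMPLE_LOG)
    print(hits_per_slash24(found), sorted(found["207.46.106.84"]["ports"]))
```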

