Security Incidents mailing list archives
Re: Microsoft version.binding us now?
From: ofriedrichs () SECURITYFOCUS COM (Oliver Friedrichs)
Date: Fri, 23 Jun 2000 14:37:32 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also note that commercial security scanners like CyberCop Scanner and ISS have pulled version.bind information for years now. I'd still suspect that in Microsoft's case, it is in fact their load balancing solution, which the vendor indeed verified.

Oliver

-----Original Message-----
From: Richard Bejtlich [mailto:bejtlich () ALTAVISTA NET]
Sent: Thursday, June 22, 2000 4:13 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Microsoft version.binding us now?

Hi everyone,

Do you remember the post below? Take a look, and then consider this, posted to packetstorm.securify.com yesterday:

porkbind-1.1.tar.gz is a robust and recursive DNS server vulnerability scanner which retrieves version.bind information for the nameservers and produces a report. Homepage: http://zsh.interniq.org

Interesting!

Richard Bejtlich

--

I've seen the following scan on some servers I admin for the last few days from not only 207.46.106.84 but also a couple other systems in that /24 address space. So far I've seen the version.bind hits about 50 times. The really weird thing is:

- we have two connections to the 'net
- our dns servers are split across the connections
- it's not a browser on the internal side triggering it as they're round robined via squid out the two connections
- ALL the attempts are to the same server.

May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"

$ nslookup 207.46.106.84
Server: xxx.danger.ms
Address: xxx.xxx.xxx.254

Name: sjwu3dns1.windowsupdate.com
Address: 207.46.106.84

$ nslookup sjwu3dns1.windowsupdate.com
Server: xxx.danger.ms
Address: xxx.xxx.xxx.254

Name: sjwu3dns1.windowsupdate.com
Address: 207.46.106.84

Note: I haven't yet contacted Microsoft...you heard it here first ;)

--Bill
--billm () danger ms <-- hmmmm

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOVPWKsm4FXxxREdXEQI5UACgx8LYqFVARCaqnLFNNIekB0j0KKsAnR/1
gAGSRG+xOaswIXaNiONOudwu
=/+v1
-----END PGP SIGNATURE-----
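
An added example, not part of the original posts: a small Python parser for the named log format quoted in the thread, which counts version.bind queries per source /24 so that several probing hosts in one network show up together. The function names and the 192.0.2.x and 198.51.100.x sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Line format as quoted in the post: ... unapproved query from [ip].port for "NAME"
QUERY_RE = re.compile(
    r'named\[\d+\]: (?P<ts>\S+ \S+) security: notice: unapproved query '
    r'from \[(?P<src>[0-9.]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]+)"'
)

def version_bind_probes(lines):
    """Yield (timestamp, source IP, source port) for each logged version.bind query."""
    for line in lines:
        m = QUERY_RE.search(line)
        # DNS names are case-insensitive; ignore an optional trailing root dot.
        if m and m["qname"].rstrip(".").lower() == "version.bind":
            yield m["ts"], ipaddress.ip_address(m["src"]), int(m["port"])

def summarize_by_net(lines, prefix=24):
    """Group probes by source network: {net: {"hits": n, "sources": {ip: ports}}}."""
    summary = defaultdict(lambda: {"hits": 0, "sources": defaultdict(set)})
    for _ts, src, port in version_bind_probes(lines):
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        summary[net]["hits"] += 1
        summary[net]["sources"][src].add(port)
    return summary

# The first four lines are the ones quoted in the post. The last three are
# constructed: two hosts in one documentation /24, plus an unrelated query.
SAMPLE_LOG = """\
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"
May 26 09:02:11 myhost named[1319]: 26-May-2000 09:02:11.004 security: notice: unapproved query from [192.0.2.10].1055 for "version.bind"
May 26 09:02:12 myhost named[1319]: 26-May-2000 09:02:12.310 security: notice: unapproved query from [192.0.2.77].1056 for "version.bind."
May 26 09:05:40 myhost named[1319]: 26-May-2000 09:05:40.881 security: notice: unapproved query from [198.51.100.5].3300 for "www.example.com"
""".splitlines()

if __name__ == "__main__":
    for net, info in sorted(summarize_by_net(SAMPLE_LOG).items()):
        hosts = ", ".join(str(ip) for ip in sorted(info["sources"]))
        print(f"{net}: {info['hits']} version.bind queries from {hosts}")
```
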