Security Incidents mailing list archives
Re: Microsoft version.binding us now?
From: jessen () NIC BR (Klaus Steding-Jessen)
Date: Tue, 30 May 2000 12:18:14 -0300
on Friday, 26 May 2000 19:11:36, Bill Marquette wrote:

| I've seen the following scan on some servers I admin for the last few days
| from not only 207.46.106.84 but also a couple other systems in that /24
| address space. So far I've seen the version.bind hits about 50 times. The
| really weird thing is:
|
| we have two connections to the 'net
| our dns servers are split across the connections
| it's not a browser on the internal side triggering it as they're round
| robined via squid out the two connections
| ALL the attempts are to the same server.
|
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security:
| notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"

Same thing here, from 207.46.106.75, 207.46.106.77 and 207.46.106.84:

May 25 16:16:27 foo named[39069]: unapproved query from [207.46.106.75].45294 for "VERSION.BIND"
May 25 16:43:40 foo named[39069]: unapproved query from [207.46.106.77].50702 for "VERSION.BIND"
May 25 17:37:08 foo named[39069]: unapproved query from [207.46.106.84].49823 for "VERSION.BIND"
May 25 17:38:30 foo named[39069]: unapproved query from [207.46.106.84].51197 for "VERSION.BIND"
May 25 17:41:30 foo named[39069]: unapproved query from [207.46.106.84].54255 for "VERSION.BIND"
May 25 18:29:57 foo named[39069]: unapproved query from [207.46.106.84].44706 for "VERSION.BIND"

The reply from infosec () microsoft com:
From: ITG Information Security Center <infosec () microsoft com>
Sender: Greg Galford <ggalford () microsoft com>
Subject: FW: SECURITY: Hacking activity from your domain
Date: Fri, 26 May 2000 07:31:42 -0700
X-Mailer: Internet Mail Service (5.5.2651.58)

Hi, these packets you are seeing are not probes, but are coming from an F5 networks product, 3dns (see: http://www.f5.com/3dns/index.html).
[snip]

Hard to believe that 3dns is using version.bind probes to collect RTT information. Can anyone confirm this?

Klaus.
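Added example, not part of the original messages: a small Python script that tallies "unapproved query" entries for VERSION.BIND from named logs in both layouts quoted above and groups the sources by network. The function names, the /24 grouping and the two-host threshold are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches both layouts quoted in the thread: with and without the
# second timestamp and the "security: notice:" channel prefix.
PATTERN = re.compile(
    r'named\[\d+\]: .*?unapproved query from '
    r'\[(?P<src>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+) '
    r'for "(?P<qname>[^"]+)"'
)

# Log lines copied from the messages above; the first is rejoined
# from its wrapped form.
SAMPLE = '''\
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 16:16:27 foo named[39069]: unapproved query from [207.46.106.75].45294 for "VERSION.BIND"
May 25 16:43:40 foo named[39069]: unapproved query from [207.46.106.77].50702 for "VERSION.BIND"
May 25 17:37:08 foo named[39069]: unapproved query from [207.46.106.84].49823 for "VERSION.BIND"
May 25 17:38:30 foo named[39069]: unapproved query from [207.46.106.84].51197 for "VERSION.BIND"
'''

def version_bind_sources(lines, prefix_len=24):
    """Return {network: Counter(source_ip -> hits)} for VERSION.BIND queries."""
    by_net = defaultdict(Counter)
    for line in lines:
        m = PATTERN.search(line)
        if not m or m.group("qname").lower() != "version.bind":
            continue
        try:
            ip = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # octet out of range: not a usable address
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)][str(ip)] += 1
    return dict(by_net)

def report(lines, min_hosts=2):
    """Networks where at least min_hosts distinct sources sent the query."""
    nets = version_bind_sources(lines)
    return {n: dict(h) for n, h in nets.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for net, hits in report(SAMPLE.splitlines()).items():
        print(net, sum(hits.values()), "queries from", sorted(hits))
```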