Security Incidents mailing list archives

Re: Microsoft version.binding us now?

From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Sat, 3 Jun 2000 01:08:43 -0000


Hello,

Great work tracking this 3DNS signature!  When I looked at 
3DNS' F5 signatures last year, I found them using null 64 
byte SYN packets to local name servers to try to test 
latency.  Actual polls for BIND versions is very 
interesting -- are the incoming packets TCP?  The vendor 
said "It looks like an aborted zone transfer
normally, or a dns look-up that went wrong"; that sounds 
like TCP to me.  Also, are your machines responding?

Richard Bejtlich

--

Same here, every +/- 4 minutes they poll for our 
VERSION.BIND. I resolved
one of the ipnumbers to something.windowsupdate.com and I 
contacted the
technical contacts.

Current thread:

Re: Microsoft version.binding us now? Fernando Cardoso (May 30)
- <Possible follow-ups>
- Re: Microsoft version.binding us now? Klaus Steding-Jessen (May 30)
  - Re: Microsoft version.binding us now? Bill Marquette (Jun 01)
- Re: Microsoft version.binding us now? Thijs Eilander (May 30)
  - Re: Microsoft version.binding us now? Bill Marquette (Jun 01)
  - Re: Microsoft version.binding us now? Richard Bejtlich (Jun 02)
  - Scan of the Week continued Lance Spitzner (Jun 03)
  - very strange scan patterns Joe H (Jun 05)
    - Re: very strange scan patterns John Kristoff (Jun 05)
    - Sub-7 Khan, Mansoor (Jun 05)
    - Re: Sub-7 James Stevenson (Jun 08)
    - Re: Sub-7 Matthew F. Caldwell (Jun 08)
    - Re: Sub-7 nine (Jun 08)
    - Strange scans - inquisitive question Paul Rogers (Jun 09)
    - Re: Strange scans - inquisitive question Valdis Kletnieks (Jun 11)
    - What is this guy doing? Josh Burroughs (Jun 05)

(Thread continues...)