Security Incidents mailing list archives
Re: Probes from Microsoft
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Sat, 24 Feb 2001 14:42:10 -0700
On Fri, 23 Feb 2001, Ryan W. Maple wrote:
For the last day or so, we have been getting probes such as this ...

Feb 23 19:39:17 ns named[8363]: denied query from [207.68.131.17].7018 for "."
Feb 23 19:40:16 ns last message repeated 2 times
Feb 23 19:40:16 ns named[8363]: denied query from [207.68.131.17].9210 for "."
It's a global traffic director location probe thing. They want to figure out which server(s) are closest to you. When you or one of your users does a DNS request to them, it will hand back an answer that is supposed to be the best performer for you.
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)
..One brand of that type of product is the Big IP from F5.
... so I probe the ports ... DNS: VERSION.BIND text = "8.2.2-P5"
Now, I probably wouldn't have posted that... Anyone know if F5 just has some sort of regular unix running underneath?
Now I'm not going to call up Microsoft and say "I think you are hacked"
They don't appear to have been, not from this info.
because I don't really feel like going through all the work to find out who to contact, and all that. I have cc:'d secure () microsoft com on this message so hopefully somebody there will investigate.
The only thing to investigate is the BIND version on that box.
Has anybody else been seeing this? I have to admit that I find this kind of funny if this is in fact Microsoft (which all signs point to).
It's been covered here before. Go to our web page, select incidents as the item to search, and put in "f5" as the search term.

Ryan
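An added example, not part of the original message or anything the posters ran: a small Python summarizer for the BIND "denied query" syslog lines quoted above. It folds "last message repeated N times" lines into the count and lists sources that only ever asked for the root ".". The function names, the `min_count` threshold, and the last two sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First three lines are the ones quoted in the post; the last two are constructed.
SAMPLE_LOG = """\
Feb 23 19:39:17 ns named[8363]: denied query from [207.68.131.17].7018 for "."
Feb 23 19:40:16 ns last message repeated 2 times
Feb 23 19:40:16 ns named[8363]: denied query from [207.68.131.17].9210 for "."
Feb 23 19:41:02 ns named[8363]: denied query from [192.0.2.44].1053 for "example.test"
Feb 23 19:41:30 ns sshd[411]: unrelated line
"""

DENIED = re.compile(
    r'named\[\d+\]: denied query from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for "(?P<name>[^"]*)"')
REPEAT = re.compile(r'last message repeated (?P<n>\d+) times?')


def summarize_denied(log_text):
    """Return {source_ip: {"count", "ports", "names"}} for denied queries.

    syslog collapses identical consecutive messages into "last message
    repeated N times", so those lines add N to the previous entry's count.
    """
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "names": set()})
    last_ip = None  # source of the most recent line, if it was a denied query
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["count"] += 1
            entry["ports"].add(int(m["port"]))
            entry["names"].add(m["name"])
            last_ip = m["ip"]
            continue
        r = REPEAT.search(line)
        if r and last_ip is not None:
            stats[last_ip]["count"] += int(r["n"])
        else:
            last_ip = None  # any other message breaks the repeat chain
    return dict(stats)


def root_only_sources(stats, min_count=3):
    """Sources that only ever asked for "." and did so at least min_count times."""
    return sorted(ip for ip, s in stats.items()
                  if s["names"] == {"."} and s["count"] >= min_count)
```
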
Current thread:
- Probes from Microsoft Ryan W. Maple (Feb 24)
- Re: Probes from Microsoft Ryan Russell (Feb 24)
- Re: Probes from Microsoft kawaii (Feb 24)
- Re: Probes from Microsoft Tim Yocum (Feb 24)
- Re: Probes from Microsoft Jose Nazario (Feb 24)
- Re: Probes from Microsoft Ryan Russell (Feb 24)