Security Incidents mailing list archives
RE: version.bind request
From: "Jeff Calvert" <jcalvert () cyrusone com>
Date: Wed, 30 May 2001 09:41:25 -0500
I have also noticed these named-probe-version alerts. Same pattern of random sources, going to IPs that don't have hosts associated with them:

05/20-08:18:41.754937 213.42.45.162:3310 -> a.b.c.157:53
05/20-08:41:54.004937 168.77.214.13:3422 -> a.b.c.204:53
05/20-14:45:40.924937 200.41.84.109:4904 -> a.b.c.138:53
05/20-21:23:38.014937 211.13.200.132:3979 -> a.b.c.219:53
05/20-23:34:31.044937 209.196.46.130:2369 -> a.b.c.131:53
05/21-02:18:43.464937 150.214.53.58:3709 -> a.b.c.213:53
05/21-04:43:32.014937 210.208.128.4:4514 -> a.b.c.50:53
05/21-05:02:15.724937 63.34.208.66:1660 -> a.b.c.219:53
05/21-08:14:28.684937 210.162.194.130:4823 -> a.b.c.195:53
05/21-16:04:50.044937 202.86.136.31:3504 -> a.b.c.133:53
05/21-18:45:11.974937 195.76.10.75:4882 -> a.b.c.198:53
05/22-01:31:29.634937 61.218.146.51:4138 -> a.b.c.212:53
05/29-17:49:31.923427 62.137.41.136:2770 -> a.b.c.147:53
05/29-23:25:51.403376 210.11.29.11:4706 -> a.b.c.200:53
05/29-23:26:37.293376 203.73.208.97:2053 -> a.b.c.159:53

Jeff Calvert
System Administrator
jcalvert () cyrusone com

-----Original Message-----
From: Portnoy, Gary [mailto:gportnoy () belenosinc com]
Sent: Tuesday, May 29, 2001 3:35 PM
To: 'intursions () incidents org'; 'incidents () securityfocus com'
Subject: version.bind request

Greetings.

I have Snort configured to alert on version.bind queries and the following is what I've been seeing. In the last week, I've seen about 10 version.bind queries to seemingly random IPs on my subnet. Some of these IPs don't even have hosts associated with them. Checking back in my logs, it doesn't look like the various source IPs performed any recon beforehand, and since version.bind is UDP-based, they can afford to send out the query without first establishing the connection. So, in effect, what I am seeing is almost like a ping sweep for DNS servers.

The interesting thing is that I don't see the source IP return, no exploit, and no scan of additional IPs by the same source:

2001-05-28 15:38:42 157.158.66.54 -> a.b.c.52
2001-05-28 23:24:53 211.72.169.14 -> a.b.c.55
2001-05-27 08:42:48 203.146.184.8 -> a.b.c.17
2001-05-27 18:01:54 213.29.194.62 -> a.b.c.4
2001-05-25 01:23:01 213.42.50.224 -> a.b.c.52
2001-05-23 13:32:45 210.99.96.107 -> a.b.c.2
2001-05-22 06:20:34 209.196.46.130 -> a.b.c.5
2001-05-22 16:06:12 62.110.55.180 -> a.b.c.25
2001-05-22 16:16:37 209.245.0.125 -> a.b.c.3
2001-05-13 01:40:56 203.87.131.9 -> a.b.c.25
2001-05-13 05:10:39 195.76.10.128 -> a.b.c.7

Any ideas/correlations?

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
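Gary's closing question ("Any ideas/correlations?") is the kind of thing a defender can answer directly from the two alert lists above. The following is an added example, not code posted by either participant: it parses both log formats as they appear in the thread (Snort's `MM/DD-HH:MM:SS.usec src:port -> dst:port` and Gary's plainer `YYYY-MM-DD HH:MM:SS src -> dst`), then checks for sources that return, sources that appear on both networks, and sources sharing a /24 or /16 prefix across the two networks. The alert lines are copied from the posts; the masked destinations (a.b.c.N) are kept as opaque strings, and the prefix grouping is a heuristic of this example, not anything the posters proposed.

```python
"""Correlate version.bind probe alerts seen by two sites (added example, not from the thread)."""
import re
from collections import Counter
from ipaddress import ip_network

# Alert lines as quoted in the two posts. Destinations were masked by the
# posters as a.b.c.N, so they are treated as opaque labels, not addresses.
JEFF_ALERTS = """\
05/20-08:18:41.754937 213.42.45.162:3310 -> a.b.c.157:53
05/20-08:41:54.004937 168.77.214.13:3422 -> a.b.c.204:53
05/20-14:45:40.924937 200.41.84.109:4904 -> a.b.c.138:53
05/20-21:23:38.014937 211.13.200.132:3979 -> a.b.c.219:53
05/20-23:34:31.044937 209.196.46.130:2369 -> a.b.c.131:53
05/21-02:18:43.464937 150.214.53.58:3709 -> a.b.c.213:53
05/21-04:43:32.014937 210.208.128.4:4514 -> a.b.c.50:53
05/21-05:02:15.724937 63.34.208.66:1660 -> a.b.c.219:53
05/21-08:14:28.684937 210.162.194.130:4823 -> a.b.c.195:53
05/21-16:04:50.044937 202.86.136.31:3504 -> a.b.c.133:53
05/21-18:45:11.974937 195.76.10.75:4882 -> a.b.c.198:53
05/22-01:31:29.634937 61.218.146.51:4138 -> a.b.c.212:53
05/29-17:49:31.923427 62.137.41.136:2770 -> a.b.c.147:53
05/29-23:25:51.403376 210.11.29.11:4706 -> a.b.c.200:53
05/29-23:26:37.293376 203.73.208.97:2053 -> a.b.c.159:53
"""

GARY_ALERTS = """\
2001-05-28 15:38:42 157.158.66.54 -> a.b.c.52
2001-05-28 23:24:53 211.72.169.14 -> a.b.c.55
2001-05-27 08:42:48 203.146.184.8 -> a.b.c.17
2001-05-27 18:01:54 213.29.194.62 -> a.b.c.4
2001-05-25 01:23:01 213.42.50.224 -> a.b.c.52
2001-05-23 13:32:45 210.99.96.107 -> a.b.c.2
2001-05-22 06:20:34 209.196.46.130 -> a.b.c.5
2001-05-22 16:06:12 62.110.55.180 -> a.b.c.25
2001-05-22 16:16:37 209.245.0.125 -> a.b.c.3
2001-05-13 01:40:56 203.87.131.9 -> a.b.c.25
2001-05-13 05:10:39 195.76.10.128 -> a.b.c.7
"""

# Snort alert format (Jeff) and the plain "date time src -> dst" format (Gary).
SNORT_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (\S+):\d+ -> (\S+):\d+$")
PLAIN_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\S+) -> (\S+)$")


def parse_alerts(text):
    """Return a list of (src, dst) pairs; lines matching neither format are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = SNORT_RE.match(line) or PLAIN_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def repeated_sources(events):
    """Sources that appear more than once at one site (a scanner that came back)."""
    counts = Counter(src for src, _ in events)
    return {src: n for src, n in counts.items() if n > 1}


def repeated_targets(events):
    """Destinations probed more than once at one site."""
    counts = Counter(dst for _, dst in events)
    return {dst: n for dst, n in counts.items() if n > 1}


def shared_sources(a, b):
    """Exact source addresses seen at both sites."""
    return sorted({src for src, _ in a} & {src for src, _ in b})


def shared_prefixes(a, b, bits=24):
    """Source prefixes (default /24) seen at both sites; a heuristic for related scanners."""
    def prefixes(events):
        return {str(ip_network(f"{src}/{bits}", strict=False)) for src, _ in events}
    return sorted(prefixes(a) & prefixes(b))


if __name__ == "__main__":
    jeff, gary = parse_alerts(JEFF_ALERTS), parse_alerts(GARY_ALERTS)
    print("returning sources, Jeff:", repeated_sources(jeff))
    print("returning sources, Gary:", repeated_sources(gary))
    print("hosts probed twice, Jeff:", repeated_targets(jeff))
    print("hosts probed twice, Gary:", repeated_targets(gary))
    print("same source at both sites:", shared_sources(jeff, gary))
    print("same /24 at both sites:", shared_prefixes(jeff, gary))
    print("same /16 at both sites:", shared_prefixes(jeff, gary, bits=16))
```

Run as a script it confirms what both posters describe (no source returns to the same site) and adds the cross-site view: one source address and two /24s show up in both lists, which is a reason to compare notes with other sites rather than to treat each probe in isolation. A shared /24 is only suggestive; it does not by itself say whether the probes come from one operator or from unrelated hosts in the same block.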
Current thread:
- version.bind request Portnoy, Gary (May 29)
- Re: version.bind request Russell Fulton (May 30)
- <Possible follow-ups>
- RE: version.bind request Jeff Calvert (May 30)