Security Incidents mailing list archives
OpenNIC "attack?"
From: Brett Glass <brett () lariat org>
Date: Wed, 22 Oct 2003 19:53:06 -0600
Lately, a number of our users have been getting messages in their server logs that look like this:
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns11.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns0.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns1.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns2.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns3.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns4.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns6.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns7.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns8.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns10.opennic.glue class 1 in hints
More recently, one of them reported that the /var partition on his server had overflowed because of a flood of log messages of this type, preventing him from receiving e-mail until he manually deleted some logs.
Research has revealed that a nasty bit of spyware called "New.Net" has been modifying Windows systems to go to OpenNIC for DNS. Could this be what's causing these error messages? If so, what's the best way to deal with the problem? We'd rather not have all the junk in the logs. We would like (if possible) just to block the bogus requests automatically and get a single message warning us that someone's infected.
--Brett Glass
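The post asks for a way to keep the repeated check_hints lines out of the logs while still getting one notice that something is wrong. The script below is an added example, not part of the original message or of any BIND tooling: it reads syslog-style lines, collapses every "check_hints: no A records for ... in hints" warning into a per-domain count, and emits a single summary line per parent domain instead of one line per name server. The sample lines are constructed to match the format quoted in the post (the sshd line is made up to show that unrelated entries pass through untouched); the "hints-filter" tag on the summary line is an assumed name chosen here.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the named[] lines quoted in the post.
# The final sshd line is invented to show that non-matching entries are kept.
SAMPLE_LOG = """\
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns11.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns0.opennic.glue class 1 in hints
Oct 5 23:42:47 www named[153]: check_hints: no A records for ns1.opennic.glue class 1 in hints
Oct 5 23:42:48 www named[153]: check_hints: no A records for ns0.opennic.glue class 1 in hints
Oct 5 23:42:49 www sshd[201]: Accepted publickey for alice from 192.0.2.10 port 50222
"""

# Matches the check_hints warning as written by named; other lines fall through.
CHECK_HINTS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"check_hints: no A records for (?P<name>\S+) class (?P<cls>\d+) in hints$"
)


def parent_domain(name, labels=2):
    """Reduce a hostname to its last `labels` labels, e.g. ns0.opennic.glue -> opennic.glue."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def summarize_check_hints(lines, labels=2):
    """Collapse repeated check_hints warnings.

    Returns (kept_lines, counts): kept_lines holds every non-matching line in
    its original order followed by one summary line per parent domain, and
    counts maps each parent domain to the number of warnings suppressed for it.
    """
    kept = []
    counts = Counter()
    first_seen = {}  # parent domain -> (timestamp, host) of its first warning
    for line in lines:
        m = CHECK_HINTS_RE.match(line)
        if not m:
            kept.append(line)
            continue
        dom = parent_domain(m.group("name"), labels)
        counts[dom] += 1
        first_seen.setdefault(dom, (m.group("ts"), m.group("host")))
    for dom, n in counts.items():
        ts, host = first_seen[dom]
        # "hints-filter" is an assumed tag for the summary line (not a named feature).
        kept.append(f"{ts} {host} hints-filter: suppressed {n} check_hints warning(s) for *.{dom}")
    return kept, dict(counts)


if __name__ == "__main__":
    out, summary = summarize_check_hints(SAMPLE_LOG.splitlines())
    print("\n".join(out))
    print(summary)
```

Run it over a log file with `summarize_check_hints(open(path).readlines())`, or wire it into whatever feeds syslog so the summary line is what reaches the mail or alerting pipeline; the per-domain count is the signal that one or more clients are still pointing at the wrong servers, without letting the raw repeats fill /var.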