Snort mailing list archives

RE: DNS server keeps communicating with Darkprofits.net and darkprofits.com


From: "Grime, Richard S" <richard.grime () imperial ac uk>
Date: Tue, 3 Feb 2004 22:40:20 -0000

...and the DarkProfits requests themselves probably come from the DDoS
component of one of the MiMail variants, e.g.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sean Lazar
Sent: 03 February 2004 01:47
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DNS server keeps communicating with
Darkprofits.net and darkprofits.com


In general your DNS servers should not serve domains other than those 
they are authoritative for.

If you are using BIND (eight and above?) you can use the allow-recursion
option to limit recursion to friendly IP addresses. For example:

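// Networks allowed to use this server as a recursive resolver
acl our-nets { XXX.XXX.XXX.0/24; };
options {
    // Refuse recursive lookups from anyone outside our-nets
    allow-recursion { our-nets; };
};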

Upgrading to the latest BIND version is strongly recommended.
BIND reference manual:
http://www.nominum.com/content/documents/bind9arm.pdf


Marlon.Richards () Windalco com wrote:

Hi guys. I know this is the SNORT mailing list but I am just wondering 
if I could get some help here. I found that my DNS server is being 
asked to make numerous resolutions of darkprofits.com and 
darkprofits.net. None of my internal clients are making these requests.

My Sniffer shows me that the requests are being made from outside my 
network and that my DNS server is making a request for this domain to 
external hosts. Does anyone know where this may be coming from and how 
to stop it?
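
Added example, not part of the original thread or any poster's code: the check below applies the same decision as the allow-recursion ACL to BIND query-log lines, listing outside clients that request recursion for names the server is not authoritative for. The address ranges, zone name, log-line layout (BIND 9 querylog style) and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the thread): documentation address ranges stand in
# for the real "our-nets" ACL, and example.org for the zone this server serves.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]
AUTH_ZONES = ["example.org"]

# Assumed layout: "client [@0x..] IP#port [(name)]: query: NAME CLASS TYPE FLAGS"
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \(\S+\))?: "
    r"query: (?P<name>\S+) \S+ \S+ (?P<flags>\S+)"
)

def is_friendly(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)

def is_authoritative(name):
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTH_ZONES)

def external_recursion(lines):
    """Count (client, name) pairs that allow-recursion { our-nets; } would refuse."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        # A leading "+" in the flags field means the client asked for recursion.
        if not m or not m["flags"].startswith("+"):
            continue
        if is_friendly(m["ip"]) or is_authoritative(m["name"]):
            continue
        hits[(m["ip"], m["name"].rstrip(".").lower())] += 1
    return hits

# Constructed sample log lines, not taken from the thread.
SAMPLE_LOG = """\
03-Feb-2004 01:12:01.100 client 198.51.100.7#1037: query: darkprofits.com IN A +
03-Feb-2004 01:12:01.350 client 198.51.100.7#1038: query: darkprofits.net IN A +
03-Feb-2004 01:12:02.010 client 203.0.113.44#4021: query: darkprofits.com IN A +
03-Feb-2004 01:12:02.500 client 192.0.2.15#1055: query: www.example.net IN A +
03-Feb-2004 01:12:03.000 client 203.0.113.44#4022: query: www.example.org IN A -
03-Feb-2004 01:12:03.200 client 198.51.100.7#1039: query: darkprofits.com IN A +
""".splitlines()

if __name__ == "__main__":
    for (ip, name), n in external_recursion(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip:15s}  {name}")
```

Run against the server's own query log before and after the ACL change, the count of flagged pairs shows how much outside recursion the server was performing.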



