Security Incidents mailing list archives
Re: Large number of BIND probes.
From: core.lists.incidents () CORE-SDI COM (Iván Arce)
Date: Thu, 30 Dec 1999 15:23:25 -0300
Erik Fichtner wrote:
> On Wed, Dec 29, 1999 at 10:56:24AM -0600, Craig H. Rowland wrote:
>> Last night I received a very large number of probes to TCP port 53 on one of my DNS servers. I filter out all TCP port 53 traffic to these systems except for secondaries/primaries for zone transfers, but would like to know if anyone has seen a pickup in this activity as well. There were six separate hosts yesterday alone that tried. This is a new record for me. Seems like there may be a new BIND attack going around. :(
>
> I only got hit with one set of version.bind probes last night, and only on the primary nameservers listed with the InterNIC, but they were rather persistent at trying to figure out if it was a bind4 or a bind8 with version.bind shut off..
This most likely means that someone out there is trying to find BIND versions vulnerable to the NXT bug (8.2). See
http://www.securityfocus.com/vdb/bottom.html?vid=788
and
http://www.cert.org/advisories/CA-99-14-bind.html

-ivan

--
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse."
- Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
President
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================
--- For a personal reply use iarce () core-sdi com