Security Incidents mailing list archives

massive unapproved AXFRs and odd rcvd NOTIFYs


From: paul () XTDNET NL (Paul Wouters)
Date: Wed, 9 Feb 2000 15:50:56 +0100


(All strings "domainname.com" are real domainnames)

I am seeing a LOT of these, even right now:

Feb  9 08:35:59 duplo named[543]: unapproved AXFR from [216.0.52.138].1041 for "domainname.com" (acl)

1) It doesn't seem to be walking a tld tree, because I see them for .nl, .com, .net etc.
2) I see these even for some domains that only have DNS setup, but don't yet have
   registered domain names. How did they get this information?

On top of that, I'm receiving a lot of these:

Feb  9 08:36:00 duplo named[543]: rcvd NOTIFY(domainname.com, IN, SOA) from [216.0.52.138].1024
Feb  9 08:36:00 duplo named[543]: NOTIFY(SOA) from non-master server (zone domainname.com), from [216.0.52.138].1024

Note that 216.0.52.138 is not a master for ANY of the slave zones I run, yet for some it seems to fake
BIND into thinking it is a master zone. (Actually, it is some Red Hat 6.0 machine according to its login
banner :)

Running named 8.2.2-P3

Paul Wouters
Xtended Internet

--
Broerdijk 27                    Postbus 170             Tel: 31-24-360 39 19    
6523 GM Nijmegen                6500 AD Nijmegen        Fax: 31-24-360 19 99
The Netherlands                 The Netherlands         info () xtdnet nl
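
The two log patterns quoted above (an "unapproved AXFR" hit and a NOTIFY that BIND rejects as coming from a non-master) are easy to correlate per source address. The script below is an added example written for this archive page, not code from the original post or from BIND; it parses BIND 8 syslog lines of exactly those two shapes, aggregates them per source IP, and flags a source that attempts transfers of several distinct zones (zone enumeration) or that sends NOTIFYs for zones it is not a master of. The sample log is constructed to mirror the post's formats; the 192.0.2.0/24 addresses and example.* zone names are placeholders, and the threshold of three zones is an arbitrary assumption to tune for your own volume.

```python
"""Correlate BIND 8 "unapproved AXFR" and "NOTIFY from non-master" log lines per source.

Added example, not from the original post or from BIND. The log lines below are
constructed to match the message formats quoted in the post; addresses and zone
names are placeholders (RFC 5737 / RFC 2606), not real data.
"""
import re
from collections import defaultdict

# "... named[543]: unapproved AXFR from [ip].port for "zone" (acl)"
AXFR_RE = re.compile(
    r'named\[\d+\]: unapproved AXFR from \[(?P<ip>[\d.]+)\]\.\d+ for "(?P<zone>[^"]+)"'
)
# "... named[543]: NOTIFY(SOA) from non-master server (zone X), from [ip].port"
# We key on this line rather than the preceding "rcvd NOTIFY(...)" line, because
# it carries BIND's own verdict that the sender is not a configured master.
NOTIFY_RE = re.compile(
    r'named\[\d+\]: NOTIFY\(SOA\) from non-master server \(zone (?P<zone>[^)]+)\), '
    r'from \[(?P<ip>[\d.]+)\]\.\d+'
)

# Constructed sample input (not a real capture).
SAMPLE_LOG = """\
Feb  9 08:35:59 duplo named[543]: unapproved AXFR from [192.0.2.10].1041 for "example.com" (acl)
Feb  9 08:35:59 duplo named[543]: unapproved AXFR from [192.0.2.10].1042 for "example.net" (acl)
Feb  9 08:35:59 duplo named[543]: unapproved AXFR from [192.0.2.10].1043 for "example.nl" (acl)
Feb  9 08:36:00 duplo named[543]: rcvd NOTIFY(example.com, IN, SOA) from [192.0.2.10].1024
Feb  9 08:36:00 duplo named[543]: NOTIFY(SOA) from non-master server (zone example.com), from [192.0.2.10].1024
Feb  9 08:40:12 duplo named[543]: unapproved AXFR from [192.0.2.77].2000 for "example.org" (acl)
Feb  9 08:41:00 duplo named[543]: Ready to answer queries.
"""


def parse_line(line):
    """Return ("axfr"|"bogus_notify", ip, zone) for a recognised line, else None."""
    m = AXFR_RE.search(line)
    if m:
        return ("axfr", m.group("ip"), m.group("zone"))
    m = NOTIFY_RE.search(line)
    if m:
        return ("bogus_notify", m.group("ip"), m.group("zone"))
    return None


def summarize(lines):
    """Per source IP, collect the set of zones probed via AXFR and the set of
    zones for which BIND rejected a NOTIFY from that source as non-master."""
    stats = defaultdict(lambda: {"axfr": set(), "bogus_notify": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, ip, zone = parsed
        stats[ip][kind].add(zone)
    return dict(stats)


def suspicious_sources(lines, min_axfr_zones=3):
    """Return {ip: [reasons]} for sources worth looking at.

    min_axfr_zones is an assumed threshold: one refused transfer is noise,
    the same address trying many unrelated zones is enumeration.
    """
    flagged = {}
    for ip, s in summarize(lines).items():
        reasons = []
        if len(s["axfr"]) >= min_axfr_zones:
            reasons.append("axfr_enumeration")
        if s["bogus_notify"]:
            reasons.append("notify_from_non_master")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in suspicious_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(reasons))
```

Feed it real syslog with `suspicious_sources(open("/var/log/messages").read().splitlines())`; the "rcvd NOTIFY" line by itself is deliberately ignored, since BIND logs it for every NOTIFY and only the "non-master server" line tells you the sender was not one of the zone's configured masters.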
