Security Incidents mailing list archives
massive unapproved AXFR's and odd rcvd NOTIFY's
From: paul () XTDNET NL (Paul Wouters)
Date: Wed, 9 Feb 2000 15:50:56 +0100
(All strings "domainname.com" are real domainnames) I am seeing a LOT of these, even right now: Feb 9 08:35:59 duplo named[543]: unapproved AXFR from [216.0.52.138].1041 for "domainname.com" (acl) 1) It doesn't seem to be walking a tld tree, because I see them for .nl, .com, .net etc. 2) I see these even for some domains that only have DNS setup, but don't yet have registered domain names. How did they get this information? On top of that, I'm receiving a lot of these: Feb 9 08:36:00 duplo named[543]: rcvd NOTIFY(domainname.com, IN, SOA) from [216.0.52.138].1024 Feb 9 08:36:00 duplo named[543]: NOTIFY(SOA) from non-master server (zone domainname.com), from [216.0.52.138].1024 Note that 216.0.52.138 is not a master for ANY of the slave zones I run, yet for some it seems to fake bind into thinking it is a master zone. (Actually, it is some redhat 6.0 machine according to its login banner:) Running named 8.2.2-P3 Paul Wouters Xtended Internet -- Broerdijk 27 Postbus 170 Tel: 31-24-360 39 19 6523 GM Nijmegen 6500 AD Nijmegen Fax: 31-24-360 19 99 The Netherlands The Netherlands info () xtdnet nl
Current thread:
- Re: SSH2 Exploit?, (continued)
- Re: SSH2 Exploit? Mike Tancsa (Feb 15)
- Re: SSH2 Exploit? //Stany (Feb 16)
- Re: SSH2 Exploit? sysadmin (Feb 16)
- AdForce hitting odd ports Rick Tortorella (Feb 11)
- UDP to 161 CL: Nelson, Jeff (Feb 10)
- Re: UDP to 161 Pavel Kankovsky (Feb 15)
- Re: UDP to 161 Ryan Russell (Feb 15)
- Re: UDP to 161 CyberPsychotic (Feb 16)
- Re: UDP to 161 Russell Fulton (Feb 15)
- Re: Private networks and home.{net|com} Andy Smith (Feb 09)
- massive unapproved AXFR's and odd rcvd NOTIFY's Paul Wouters (Feb 09)
- Re: massive unapproved AXFR's and odd rcvd NOTIFY's Francis A. Vidal (Feb 09)
- [UPDATE]Dos Trojan on Solaris Roderick Padilla (Feb 09)
- Re: [UPDATE]Dos Trojan on Solaris Ross Mueller (Feb 09)
- a very strange scan Boris Badenov (Feb 09)
- Re: a very strange scan Russell Fulton (Feb 10)
- Possible stacheldraht variant/probe Stephen P. Berry (Feb 09)
- Re: Possible stacheldraht variant/probe David Brumley (Feb 10)
- Re: [UPDATE]Dos Trojan on Solaris Robert Lau (Feb 09)
- Re: Strange traceroute Rob Quinn (Feb 08)
- vi as a suid Paulo Ribeiro (Feb 08)