Security Incidents mailing list archives
Re: massive unapproved AXFR's and odd rcvd NOTIFY's
From: paul () XTDNET NL (Paul Wouters)
Date: Thu, 10 Feb 2000 00:04:46 +0100
I wrote that I saw a lot of:
Feb 9 08:35:59 duplo named[543]: unapproved AXFR from [216.0.52.138].1041 for "domainname.com" (acl)
Feb 9 08:36:00 duplo named[543]: rcvd NOTIFY(domainname.com, IN, SOA) from [216.0.52.138].1024
What was it again? Never attribute to malice what can be adequately explained by stupidity. The ISP that runs our secondaries upgraded to a new machine, gave away the old machine, without killing the hard drive contents, and now someone has reconnected the server half a world away, and enabled the nameserver. I've notified the SOA address and the postmaster of the client that took the machine with him.
Feb 9 08:36:00 duplo named[543]: NOTIFY(SOA) from non-master server (zone domainname.com), from [216.0.52.138].1024
Note that 216.0.52.138 is not a master for ANY of the slave zones I run, yet for some it seems to fake bind into thinking it is a master zone.
That was because for some of the zones I am still a slave, but some of the zones, I'm no longer a slave, as the client who left and took the machine took some, not all, domains with him.
Running named 8.2.2-P3
Though I did upgrade to P5 just in case :)
I was properly punished for not realising this before posting with roughly 8 or so Out of Office replies by our fellow members (and I guess I will get another 8 for this posting as well).
Thank you :)
Paul
PS. Anyone know how to recognise an Out of Office reply to an email to a list? I noticed all of them removed special headers (eg Bulk:) and most butchered the subject line. Grrrr :)
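A log triage for the pattern in this message, where one address is both refused for AXFR and sending NOTIFYs, as an added example that is not part of the original post. The function names, the `known_masters` parameter and the last two sample lines (documentation addresses, `example.org`) are assumptions made for illustration; the regexes follow the three log lines quoted above.

```python
import re
from collections import defaultdict

# Message shapes copied from the three BIND 8 log lines quoted in the post.
PATTERNS = {
    "unapproved_axfr": re.compile(
        r'unapproved AXFR from \[(?P<ip>[\d.]+)\]\.\d+ for\s*"(?P<zone>[^"]+)"'),
    "notify_non_master": re.compile(
        r'NOTIFY\(SOA\) from non-master server \(zone (?P<zone>[^)]+)\), '
        r'from \[(?P<ip>[\d.]+)\]\.\d+'),
    "rcvd_notify": re.compile(
        r'rcvd NOTIFY\((?P<zone>[^,]+), IN, SOA\) from \[(?P<ip>[\d.]+)\]\.\d+'),
}

# First three lines are from the post; the last two are constructed samples.
SAMPLE = [
    'Feb 9 08:35:59 duplo named[543]: unapproved AXFR from [216.0.52.138].1041 for "domainname.com" (acl)',
    'Feb 9 08:36:00 duplo named[543]: rcvd NOTIFY(domainname.com, IN, SOA) from [216.0.52.138].1024',
    'Feb 9 08:36:00 duplo named[543]: NOTIFY(SOA) from non-master server (zone domainname.com), from [216.0.52.138].1024',
    'Feb 9 08:40:12 duplo named[543]: rcvd NOTIFY(example.org, IN, SOA) from [192.0.2.53].1024',
    'Feb 9 08:41:30 duplo named[543]: unapproved AXFR from [198.51.100.7].3321 for "example.org" (acl)',
]

def triage(lines, known_masters=frozenset()):
    """Return {source_ip: {event_kind: [zones]}} for the events above.

    known_masters (assumed input): addresses configured as masters for our
    slave zones; a plain 'rcvd NOTIFY' from one of them is expected traffic.
    """
    report = defaultdict(lambda: defaultdict(set))
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            if kind == "rcvd_notify" and m["ip"] in known_masters:
                continue
            report[m["ip"]][kind].add(m["zone"].lower().rstrip("."))
    return {ip: {k: sorted(z) for k, z in kinds.items()}
            for ip, kinds in report.items()}

def stale_peers(report):
    """Addresses that were refused a zone transfer AND sent us NOTIFYs:
    the signature of a server still running an old copy of the zone config."""
    return sorted(ip for ip, kinds in report.items()
                  if "unapproved_axfr" in kinds
                  and ("notify_non_master" in kinds or "rcvd_notify" in kinds))

if __name__ == "__main__":
    rep = triage(SAMPLE, known_masters={"192.0.2.53"})
    for ip in stale_peers(rep):
        print(ip, rep[ip])
```

An address that only appears under `unapproved_axfr` is more likely a stranger attempting a transfer; one that also sends NOTIFYs behaves like a former master or secondary and is worth tracing back to its operator.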