Security Incidents mailing list archives
Re: DNS update queries: another sort of suspicious activity.
From: Flynnh () MONT DISA MIL (Flynn, Harold M. III)
Date: Mon, 31 Jan 2000 21:14:12 -0000
I had a similar incident myself, although this was involving an NT 4.0 machine, if I remember correctly. I received mail from an SA out in California with the IP address of one of the customers on the network, stating he'd been receiving numerous update attempts on one of the domains he was hosting at his site. After a look through the accounting logs, I figured out who it was, and gave him a call. We got an idea of what was going on from what he was running there at the house. Apparently, he had a domain hosted at the shop out in CA, and was pulling down the mail from the domain to his house. For some reason, the machine (obviously misconfigured) was attempting to send domain updates. By looking at logs, every time he'd connect, he'd send a DNS update to his hosting service every 2 or 3 minutes. This would occur for the duration of his connection (over dialup). I thought he might have been trying to make some sort of DynDNS updates as well, but never could confirm that, as he fixed the problem, and I left the shop shortly thereafter.
-----Original Message-----
From: Patrick Oonk [SMTP:patrick () PINE NL]
Sent: Friday, January 28, 2000 2:02 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: DNS update queries: another sort of suspicious activity.

On Fri, Jan 28, 2000 at 04:12:38PM +0300, Fyodor wrote:

> Greetings,
>
> Today I noticed quite interesting logs from my named:
>
> Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for myzone.com
> Jan 28 05:57:09 ns last message repeated 2 times
> ...
>
> Looks like someone tried to spoof DNS update queries to `update' zone files of my nameserver. I will try to dissect DNS update query tonight to see if I could write decent snort rules to detect this sort of attack.

Fyodor, this seems to be a 'feature' of Windows 2000. If you had portscanned the offending box you might have seen it was a Win2k box.

patrick
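Fyodor's quoted message says he intended to dissect the DNS update query so he could write detection rules for it. The following Python is an added example, not code from anyone in this thread: it builds a constructed RFC 2136 UPDATE message (opcode 5, one A record added to a zone), dissects any DNS message to report its opcode, target zone and updated names, and separately summarises BIND "unapproved update" log lines per source and zone. The packet, the zone `myzone.com`, the host name and the address are constructed sample input modelled on the log lines quoted above; the log summariser also folds in syslog's "last message repeated N times" lines so the count is not understated.

```python
"""Dissect DNS messages to spot dynamic UPDATE requests (RFC 2136, opcode 5)
and tally BIND 'unapproved update' log lines. Added example; all inputs are constructed."""
import re
import struct
from collections import Counter

OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
TYPE_NAMES = {1: "A", 6: "SOA"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a DNS name at offset, following compression pointers; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_update(zone, host, ipv4, txid=0x1234):
    """Constructed RFC 2136 UPDATE adding an A record for host inside zone (sample, not a capture)."""
    # Header: ID, flags with opcode 5 in bits 11-14, ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", txid, 5 << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)  # ZTYPE=SOA, ZCLASS=IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = encode_name(host) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata  # A, IN, TTL, RDLENGTH
    return header + zone_section + update_rr


def build_query(name, txid=0x0001):
    """Constructed ordinary recursive A query, for contrast with the UPDATE above."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # opcode 0, RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dissect(data):
    """Return the opcode of a DNS message plus, for UPDATE, the zone and the names being updated."""
    txid, flags, zocount, prcount, upcount, _adcount = struct.unpack("!HHHHHH", data[:12])
    opcode = (flags >> 11) & 0xF
    result = {"id": txid, "opcode": OPCODE_NAMES.get(opcode, str(opcode)), "zone": None, "updates": []}
    if opcode != 5:
        return result
    offset = 12
    if zocount:
        result["zone"], offset = decode_name(data, offset)
        offset += 4  # skip ZTYPE and ZCLASS
    # Prerequisite and Update sections are both lists of resource records.
    for section, count in (("prereq", prcount), ("updates", upcount)):
        for _ in range(count):
            name, offset = decode_name(data, offset)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10 + rdlen
            if section == "updates":
                result["updates"].append((name, TYPE_NAMES.get(rtype, str(rtype))))
    return result


LOG_RE = re.compile(r"unapproved update from\s*\[(?P<src>[\d.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def summarize_unapproved(lines):
    """Count rejected update attempts per (source, zone), honouring syslog repeat lines."""
    counts = Counter()
    last_key = None
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            last_key = (match.group("src"), match.group("zone"))
            counts[last_key] += 1
            continue
        repeat = REPEAT_RE.search(line)
        if repeat and last_key is not None:
            counts[last_key] += int(repeat.group("n"))
    return counts


# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for myzone.com",
    "Jan 28 05:57:09 ns last message repeated 2 times",
]

if __name__ == "__main__":
    print(dissect(build_update("myzone.com", "host.myzone.com", "192.168.0.4")))
    print(dissect(build_query("myzone.com")))
    print(summarize_unapproved(SAMPLE_LOG))
```

The opcode field alone separates an UPDATE from a normal query, which is the cheapest thing to match on in a packet rule; the zone and update sections tell you which zone a misconfigured client is trying to change. On the log side, a source that sends an update every few minutes for the length of a dialup session, as in Flynn's case, shows up as a steadily growing count for one (source, zone) pair rather than as a burst.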
Current thread:
- Re: DNS update queries: another sort of suspicious activity. Flynn, Harold M. III (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. H D Moore (Feb 10)
- <Possible follow-ups>
- Re: DNS update queries: another sort of suspicious activity. Rob Quinn (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. Kevin (Sparty) Broderick (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. Bill Royds (Feb 01)
- Re: DNS update queries: another sort of suspicious activity. Data_surge (Feb 03)