Security Incidents mailing list archives
Re: Strange DNS/TCP activity
From: technot () BERGEN CX (technot)
Date: Thu, 27 Jan 2000 18:23:20 +0100
> Our nameservers have been a subject of suspicious probes (?) aimed at TCP port 53 recently. Here is a genuine tcpdump transcript of one of the probes (line-wrapped for better readability):
>
> 19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain: S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887) (payload of 64 zeros)
> 19:50:23.087805 209.67.42.160.2901 > our.nameserver.domain: S 1535086518:1535086582(64) win 2048 (ttl 239, id 34386) (payload of 64 zeros)
> 19:50:23.087805 209.67.42.160.2902 > our.nameserver.domain: S 338360493:338360557(64) win 2048 (ttl 239, id 18215) (payload of 64 zeros)
>
> [ 209.67.42.160 opens three connections, sending 64 zero bytes in the SYN datagram?! ]
>
> 19:50:23.087805 our.nameserver.domain > 209.67.42.160.2900: S 4257621082:4257621082(0) ack 1514380993 win 32736 <mss 536> (ttl 63, id 15013)
> 19:50:23.087805 our.nameserver.domain > 209.67.42.160.2901: S 386430030:386430030(0) ack 1535086519 win 32736 <mss 536> (ttl 63, id 15014)
> 19:50:23.087805 our.nameserver.domain > 209.67.42.160.2902: S 3536506566:3536506566(0) ack 338360494 win 32736 <mss 536> (ttl 63, id 15015)
>
> [ the nameserver accepts these connections ]
>
> 19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1514380993:1514380993(0) win 0 (ttl 48, id 1612)
> 19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain: R 1535086519:1535086519(0) win 0 (ttl 48, id 1614)
> 19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain: R 338360494:338360494(0) win 0 (ttl 48, id 1616)
>
> [ 209.67.42.160 resets all connections ]
>
> 19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 29835)
> 19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 40424)
> 19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 4625)
>
> [ ...and it resets them again?! ]
>
> The client's IP address is changing. Today, I caught 200.211.187.195, 209.67.42.183, 209.67.42.150, 209.67.42.160, and 200.211.187.194. As far as I can tell, port numbers are always "round" numbers: 100x+0, 100x+1, and 100x+2. ISNs look random.
>
> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."
This looks to me like a simple bind attack/scan. There are some public exploits for bind 8.2 and 8.2.1 for linux / unix. Also I heard rumours of a bind 8.1.1 linux exploit but I have never actually seen one. There are some private scanners for scanning C class and B class for bind, giving out information like this:

- 207.139.235.214 2s csdepot.com 0 8.2 -

I did a simple C class scan on 207.139.235.* and 207.139.235.214 is exploitable using this bind exploit. If you don't run bind 8.2, 8.2.1 or 8.1.1(?) I wouldn't be worried.

- technot <technot () bergen cx>
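As an added example, not code from anyone in this thread: a small Python script that turns Pavel's three observations (SYNs to port 53 that carry data, source ports in a 100x+0, 100x+1, 100x+2 run, and two different TTLs on packets from the same address within the same second) into checks run over the quoted tcpdump lines. The sample is the transcript from the post, re-embedded here one packet per line without the poster's "(payload of 64 zeros)" annotations; the regex assumes the old tcpdump output format shown above, and the service-name-to-port map is the one entry the transcript needs.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines quoted in the post, one packet per line.
SAMPLE = """\
19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain: S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
19:50:23.087805 209.67.42.160.2901 > our.nameserver.domain: S 1535086518:1535086582(64) win 2048 (ttl 239, id 34386)
19:50:23.087805 209.67.42.160.2902 > our.nameserver.domain: S 338360493:338360557(64) win 2048 (ttl 239, id 18215)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2900: S 4257621082:4257621082(0) ack 1514380993 win 32736 <mss 536> (ttl 63, id 15013)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2901: S 386430030:386430030(0) ack 1535086519 win 32736 <mss 536> (ttl 63, id 15014)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2902: S 3536506566:3536506566(0) ack 338360494 win 32736 <mss 536> (ttl 63, id 15015)
19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1514380993:1514380993(0) win 0 (ttl 48, id 1612)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain: R 1535086519:1535086519(0) win 0 (ttl 48, id 1614)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain: R 338360494:338360494(0) win 0 (ttl 48, id 1616)
19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 29835)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 40424)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 4625)
"""

# Old tcpdump prints a service name instead of a port number when it knows one.
SERVICE_PORTS = {"domain": 53}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+) "
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)(?P<ack> ack \d+)? win (?P<win>\d+)"
    r".*\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)"
)


def split_endpoint(ep):
    """'209.67.42.160.2900' -> ('209.67.42.160', 2900); 'host.domain' -> ('host', 53)."""
    host, _, port = ep.rpartition(".")
    return host, int(port) if port.isdigit() else SERVICE_PORTS.get(port, -1)


def parse_line(line):
    """One tcpdump TCP line -> dict of the fields the checks need, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": m["flags"], "ack": m["ack"] is not None,
            "len": int(m["len"]), "ttl": int(m["ttl"])}


def analyse(text):
    """Return a list of finding tuples; the first element names the check that fired."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    findings = []
    syns = defaultdict(list)   # source address -> SYNs it sent to port 53
    ttls = defaultdict(set)    # source address -> TTLs seen on its packets

    for p in pkts:
        ttls[p["src"]].add(p["ttl"])
        if p["flags"] == "S" and not p["ack"] and p["dport"] == 53:
            syns[p["src"]].append(p)
            # A normal SYN carries no data; 64 bytes in the SYN is the oddity the post flags.
            if p["len"] > 0:
                findings.append(("syn-with-payload", p["src"], p["sport"], p["len"]))

    for src, ps in syns.items():
        ports = sorted({p["sport"] for p in ps})
        # The port pattern the poster observed: 100x+0, 100x+1, 100x+2 from one address.
        for i in range(len(ports) - 2):
            base = ports[i]
            if base % 100 == 0 and ports[i + 1:i + 3] == [base + 1, base + 2]:
                findings.append(("port-triplet", src, base))

    for src, seen in ttls.items():
        # Two TTLs from one address inside the same second means either two initial
        # TTLs (two stacks) or two paths; the post does not explain it, but note it.
        if len(seen) > 1:
            findings.append(("mixed-ttl", src, tuple(sorted(seen))))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(*f)
```

Run against the sample it reports three data-bearing SYNs from 209.67.42.160, the 2900/2901/2902 triplet, and TTLs 48 and 239 from that one address. Feed it `tcpdump -n -tttt` style output only after adjusting the regex; the format above is the 2000-era one from the post.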
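technot's reply says the scanners report a BIND version ("8.2" in the sample line) but not how they obtain it. The standard way to ask a BIND server for its version is a TXT query for version.bind in the CHAOS class; as an added example, not code from the thread and an assumption about what those private scanners did, here is a minimal query builder and reply parser in Python, exercised against a reply constructed in the block. It is an ordinary DNS query, unrelated to the data-bearing TCP SYNs in the transcript above.

```python
import os
import socket
import struct

TXT, CHAOS = 16, 3


def encode_name(name):
    """'version.bind' -> b'\\x07version\\x04bind\\x00' (wire-format labels)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_version_query(txid):
    """DNS query: one question, version.bind, class CH, type TXT, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", TXT, CHAOS)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name starting at buf[off]."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1 + n


def parse_version_reply(reply, txid):
    """Return the text of the first CH TXT answer, or None if the server gave nothing usable."""
    if len(reply) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    # Wrong ID, not a response, or non-zero RCODE (REFUSED, NXDOMAIN, ...): nothing to read.
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(reply, off) + 4          # name, then QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        rdata = reply[off:off + rdlen]
        off += rdlen
        if rtype == TXT and rclass == CHAOS:
            strings, p = [], 0
            while p < len(rdata):                 # TXT RDATA is a sequence of <len><bytes>
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode("latin-1"))
                p += 1 + n
            return " ".join(strings)
    return None


def make_reply(txid, version, rcode=0):
    """Constructed reply for testing: echoes the question and answers with one CH TXT record."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    question = build_version_query(txid)[12:]
    txt = bytes([len(version)]) + version.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, CHAOS, 0, len(txt)) + txt
    return header + question + (b"" if rcode else answer)


def fetch_version(host, timeout=2.0):
    """Live version grab over UDP/53; only point it at servers you are authorised to test."""
    txid = int.from_bytes(os.urandom(2), "big")   # random ID so a stray reply is not accepted
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_version_query(txid), (host, 53))
        data, _ = s.recvfrom(512)
    except OSError:
        return None
    finally:
        s.close()
    return parse_version_reply(data, txid)
```

A server that hides its version (in BIND, the `version` option in `options { }`) answers with whatever string the operator configured, or refuses the query, so a `None` here does not mean the host is not running BIND.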