Security Incidents mailing list archives

Re: Strange DNS/TCP activity


From: paitroy () THALIA MARLBOROUGH LA CA US (Roy Pait)
Date: Thu, 27 Jan 2000 12:52:19 -0800


On 27 Jan 00, at 11:15, Asmodeus wrote:
Our nameservers have been a subject of suspicious probes (?) aimed at TCP
port 53 recently. Here is a genuine tcpdump transcript of one of the
probes (line-wrapped for better readability):
<snip>
 A server I administrate has received the same probes for months now.
Always from 3 increasing ports, the first port number is always rounded to
the nearest hundred (as in 2900,2901,2902; 2800,2801,2802, etc.)

 There seem to be a number of machines in a single class C which are doing
it, and several which are from other IP blocks.

Reading through Howard Kash's piece points to the same
symptom - read http://www.sans.org/y2k/DNS.htm
About half way through he talks about the ports being incremented
by 100 and three consecutive port IDs.

|Roy Pait              Internet: paitroy () marlborough la ca us|
|Network Administrator  Ph: (213)935-1147  FAX: (213)933-0542|
|Marlborough School 250 S. Rossmore Ave Los Angeles, CA 90004|
|http://www.marlborough.la.ca.us                             |
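As an added example (not part of this thread or of Roy's message), the following Python script scans tcpdump-style lines for the pattern described above: a source that hits TCP port 53 from three consecutive source ports whose first port is a multiple of 100. The log lines are constructed for illustration, not the transcript snipped from Asmodeus' post.

```python
import re
from collections import defaultdict

# Constructed sample lines in tcpdump's classic "src.port > dst.port:" form.
# They are illustrative only; the real transcript was snipped from the post.
SAMPLE_LOG = """\
12:01:03.117 10.1.2.3.2900 > 192.0.2.10.53: S 1:1(0) win 8192
12:01:03.119 10.1.2.3.2901 > 192.0.2.10.53: S 2:2(0) win 8192
12:01:03.121 10.1.2.3.2902 > 192.0.2.10.53: S 3:3(0) win 8192
12:01:07.402 10.1.2.3.2903 > 192.0.2.10.53: S 4:4(0) win 8192
12:02:10.005 198.51.100.7.40311 > 192.0.2.10.53: S 9:9(0) win 16384
12:03:00.001 10.1.2.4.2800 > 192.0.2.10.53: S 5:5(0) win 8192
12:03:00.002 10.1.2.4.2801 > 192.0.2.10.53: S 6:6(0) win 8192
12:03:00.003 10.1.2.4.2802 > 192.0.2.10.25: S 7:7(0) win 8192
"""

# Timestamp, then "srcIP.srcPort > dstIP.dstPort:" (IPv4 only, as in the 2000-era output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_tcpdump(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def find_probe_triplets(text, dst_port=53):
    """Return {src_ip: [base_port, ...]} for sources that reached dst_port from
    base, base+1 and base+2, where base is a multiple of 100 (2900, 2800, ...)."""
    ports_by_src = defaultdict(set)
    for src, sport, _dst, dport in parse_tcpdump(text):
        if dport == dst_port:
            ports_by_src[src].add(sport)
    hits = {}
    for src, ports in ports_by_src.items():
        # A base qualifies only if the two following ports also hit the DNS port.
        bases = sorted(p for p in ports if p % 100 == 0 and {p + 1, p + 2} <= ports)
        if bases:
            hits[src] = bases
    return hits

if __name__ == "__main__":
    for src, bases in find_probe_triplets(SAMPLE_LOG).items():
        print(f"{src}: probe triplet(s) starting at {bases}")
```

In the sample, 10.1.2.4 is not reported because its third port (2802) went to port 25, not 53, so the rule is specific to the DNS-port pattern rather than any run of consecutive source ports.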

