Security Incidents mailing list archives

Re: Microsoft version.binding us now?


From: jessen () NIC BR (Klaus Steding-Jessen)
Date: Tue, 30 May 2000 12:18:14 -0300


on Friday, 26 May 2000 19:11:36, Bill Marquette wrote:
| I've seen the following scan on some servers I admin for the last few days
| from not only 207.46.106.84 but also a couple other systems in that /24
| address space.  So far I've seen the version.bind hits about 50 times.  The
| really weird thing is:
|
| we have two connections to the 'net
| our dns servers are split across the connections
| it's not a browser on the internal side triggering it as they're round
| robined via squid out the two connections
| ALL the attempts are to the same server.
|
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security:
| notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"

Same thing here, from 207.46.106.75, 207.46.106.77 and 207.46.106.84:

May 25 16:16:27 foo named[39069]: unapproved query from [207.46.106.75].45294 for "VERSION.BIND"
May 25 16:43:40 foo named[39069]: unapproved query from [207.46.106.77].50702 for "VERSION.BIND"
May 25 17:37:08 foo named[39069]: unapproved query from [207.46.106.84].49823 for "VERSION.BIND"
May 25 17:38:30 foo named[39069]: unapproved query from [207.46.106.84].51197 for "VERSION.BIND"
May 25 17:41:30 foo named[39069]: unapproved query from [207.46.106.84].54255 for "VERSION.BIND"
May 25 18:29:57 foo named[39069]: unapproved query from [207.46.106.84].44706 for "VERSION.BIND"

The reply from infosec () microsoft com:

From: ITG Information Security Center <infosec () microsoft com>
Sender: Greg Galford <ggalford () microsoft com>
Subject: FW: SECURITY: Hacking activity from your domain
Date: Fri, 26 May 2000 07:31:42 -0700
X-Mailer: Internet Mail Service (5.5.2651.58)


Hi, these packets you are seeing are not probes, but are coming from
an F5 networks product, 3dns (see:
http://www.f5.com/3dns/index.html).

[snip]

Hard to believe that 3dns is using version.bind probes to collect RTT
information.  Can anyone confirm this?

Klaus.
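To turn notices like the ones quoted above into a per-source tally, here is an added Python example (written for this archive page; it is not code from the thread, from BIND or from F5). It parses both BIND 8 log layouts shown in the thread, treats lines with the same source address, source port and second as retransmissions of one query (an assumption that fits the three lines 1 ms apart in Bill's log), and counts attempts per address and per /24 so that a burst from a single netblock stands out.

```python
import re
from collections import Counter
from ipaddress import ip_network

# The ten named notices quoted in the thread, reused here as sample input.
SAMPLE_LOG = """\
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"
May 25 16:16:27 foo named[39069]: unapproved query from [207.46.106.75].45294 for "VERSION.BIND"
May 25 16:43:40 foo named[39069]: unapproved query from [207.46.106.77].50702 for "VERSION.BIND"
May 25 17:37:08 foo named[39069]: unapproved query from [207.46.106.84].49823 for "VERSION.BIND"
May 25 17:38:30 foo named[39069]: unapproved query from [207.46.106.84].51197 for "VERSION.BIND"
May 25 17:41:30 foo named[39069]: unapproved query from [207.46.106.84].54255 for "VERSION.BIND"
May 25 18:29:57 foo named[39069]: unapproved query from [207.46.106.84].44706 for "VERSION.BIND"
""".splitlines()

# BIND 8 "unapproved query" notice, with or without the "security: notice:" prefix.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]:.*?'
    r'unapproved query from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]+)"'
)

def parse_line(line):
    """Return the fields of one notice, or None for any other log line."""
    m = LINE_RE.search(line)
    return dict(m.groupdict(), port=int(m["port"])) if m else None

def summarize(lines, qname="VERSION.BIND"):
    """Count query attempts per source IP and per /24; the same source, port
    and second is assumed to be a retransmission and is counted once."""
    seen, per_ip, per_net = set(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qname"].upper() != qname:
            continue
        key = (rec["ip"], rec["port"], rec["ts"])
        if key in seen:
            continue
        seen.add(key)
        per_ip[rec["ip"]] += 1
        per_net[str(ip_network(rec["ip"] + "/24", strict=False))] += 1
    return {"per_ip": dict(per_ip), "per_net": dict(per_net)}

def noisy_sources(lines, threshold=3):
    """Source IPs with at least `threshold` attempts, busiest first."""
    per_ip = summarize(lines)["per_ip"]
    return sorted((ip for ip, n in per_ip.items() if n >= threshold), key=per_ip.get, reverse=True)
```

On the thread's lines this reports 207.46.106.84 with six attempts and the whole 207.46.106.0/24 with eight, which is the kind of per-netblock count that makes a load-balancer health check look different from a scan of many unrelated hosts.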