Security Incidents mailing list archives

Remote DNS update attempts


From: kaos () OCS COM AU (Keith Owens)
Date: Wed, 17 May 2000 22:08:06 +1000


Found this in my firewall logs, along with a lot of attempts from the
same IP address to access DNS over TCP.  The updates were rejected by
BIND but even the attempt is worrying.  203.76.2.160 is
m160.dialup.ix.net.au.

If I understand RFC 2136 correctly, this one tried to add
abraham.ocs.com.au as a CNAME with an IP address of 203.76.2.160
(m160.dialup).

2000/05/17-03:08:17.088667 203.76.2.160.1981 > 203.34.97.9.53: 52 op5 [2a] SOA? ocs.com.au. (74)
        E. .f .( .. t. uF .L ..  4500 0066 d728 0000 7411 7546 cb4c 02a0
        ." a. .. .5 .R w. .4 (.  cb22 6109 07bd 0035 0052 771d 0034 2800
        .. .. .. .. .o cs .c om  0001 0002 0000 0000 036f 6373 0363 6f6d
        .a u. .. .. .a br ah am  0261 7500 0006 0001 0761 6272 6168 616d
        .o cs .c om .a u. .. ..  036f 6373 0363 6f6d 0261 7500 0005 00fe
        .. .. .. .. .. .. .. ..  0000 0000 0000 c01c 0001 0001 0000 0000
        .. .L ..                 0004 cb4c 02a0

This one tried to add a hostname of ocs.com.au with an IP address of
203.76.2.160.

2000/05/17-03:13:15.806955 203.76.2.160.2009 > 203.34.97.9.53: 348 op5 [1n] SOA? ocs.com.au. (54)
        E. .R .. .. t. p. .L ..  4500 0052 db9a 0000 7411 70e8 cb4c 02a0
        ." a. .. .5 .> as .\ (.  cb22 6109 07d9 0035 003e 6173 015c 2800
        .. .. .. .. .o cs .c om  0001 0000 0001 0000 036f 6373 0363 6f6d
        .a u. .. .. .o cs .c om  0261 7500 0006 0001 036f 6373 0363 6f6d
        .a u. .. .. .. .X .. .L  0261 7500 0001 0001 0000 0258 0004 cb4c
        ..                       02a0

Tried to add a hostname of gc._msd.ocs.com.au with an IP address of
203.76.2.160.

2000/05/17-03:14:25.489638 203.76.2.160.2019 > 203.34.97.9.53: 355 op5 [1n] SOA? ocs.com.au. (64)
        E. .\ .z .. t. o. .L ..  4500 005c dc7a 0000 7411 6ffe cb4c 02a0
        ." a. .. .5 .H .. .c (.  cb22 6109 07e3 0035 0048 c59b 0163 2800
        .. .. .. .. .o cs .c om  0001 0000 0001 0000 036f 6373 0363 6f6d
        .a u. .. .. .g c. _m sd  0261 7500 0006 0001 0267 6306 5f6d 7364
        cs .o cs .c om .a u. ..  6373 036f 6373 0363 6f6d 0261 7500 0001
        .. .. .X .. .L ..        0001 0000 0258 0004 cb4c 02a0

That last hostname (gc._msd.ocs.com.au) could indicate that
203.76.2.160 is just a Windoze box trying to autoregister itself.  But
it does not fit with the earlier update attempts.
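Added example, not part of Keith Owens's post: a small Python decoder for the three hexdumps above. It walks the IPv4 and UDP headers, then the DNS header, and splits the message into the zone, prerequisite and update sections that RFC 2136 defines, labelling each record by the class/type rules in sections 2.4 and 2.5 of that RFC (class NONE and ANY mean different things in the two sections). The packet bytes are the hex columns copied from the post, nothing else is assumed; running it reports which section each record of the three packets lands in, and it checks that the parse consumes the whole message.

```python
"""Decoder for the IPv4/UDP/DNS UPDATE packets quoted in the post above.

Added example, not part of the original message.  The three hexdumps are the
bytes printed in the post; section semantics follow RFC 2136 sections 2.3-2.5.
"""
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 255: "ANY"}
CLASSES = {1: "IN", 254: "NONE", 255: "ANY"}
OPCODES = {0: "QUERY", 5: "UPDATE"}

# Hex columns of the three packets exactly as printed in the post (printable columns dropped).
PKT1 = ("4500 0066 d728 0000 7411 7546 cb4c 02a0 cb22 6109 07bd 0035 0052 771d 0034 2800 "
        "0001 0002 0000 0000 036f 6373 0363 6f6d 0261 7500 0006 0001 0761 6272 6168 616d "
        "036f 6373 0363 6f6d 0261 7500 0005 00fe 0000 0000 0000 c01c 0001 0001 0000 0000 "
        "0004 cb4c 02a0")
PKT2 = ("4500 0052 db9a 0000 7411 70e8 cb4c 02a0 cb22 6109 07d9 0035 003e 6173 015c 2800 "
        "0001 0000 0001 0000 036f 6373 0363 6f6d 0261 7500 0006 0001 036f 6373 0363 6f6d "
        "0261 7500 0001 0001 0000 0258 0004 cb4c 02a0")
PKT3 = ("4500 005c dc7a 0000 7411 6ffe cb4c 02a0 cb22 6109 07e3 0035 0048 c59b 0163 2800 "
        "0001 0000 0001 0000 036f 6373 0363 6f6d 0261 7500 0006 0001 0267 6306 5f6d 7364 "
        "6373 036f 6373 0363 6f6d 0261 7500 0001 0001 0000 0258 0004 cb4c 02a0")


def read_name(msg, off):
    """Return (dotted name, offset after the name); follows RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = off + 2                          # the pointer is the last thing consumed here
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def read_rr(msg, off):
    """Parse one resource record in wire format; A rdata is rendered as a dotted quad."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    rdata = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
    return {"name": name, "type": TYPES.get(rtype, rtype),
            "class": CLASSES.get(rclass, rclass), "ttl": ttl, "rdata": rdata}, off + rdlen


def prereq_meaning(rr):
    """RFC 2136 2.4: class and type of a prerequisite RR encode the condition being tested."""
    if rr["class"] == "ANY":
        return "name is in use" if rr["type"] == "ANY" else "RRset exists (value independent)"
    if rr["class"] == "NONE":
        return "name is not in use" if rr["type"] == "ANY" else "RRset does not exist"
    return "RRset exists (value dependent)"


def update_meaning(rr):
    """RFC 2136 2.5: class IN adds, class ANY deletes an RRset or name, class NONE deletes one RR."""
    if rr["class"] == "ANY":
        return "delete all RRsets at name" if rr["type"] == "ANY" else "delete RRset"
    return "delete RR" if rr["class"] == "NONE" else "add RR"


def decode_update(hexdump):
    """Decode IPv4 + UDP + DNS and return the zone, prerequisite and update sections."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not a UDP datagram")
    sport, dport, ulen = struct.unpack_from("!HHH", pkt, ihl)
    msg = pkt[ihl + 8: ihl + ulen]                     # DNS message is the UDP payload
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack_from("!6H", msg, 0)
    out = {"src": ".".join(map(str, pkt[12:16])), "sport": sport, "dport": dport,
           "id": msg_id, "opcode": OPCODES.get(flags >> 11 & 0xF, flags >> 11 & 0xF),
           "zone": None, "prereqs": [], "updates": [], "adcount": adcount}
    off = 12
    for _ in range(zocount):                           # zone section: name, type (SOA), class
        name, off = read_name(msg, off)
        ztype, zclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out["zone"] = (name, TYPES.get(ztype, ztype), CLASSES.get(zclass, zclass))
    for _ in range(prcount):                           # prerequisite section (tcpdump's "answer" count)
        rr, off = read_rr(msg, off)
        out["prereqs"].append((rr["name"], rr["type"], rr["class"], rr["rdata"], prereq_meaning(rr)))
    for _ in range(upcount):                           # update section (tcpdump's "authority" count)
        rr, off = read_rr(msg, off)
        out["updates"].append((rr["name"], rr["type"], rr["class"], rr["ttl"], rr["rdata"], update_meaning(rr)))
    # Additional section (where a TSIG would sit) is not decoded; it is empty in all three packets,
    # so a correct parse must have consumed exactly the whole message.
    if adcount == 0 and off != len(msg):
        raise ValueError("parse did not consume the whole DNS message")
    return out


if __name__ == "__main__":
    for label, hx in (("pkt1", PKT1), ("pkt2", PKT2), ("pkt3", PKT3)):
        d = decode_update(hx)
        print(label, d["src"], "id=%d" % d["id"], d["opcode"], "zone=%s %s %s" % d["zone"])
        for p in d["prereqs"]:
            print("  prereq:", p)
        for u in d["updates"]:
            print("  update:", u)
```

The header counts are the part worth reading first: tcpdump's `[2a]` and `[1n]` are the prerequisite and update counts of an UPDATE message, since RFC 2136 reuses the answer and authority fields for them.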

