Security Incidents mailing list archives
Re: unapproved update from [166.93.60.5].61946
From: Suzanne.Hernandez () GUNTER AF MIL (Suzanne.Hernandez () GUNTER AF MIL)
Date: Fri, 19 May 2000 13:21:07 -0500
This is called nsupdate and is a "feature" of DNS. These are attempts to remotely add or remove records from the DNS cache on the primary DNS server for your domain. This "feature" uses udp/53, so unfortunately there is one and only one place to protect yourself, and that is in your DNS config itself. The feature is turned off by default and has to be specifically turned on with allow-update to work. Obviously yours is turned off. However, from what I've seen, the feature will have to be turned on for a Windows 2000 machine to automatically register itself with your DNS server. Also for DHCP. So if you turn it on, turn it on with care, from only your network, and make sure you have spoofing ACLs in your router.

We have also seen many of these; in 3 months, about 350 attempts from places like Singapore, Israel, Italy, etc. We have also seen attempts from 3rd level domains off our 2nd level domain that we run. In other words, a user has a Windows 2000 machine, his domain is domain.mydomain.com. He accidentally puts in misspelleddomain.mydomain.com, and when his 2000 machine tries to register with the DNS server for misspelleddomain.mydomain.com, it sees there is no domain by that name and instead goes to the mydomain.com primary DNS server. One can set this up to use only tcp 53 instead, and that would be the way to go.

I did a test and was able (using this feature) to redirect all my mail to a new Exchange server (i.e. the hacker's Exchange server), tell the hacker's Exchange server to resend the email back to the intended mail server, but make a copy of each email, thereby hijacking all of a site's email and having access to it without the site even being aware of this. The other concern is that nsupdate can send a time to live, so the new email record has a 100 year time to live, and by the time the site realizes the problem and deletes the record from its cache, it's now cached on DNS servers throughout the world for 100 years (or until a reboot).

Suzi Hernandez
-----Original Message-----
From: James Ankenbrandt [SMTP:anken () IX NETCOM COM]
Sent: Wednesday, May 17, 2000 2:50 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: unapproved update from [166.93.60.5].61946

I have been getting these for several days:

May 17 14:17:17 mail named[69]: unapproved update from [166.93.60.5].61946 for [mydomain deleted].com

What would anyone suggest? I *assume* they are hostile, but what to do? As a relative newbie I would be grateful for suggestions and/or pointers in the correct direction.

Jim
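As an added illustration of the detection side of this thread (example code, not from either poster): a small Python parser over constructed named log lines in the format Jim quoted, counting "unapproved update" attempts per source and zone and separating sources inside the organization's own address space (likely misconfigured clients registering into the wrong zone, as Suzi describes) from external ones. The sample log lines and the internal network range are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample named syslog lines, in the format quoted in the thread.
SAMPLE_LOG = """\
May 17 14:17:17 mail named[69]: unapproved update from [166.93.60.5].61946 for example.com
May 17 14:17:19 mail named[69]: unapproved update from [166.93.60.5].61947 for example.com
May 17 15:02:01 mail named[69]: unapproved update from [10.1.4.22].1037 for example.com
May 17 15:02:05 mail named[69]: lame server resolving 'foo.example.net' (in 'example.net'?)
May 17 16:10:44 mail named[69]: unapproved update from [203.0.113.9].2048 for example.com
"""

# Assumed: the organization's own address space. Internal hits are most likely
# misconfigured clients (a host registering into the wrong zone); external hits
# are unsolicited update attempts to keep out via allow-update and router ACLs.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

UPDATE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) named\[\d+\]: "
    r"unapproved update from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)$"
)

def parse_unapproved_updates(log_text):
    """Return one dict per 'unapproved update' line; other named messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            d = m.groupdict()
            d["internal"] = any(ipaddress.ip_address(d["src"]) in n for n in INTERNAL_NETS)
            events.append(d)
    return events

def summarize(events):
    """Count attempts per (source, zone), split into internal and external sources."""
    summary = {"internal": Counter(), "external": Counter()}
    for e in events:
        key = "internal" if e["internal"] else "external"
        summary[key][(e["src"], e["zone"])] += 1
    return summary

if __name__ == "__main__":
    for label, counts in summarize(parse_unapproved_updates(SAMPLE_LOG)).items():
        for (src, zone), n in counts.most_common():
            print(f"{label:8} {src:15} {zone:15} {n} attempt(s)")
```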