Security Incidents mailing list archives

Unwanted DNS connection attempts


From: razor () LDC RO
Date: Tue, 5 Sep 2000 15:51:36 +0300

I have a nameserver that also acts as a gateway, and I see these weird
scans.  They seem to have started yesterday, but the thing I do not
understand is why they are directed to the external interface, on
which I have no name service.

Is there a new named exploit around, or at least can I find out who
(errantly) is listing my other IP as a nameserver (I already checked
the zones I serve, they are ok, with the internal address only).

They are both UDP and TCP, so I also suspect zone transfer attempts.

Here are the logs, times GMT+0300, ntp stratum 3 synchronised:

Sep  4 20:00:11 ns ipmon[254]: 20:00:10.664287 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:13:32 ns ipmon[254]: 20:13:32.402648 ed0 @0:20 b 209.67.42.162,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:13:32 ns ipmon[254]: 20:13:32.404608 ed0 @0:20 b 209.67.42.162,2201 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:13:32 ns ipmon[254]: 20:13:32.405572 ed0 @0:20 b 209.67.42.162,2202 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:22:42 ns ipmon[254]: 20:22:41.308808 ed0 @0:20 b 209.67.42.162,2100 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:22:42 ns ipmon[254]: 20:22:41.309599 ed0 @0:20 b 209.67.42.162,2101 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:27:37 ns ipmon[254]: 20:27:37.283549 ed0 @0:20 b 209.67.42.162,3700 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:27:37 ns ipmon[254]: 20:27:37.284494 ed0 @0:20 b 209.67.42.162,3701 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:27:37 ns ipmon[254]: 20:27:37.287349 ed0 @0:20 b 209.67.42.162,3702 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 23:02:57 ns ipmon[254]: 23:02:57.236694 ed0 @0:20 b 209.67.42.148,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 23:02:57 ns ipmon[254]: 23:02:57.237677 ed0 @0:20 b 209.67.42.148,3401 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 23:02:57 ns ipmon[254]: 23:02:57.239133 ed0 @0:20 b 209.67.42.148,3402 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 23:08:26 ns ipmon[254]: 23:08:26.009267 ed0 @0:20 b 209.67.42.148,3900 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 23:08:26 ns ipmon[254]: 23:08:26.010101 ed0 @0:20 b 209.67.42.148,3901 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 23:13:09 ns ipmon[254]: 23:13:09.194474 ed0 @0:20 b 209.67.42.148,2400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 23:13:09 ns ipmon[254]: 23:13:09.195349 ed0 @0:20 b 209.67.42.148,2401 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:12:59 ns ipmon[254]: 02:12:59.833304 ed0 @0:20 b 200.211.187.195,2100 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:12:59 ns ipmon[254]: 02:12:59.836171 ed0 @0:20 b 200.211.187.195,2101 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:12:59 ns ipmon[254]: 02:12:59.837007 ed0 @0:20 b 200.211.187.195,2102 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:18:24 ns ipmon[254]: 02:18:24.144985 ed0 @0:20 b 200.211.187.195,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:18:24 ns ipmon[254]: 02:18:24.145825 ed0 @0:20 b 200.211.187.195,2201 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:30:32 ns ipmon[254]: 02:30:31.409357 ed0 @0:20 b 200.211.187.195,3900 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:30:32 ns ipmon[254]: 02:30:31.410170 ed0 @0:20 b 200.211.187.195,3901 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:36:30 ns ipmon[254]: 02:36:30.139914 ed0 @0:20 b 200.211.187.254,3900 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:36:30 ns ipmon[254]: 02:36:30.140742 ed0 @0:20 b 200.211.187.254,3901 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:41:25 ns ipmon[254]: 02:41:25.788147 ed0 @0:20 b 200.211.187.254,4000 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:41:25 ns ipmon[254]: 02:41:25.789028 ed0 @0:20 b 200.211.187.254,4001 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:44:55 ns ipmon[254]: 02:44:55.372705 ed0 @0:20 b 200.211.187.254,4100 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:44:55 ns ipmon[254]: 02:44:55.373506 ed0 @0:20 b 200.211.187.254,4101 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:52:48 ns ipmon[254]: 02:52:48.572305 ed0 @0:20 b 209.67.42.160,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 02:52:48 ns ipmon[254]: 02:52:48.573055 ed0 @0:20 b 209.67.42.160,2201 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 05:30:09 ns ipmon[254]: 05:30:08.661938 ed0 @0:20 b 200.211.187.194,2000 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 05:30:09 ns ipmon[254]: 05:30:08.662747 ed0 @0:20 b 200.211.187.194,2001 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 05:41:06 ns ipmon[254]: 05:41:05.182220 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 05:41:06 ns ipmon[254]: 05:41:05.182986 ed0 @0:20 b 200.211.187.194,3401 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 05:41:06 ns ipmon[254]: 05:41:05.184420 ed0 @0:20 b 200.211.187.194,3402 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 09:03:22 ns ipmon[254]: 09:03:22.004525 ed0 @0:22 b 200.211.187.195,3200 -> 192.129.3.227,53 PR udp len 20 16384 IN
Sep  5 09:03:22 ns ipmon[254]: 09:03:22.005379 ed0 @0:22 b 200.211.187.195,3201 -> 192.129.3.227,53 PR udp len 20 16384 IN
Sep  5 09:32:29 ns ipmon[254]: 09:32:28.663847 ed0 @0:22 b 209.67.42.163,3500 -> 192.129.3.227,53 PR udp len 20 16384 IN
Sep  5 09:32:29 ns ipmon[254]: 09:32:28.668308 ed0 @0:22 b 209.67.42.163,3501 -> 192.129.3.227,53 PR udp len 20 16384 IN
Sep  5 09:32:29 ns ipmon[254]: 09:32:28.674174 ed0 @0:22 b 209.67.42.163,3502 -> 192.129.3.227,53 PR udp len 20 16384 IN
Sep  5 09:32:34 ns ipmon[254]: 09:32:34.027405 ed0 @0:20 b 209.67.42.163,3500 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 09:32:34 ns ipmon[254]: 09:32:34.028562 ed0 @0:20 b 209.67.42.163,3501 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 12:11:37 ns ipmon[254]: 12:11:37.325192 ed0 @0:20 b 209.67.42.160,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 12:11:37 ns ipmon[254]: 12:11:37.326044 ed0 @0:20 b 209.67.42.160,2201 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 12:11:37 ns ipmon[254]: 12:11:37.329478 ed0 @0:20 b 209.67.42.160,2202 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor () ldc ro|                   -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
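An added example, not part of the post above: a small Python parser for the ipmon lines of the kind quoted in it, which groups the blocked port-53 hits per source address, flags sources that try both TCP and UDP (the pattern the poster reads as possible zone-transfer attempts), and counts consecutive source ports inside a burst. The embedded log sample is constructed from a few of the quoted lines; the rule numbers and interface name are taken from them and are not otherwise significant.

```python
import re
from collections import defaultdict

# ipmon (IP Filter) line as it appears in the post:
# "<mon> <day> <hh:mm:ss> <host> ipmon[pid]: <ts> <if> @<grp>:<rule> <b|p>
#  <src>,<sport> -> <dst>,<dport> PR <proto> len <hdrlen> <len> [flags] <IN|OUT>"
IPMON_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ ipmon\[\d+\]: \S+ "
    r"(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+\s*(?P<flags>-\S+)?\s*(?P<dir>IN|OUT)$"
)

# Constructed sample, modelled on lines from the post (not the full log).
SAMPLE_LOG = """\
Sep  4 20:13:32 ns ipmon[254]: 20:13:32.402648 ed0 @0:20 b 209.67.42.162,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:13:32 ns ipmon[254]: 20:13:32.404608 ed0 @0:20 b 209.67.42.162,2201 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:13:32 ns ipmon[254]: 20:13:32.405572 ed0 @0:20 b 209.67.42.162,2202 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  5 09:03:22 ns ipmon[254]: 09:03:22.004525 ed0 @0:22 b 200.211.187.195,3200 -> 192.129.3.227,53 PR udp len 20 16384 IN
Sep  5 09:03:22 ns ipmon[254]: 09:03:22.005379 ed0 @0:22 b 200.211.187.195,3201 -> 192.129.3.227,53 PR udp len 20 16384 IN
Sep  5 09:32:29 ns ipmon[254]: 09:32:28.663847 ed0 @0:22 b 209.67.42.163,3500 -> 192.129.3.227,53 PR udp len 20 16384 IN
Sep  5 09:32:34 ns ipmon[254]: 09:32:34.027405 ed0 @0:20 b 209.67.42.163,3500 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
"""

def parse_ipmon(text):
    """Yield one dict per line that matches the ipmon format; other lines are skipped."""
    for line in text.splitlines():
        m = IPMON_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize_port53(text, dst_port="53"):
    """Per source IP: protocols seen, blocked count, TCP+UDP flag, consecutive source ports."""
    per_src = defaultdict(lambda: {"protos": set(), "blocked": 0, "sports": set()})
    for rec in parse_ipmon(text):
        if rec["dport"] != dst_port:
            continue
        s = per_src[rec["src"]]
        s["protos"].add(rec["proto"])
        if rec["action"] == "b":
            s["blocked"] += 1
        s["sports"].add(int(rec["sport"]))
    out = {}
    for src, s in per_src.items():
        sp = sorted(s["sports"])
        # adjacent source ports (2200, 2201, 2202) hint at a multi-socket client or scanner
        seq = sum(1 for a, b in zip(sp, sp[1:]) if b == a + 1)
        out[src] = {"protos": sorted(s["protos"]), "blocked": s["blocked"],
                    "both_tcp_udp": {"tcp", "udp"} <= s["protos"], "sequential_pairs": seq}
    return out

if __name__ == "__main__":
    for src, info in sorted(summarize_port53(SAMPLE_LOG).items()):
        print(src, info)
```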
