Security Incidents mailing list archives

Re: version.bind request

From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 30 May 2001 16:02:25 +1200 (NZST)


On Tue, 29 May 2001 16:34:51 -0400 "Portnoy, Gary" 
<gportnoy () belenosinc com> wrote:

Greetings.

I have Snort configured to alert on version.bind queries and the following
is what i've been seeing.
In the last week, I've seen about 10 version.bind queries to seemingly
random IP's on my subnet.


I got so fed up with these a couple of weeks ago that I commented out 
the snort rule.  I assume these are yet another worm doing random 
probing, I'm currently seeing about 120 machine probing random addresses
on our network with udp-53 (yes, they are the same as the ones you 
list).

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

Current thread:

version.bind request Portnoy, Gary (May 29)
- Re: version.bind request Russell Fulton (May 30)
- <Possible follow-ups>
- RE: version.bind request Jeff Calvert (May 30)