Security Incidents mailing list archives
Re: Strange DNS/TCP activity
From: paitroy () THALIA MARLBOROUGH LA CA US (Roy Pait)
Date: Thu, 27 Jan 2000 12:52:19 -0800
On 27 Jan 00, at 11:15, Asmodeus wrote:
Our nameservers have been a subject of suspicious probes (?) aimed at TCP port 53 recently. Here is a genuine tcpdump transcript of one of the probes (line-wrapped for better readability):

<snip>

A server I administrate has received the same probes for months now. Always from 3 increasing ports; the first port number is always rounded to the nearest hundred (as in 2900,2901,2902; 2800,2801,2802, etc.). There seem to be a number of machines in a single class C which are doing it, and several which are from other IP blocks.

Reading through Howard Kash's piece points to the same symptom - read http://www.sans.org/y2k/DNS.htm
About halfway through he talks about the ports being incremented by 100 and three consecutive port IDs.

|Roy Pait Internet: paitroy () marlborough la ca us|
|Network Administrator Ph: (213)935-1147 FAX: (213)933-0542|
|Marlborough School 250 S. Rossmore Ave Los Angeles, CA 90004|
|http://www.marlborough.la.ca.us |
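
The pattern reported in this message (TCP probes to port 53 from three consecutive source ports, the first a multiple of 100) can be searched for in tcpdump text output. This is an added example, not part of the original message: the log lines are constructed, and the function name, the tcpdump line layout and the restriction to SYN packets are assumptions.

```python
import re
from collections import defaultdict

# Matches "src.port > dst.port:" followed by a SYN marker, in either the
# older ("S ") or newer ("Flags [S]") tcpdump text layout (IPv4 only).
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?:S |Flags \[S\])"
)

# Constructed sample capture (documentation address ranges), not from the thread.
SAMPLE = """\
12:40:01.100000 198.51.100.7.2900 > 192.0.2.53.53: S 1000:1000(0) win 2048
12:40:01.100400 198.51.100.7.2901 > 192.0.2.53.53: S 1001:1001(0) win 2048
12:40:01.100800 198.51.100.7.2902 > 192.0.2.53.53: S 1002:1002(0) win 2048
12:41:10.000000 198.51.100.9.2800 > 192.0.2.53.53: S 2000:2000(0) win 2048
12:41:10.000500 198.51.100.9.2801 > 192.0.2.53.53: S 2001:2001(0) win 2048
12:41:10.000900 198.51.100.9.2802 > 192.0.2.53.53: S 2002:2002(0) win 2048
12:42:30.000000 203.0.113.20.41873 > 192.0.2.53.53: S 3000:3000(0) win 8192
12:43:00.000000 203.0.113.21.3100 > 192.0.2.53.53: S 4000:4000(0) win 8192
12:43:05.000000 203.0.113.21.3101 > 192.0.2.80.80: S 4001:4001(0) win 8192
"""

def find_probe_triples(capture, dport=53, run=3, step=100):
    """Return sorted (src, dst, base_port) where src sent SYNs to dst:dport
    from base, base+1, ... base+run-1 and base is a multiple of `step`."""
    seen = defaultdict(set)  # (src, dst) -> source ports used against dport
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["dport"]) == dport:
            seen[(m["src"], m["dst"])].add(int(m["sport"]))
    hits = []
    for (src, dst), ports in seen.items():
        for base in ports:
            if base % step == 0 and all(base + i in ports for i in range(run)):
                hits.append((src, dst, base))
    return sorted(hits)

if __name__ == "__main__":
    for src, dst, base in find_probe_triples(SAMPLE):
        print(f"{src} -> {dst}:53 source ports {base}-{base + 2}")
```

Grouping by source and destination rather than by time window keeps the check simple; on a long capture, adding a time bound would reduce chance matches from busy resolvers.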