Security Incidents mailing list archives
Re: Microsoft version.binding us now?
From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Thu, 22 Jun 2000 23:13:21 -0000
Hi everyone,

Do you remember the post below? Take a look, and then consider this, posted to packetstorm.securify.com yesterday:

porkbind-1.1.tar.gz is a robust and recursive DNS server vulnerability scanner which retrieves version.bind information for the nameservers and produces a report. Homepage: http://zsh.interniq.org

Interesting!

Richard Bejtlich

--

I've seen the following scan on some servers I admin for the last few days from not only 207.46.106.84 but also a couple other systems in that /24 address space. So far I've seen the version.bind hits about 50 times. The really weird thing is:

  we have two connections to the 'net
  our dns servers are split across the connections
  it's not a browser on the internal side triggering it as they're round robined via squid out the two connections
  ALL the attempts are to the same server.

May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"

$ nslookup 207.46.106.84
Server:  xxx.danger.ms
Address:  xxx.xxx.xxx.254

Name:    sjwu3dns1.windowsupdate.com
Address:  207.46.106.84

$ nslookup sjwu3dns1.windowsupdate.com
Server:  xxx.danger.ms
Address:  xxx.xxx.xxx.254

Name:    sjwu3dns1.windowsupdate.com
Address:  207.46.106.84

Note: I haven't yet contacted Microsoft...you heard it here first ;)

--Bill
--billm () danger ms <-- hmmmm
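An added example, not part of the original posts: one way to triage named log lines like those quoted above, grouping VERSION.BIND queries by source /24 and counting distinct source ports so a burst of identical lines is not read as separate probes. The function names are hypothetical, and the sample lines using 192.0.2.x and 198.51.100.x addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# BIND "unapproved query" notice in the format quoted in the post.
NOTICE = re.compile(
    r'security: notice: unapproved query from '
    r'\[(?P<src>[0-9.]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]+)"')

# First four lines are the ones quoted in the post; the last three are
# constructed (documentation addresses) to exercise grouping and filtering.
SAMPLE = [
    'May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"',
    'May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"',
    'May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"',
    'May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"',
    'May 26 09:02:11 myhost named[1319]: 26-May-2000 09:02:11.004 security: notice: unapproved query from [192.0.2.10].1042 for "version.bind"',
    'May 26 09:02:12 myhost named[1319]: 26-May-2000 09:02:12.310 security: notice: unapproved query from [192.0.2.11].1043 for "VERSION.BIND"',
    'May 26 09:05:40 myhost named[1319]: 26-May-2000 09:05:40.118 security: notice: unapproved query from [198.51.100.7].3321 for "www.example.com"',
]

def version_bind_probes(lines):
    """Yield (source IP, source port) for each logged VERSION.BIND query."""
    for line in lines:
        m = NOTICE.search(line)
        # DNS names are case-insensitive; ignore a trailing root dot too.
        if not m or m["qname"].rstrip(".").lower() != "version.bind":
            continue
        try:
            ip = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # skip malformed addresses rather than abort the run
        yield ip, int(m["port"])

def summarize(lines, prefix=24):
    """Group probes by source network: hits, hosts, distinct (host, port)."""
    nets = defaultdict(lambda: {"hits": 0, "hosts": set(), "ports": set()})
    for ip, port in version_bind_probes(lines):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        entry = nets[str(net)]
        entry["hits"] += 1
        entry["hosts"].add(str(ip))
        entry["ports"].add((str(ip), port))
    return dict(nets)

if __name__ == "__main__":
    for net, e in sorted(summarize(SAMPLE).items()):
        print(f"{net}: {e['hits']} hits, {len(e['hosts'])} hosts, "
              f"{len(e['ports'])} distinct source ports")
```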