Security Incidents mailing list archives
Remote DNS update attempts
From: kaos () OCS COM AU (Keith Owens)
Date: Wed, 17 May 2000 22:08:06 +1000
Found this in my firewall logs, along with a lot of attempts from the same IP address to access DNS over TCP. The updates were rejected by BIND but even the attempt is worrying. 203.76.2.160 is m160.dialup.ix.net.au.

If I understand RFC 2136 correctly, this one tried to add abraham.ocs.com.au as a CNAME with an IP address of 203.76.2.160 (m160.dialup).

2000/05/17-03:08:17.088667 203.76.2.160.1981 > 203.34.97.9.53: 52 op5 [2a] SOA? ocs.com.au. (74)
  E. .f .( .. t. uF .L ..   4500 0066 d728 0000 7411 7546 cb4c 02a0
  ." a. .. .5 .R w. .4 (.   cb22 6109 07bd 0035 0052 771d 0034 2800
  .. .. .. .. .o cs .c om   0001 0002 0000 0000 036f 6373 0363 6f6d
  .a u. .. .. .a br ah am   0261 7500 0006 0001 0761 6272 6168 616d
  .o cs .c om .a u. .. ..   036f 6373 0363 6f6d 0261 7500 0005 00fe
  .. .. .. .. .. .. .. ..   0000 0000 0000 c01c 0001 0001 0000 0000
  .. .L ..                  0004 cb4c 02a0

This one tried to add a hostname of ocs.com.au with an IP address of 203.76.2.160.

2000/05/17-03:13:15.806955 203.76.2.160.2009 > 203.34.97.9.53: 348 op5 [1n] SOA? ocs.com.au. (54)
  E. .R .. .. t. p. .L ..   4500 0052 db9a 0000 7411 70e8 cb4c 02a0
  ." a. .. .5 .> as .\ (.   cb22 6109 07d9 0035 003e 6173 015c 2800
  .. .. .. .. .o cs .c om   0001 0000 0001 0000 036f 6373 0363 6f6d
  .a u. .. .. .o cs .c om   0261 7500 0006 0001 036f 6373 0363 6f6d
  .a u. .. .. .. .X .. .L   0261 7500 0001 0001 0000 0258 0004 cb4c
  ..                        02a0

Tried to add a hostname of gc._msd.ocs.com.au with an IP address of 203.76.2.160.

2000/05/17-03:14:25.489638 203.76.2.160.2019 > 203.34.97.9.53: 355 op5 [1n] SOA? ocs.com.au. (64)
  E. .\ .z .. t. o. .L ..   4500 005c dc7a 0000 7411 6ffe cb4c 02a0
  ." a. .. .5 .H .. .c (.   cb22 6109 07e3 0035 0048 c59b 0163 2800
  .. .. .. .. .o cs .c om   0001 0000 0001 0000 036f 6373 0363 6f6d
  .a u. .. .. .g c. _m sd   0261 7500 0006 0001 0267 6306 5f6d 7364
  cs .o cs .c om .a u. ..   6373 036f 6373 0363 6f6d 0261 7500 0001
  .. .. .X .. .L ..         0001 0000 0258 0004 cb4c 02a0

That last hostname (gc._msd.ocs.com.au) could indicate that 203.76.2.160 is just a Windoze box trying to autoregister itself. But it does not fit with the earlier update attempts.
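Editor's added example (not part of Keith's post): a small Python decoder that strips the IPv4/UDP headers from the three dumps above and walks the DNS UPDATE message the way RFC 2136 section 2 lays it out (header counts, zone section, prerequisite section, update section), labelling each record with the RFC 2136 section 2.4/2.5 meaning implied by its CLASS and RDLENGTH. The packet bytes are copied from the hex column of the post; the function and constant names are my own.

```python
"""Decode the RFC 2136 UPDATE packets from the post (bytes taken from its hex dumps)."""
import struct

# The three IPv4/UDP packets exactly as they appear in the dumps above.
PKT_ABRAHAM = bytes.fromhex(
    "4500 0066 d728 0000 7411 7546 cb4c 02a0 cb22 6109 07bd 0035 0052 771d 0034 2800"
    "0001 0002 0000 0000 036f 6373 0363 6f6d 0261 7500 0006 0001 0761 6272 6168 616d"
    "036f 6373 0363 6f6d 0261 7500 0005 00fe 0000 0000 0000 c01c 0001 0001 0000 0000"
    "0004 cb4c 02a0")
PKT_APEX = bytes.fromhex(
    "4500 0052 db9a 0000 7411 70e8 cb4c 02a0 cb22 6109 07d9 0035 003e 6173 015c 2800"
    "0001 0000 0001 0000 036f 6373 0363 6f6d 0261 7500 0006 0001 036f 6373 0363 6f6d"
    "0261 7500 0001 0001 0000 0258 0004 cb4c 02a0")
PKT_GC = bytes.fromhex(
    "4500 005c dc7a 0000 7411 6ffe cb4c 02a0 cb22 6109 07e3 0035 0048 c59b 0163 2800"
    "0001 0000 0001 0000 036f 6373 0363 6f6d 0261 7500 0006 0001 0267 6306 5f6d 7364"
    "6373 036f 6373 0363 6f6d 0261 7500 0001 0001 0000 0258 0004 cb4c 02a0")

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
TYPES = {1: "A", 5: "CNAME", 6: "SOA", 255: "ANY"}
CLASSES = {1: "IN", 254: "NONE", 255: "ANY"}


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if end is None:
                end = off + 2                          # caller resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def read_rr(msg, off):
    """Decode one resource record; A RDATA is rendered dotted-quad, anything else as hex."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    off += rdlen
    shown = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
    return {"name": name, "type": TYPES.get(rtype, rtype), "class": CLASSES.get(rclass, rclass),
            "ttl": ttl, "rdlength": rdlen, "rdata": shown}, off


def prereq_semantics(rr, zone_class):
    """RFC 2136 section 2.4: what a prerequisite RR asserts, from its CLASS/TYPE/RDLENGTH."""
    if rr["rdlength"] == 0 and rr["class"] == "ANY":
        return "name is in use" if rr["type"] == "ANY" else "RRset exists (value independent)"
    if rr["rdlength"] == 0 and rr["class"] == "NONE":
        return "name is not in use" if rr["type"] == "ANY" else "RRset does not exist"
    if rr["class"] == zone_class:
        return "RRset exists (value dependent)"
    return "malformed prerequisite"


def update_semantics(rr, zone_class):
    """RFC 2136 section 2.5: what an update RR does, from its CLASS/TYPE."""
    if rr["class"] == zone_class:
        return "add RR to RRset"
    if rr["class"] == "ANY":
        return "delete all RRsets at name" if rr["type"] == "ANY" else "delete RRset"
    if rr["class"] == "NONE":
        return "delete RR from RRset"
    return "malformed update"


def parse_dns_update(pkt):
    """Strip IPv4 + UDP headers and decode the DNS UPDATE message (RFC 2136 section 2)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", pkt, 2)
    if total_len != len(pkt) or pkt[9] != 17:          # length sanity check, protocol must be UDP
        raise ValueError("not a complete IPv4/UDP packet")
    sport, _dport, ulen = struct.unpack_from("!HHH", pkt, ihl)
    msg = pkt[ihl + 8:ihl + ulen]
    ident, flags, zocount, prcount, upcount, adcount = struct.unpack_from("!6H", msg, 0)
    opcode = OPCODES.get((flags >> 11) & 0xF, "?")
    if opcode != "UPDATE":
        raise ValueError(f"opcode {opcode}, not UPDATE")
    off, zones = 12, []
    for _ in range(zocount):                           # zone section: one SOA-typed entry
        name, off = read_name(msg, off)
        ztype, zclass = struct.unpack_from("!HH", msg, off)
        off += 4
        zones.append((name, TYPES.get(ztype, ztype), CLASSES.get(zclass, zclass)))
    zone_class = zones[0][2] if zones else "IN"
    result = {"id": ident, "opcode": opcode,
              "src": ".".join(str(b) for b in pkt[12:16]) + f":{sport}",
              "zone": zones[0] if zones else None,
              "prerequisites": [], "updates": [], "additional": []}
    for key, count, describe in (("prerequisites", prcount, prereq_semantics),
                                 ("updates", upcount, update_semantics),
                                 ("additional", adcount, lambda rr, zc: "additional data")):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rr["meaning"] = describe(rr, zone_class)
            result[key].append(rr)
    if off != len(msg):
        raise ValueError("trailing bytes after last section")
    return result


if __name__ == "__main__":
    for label, pkt in (("abraham", PKT_ABRAHAM), ("apex", PKT_APEX), ("gc", PKT_GC)):
        upd = parse_dns_update(pkt)
        print(f"[{label}] id={upd['id']:#06x} from {upd['src']} zone={upd['zone']}")
        for key in ("prerequisites", "updates"):
            for rr in upd[key]:
                print(f"  {key[:-1]:<13} {rr['name']} {rr['class']} {rr['type']} ttl={rr['ttl']} "
                      f"rdata={rr['rdata'] or '-'} -> {rr['meaning']}")
```

Two things the decoder makes visible that the raw dump does not: the header counts of the first packet (0001 0002 0000 0000) place both of its records in the prerequisite section, with an empty update section, so the CNAME/class NONE record and the A record are assertions about the zone rather than writes to it; and the third packet's update name decodes from the hex column as gc._msdcs.ocs.com.au. The same routine works on any UDP capture of an UPDATE, so it can be pointed at a firewall log extract to see exactly what a remote client was asking the server to change.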