Security Incidents mailing list archives

Re: Probes from Microsoft


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Sat, 24 Feb 2001 14:42:10 -0700

On Fri, 23 Feb 2001, Ryan W. Maple wrote:

For the last day or so, we have been getting probes such as this ...

  Feb 23 19:39:17 ns named[8363]: denied query from [207.68.131.17].7018 for "."
  Feb 23 19:40:16 ns last message repeated 2 times
  Feb 23 19:40:16 ns named[8363]: denied query from [207.68.131.17].9210 for "."

It's a global traffic director location probe thing.  They want to figure
out which server(s) are closest to you.  When you or one of your users
does a DNS request to them, it will hand back an answer that is supposed to
be the best performer for you.


  Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)

..One brand of that type of product is the Big IP from F5.

... so I probe the ports ...

DNS:
  VERSION.BIND    text = "8.2.2-P5"

Now, I probably wouldn't have posted that...  Anyone know if F5 just has
some sort of regular unix running underneath?


Now I'm not going to call up Microsoft and say "I think you are hacked"

They don't appear to have been, not from this info.

because I don't really feel like going through all the work to find out who
to contact, and all that.  I have cc:'d secure () microsoft com on this message
so hopefully somebody there will investigate.

The only thing to investigate is the BIND version on that box.


Has anybody else been seeing this?  I have to admit that I find this kind
of funny if this is in fact Microsoft (which all signs point to).

It's been covered here before.  Go to our web page, select incidents as
the item to search, and put in "f5" as the search term.

                                        Ryan
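
Added example, not part of the original message or the archive: a Python tally of BIND "denied query" lines in the syslog format quoted above, which also folds in syslog's "last message repeated N times" lines so that collapsed probes are counted. The sample log is constructed, and the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the message (single host).
SAMPLE_LOG = """\
Feb 23 19:39:17 ns named[8363]: denied query from [207.68.131.17].7018 for "."
Feb 23 19:40:16 ns last message repeated 2 times
Feb 23 19:40:16 ns named[8363]: denied query from [207.68.131.17].9210 for "."
Feb 23 19:41:02 ns named[8363]: denied query from [192.0.2.44].1055 for "example.com"
Feb 23 19:41:30 ns sshd[411]: unrelated line
Feb 23 19:41:31 ns last message repeated 5 times
"""

DENIED = re.compile(
    r'named\[\d+\]: denied query from \[(?P<src>[0-9.]+)\]\.(?P<port>\d+)'
    r' for "(?P<name>[^"]*)"')
REPEAT = re.compile(r'last message repeated (?P<n>\d+) times?')

def summarize_denied(log_text):
    """Count denied queries per (source IP, query name), honouring repeats."""
    counts, ports = Counter(), {}
    last_key = None  # set only while the previous message was a denied query
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            last_key = (m["src"], m["name"])
            counts[last_key] += 1
            ports.setdefault(last_key, set()).add(int(m["port"]))
            continue
        r = REPEAT.search(line)
        if r:
            # A repeat line refers to the message just before it; count it
            # only if that message was a denied query.
            if last_key is not None:
                counts[last_key] += int(r["n"])
        else:
            last_key = None  # some other message: later repeats are not ours
    return counts, ports

def root_probers(counts, minimum=3):
    """Sources denied at least `minimum` queries for the root zone "."."""
    return sorted(src for (src, name), n in counts.items()
                  if name == "." and n >= minimum)

if __name__ == "__main__":
    counts, ports = summarize_denied(SAMPLE_LOG)
    for (src, name), n in counts.most_common():
        print(f'{src:15} {name!r:15} {n} denied, ports {sorted(ports[(src, name)])}')
```
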

