Security Incidents mailing list archives
repeated attempts of unapproved updates
From: Wendell Craig Baker <wbaker () SPLOOSH BAKER COM>
Date: Tue, 30 Jan 2001 06:50:53 -0800
Does anyone have any thoughts on a pattern of unapproved updates to DNS? I'm constantly getting a stream of between five and fifty unapproved updates to my DNS servers. Does anyone know anything about this? I had a responsible individual at Veritas once tell me that this was a mis-configured Windows 2000 network (dhcp). He didn't elaborate but it stopped (from their sites).

Jan 30 01:51:11 sploosh named[552]: unapproved update from [172.138.204.192].1339 for baker.com
Jan 30 01:56:46 sploosh named[552]: unapproved update from [172.138.204.192].1350 for baker.com
Jan 30 02:07:21 sploosh named[552]: unapproved update from [172.138.204.192].1361 for baker.com
Jan 30 02:55:24 sploosh named[552]: unapproved update from [172.160.248.100].1383 for baker.com
Jan 30 03:00:30 sploosh named[552]: unapproved update from [172.160.248.100].1395 for baker.com

They've gotten more voluminous recently:

$ grep -c 'unapproved update' /var/log/messages*
/var/log/messages:847      (this logfile is 3 days old)
/var/log/messages.1:3774   (spans 1 week -- 21-28 Jan 2001)
/var/log/messages.2:884    (spans 1 week -- 14-21 Jan 2001)

Some simple filtering gets a smallish set of addresses over the course of the past 30 days. The 172.*.*.* addresses seem to be in the AOL.COM sphere of influence.

$ perl -n -e '
    our %addr;
    next unless /unapproved update/;
    # pull the source address out of "[a.b.c.d].port"; skip the line if it
    # does not match, so a stale $1 from an earlier line is never recorded
    next unless m/\[(\d+(?:\.\d+){3})\]\.\d+/;
    $addr{$1} = 1;
    END {
        my @saddr = sort keys %addr;
        print $_, "\n" for @saddr;
        my $n = @saddr;
        print "There were $n addresses.\n";
    }' /var/log/messages.*

There were 20 addresses.

Thanks for any thoughts.

--
Wendell Craig Baker 415 699 9567 wbaker () baker com
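An added example, not part of the original post: a Python version of the filtering above that parses the exact "unapproved update" line format named logs, aggregates per source address (attempt count, first/last seen, zones, source ports) and flags sources that keep retrying, which is the misconfigured dynamic-update client pattern the post describes. The sample lines are the five quoted in the post plus two constructed ones; the year is assumed to be 2001.

```python
import re
from datetime import datetime

# Format of the named log lines in the post:
#   Jan 30 01:51:11 sploosh named[552]: unapproved update from [172.138.204.192].1339 for baker.com
UNAPPROVED_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: '
    r'unapproved update from \[(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+) '
    r'for (?P<zone>\S+)$'
)

# Constructed sample: the five lines quoted in the post, one made-up later retry
# from the first client, and one unrelated named message that must be ignored.
SAMPLE_LINES = [
    "Jan 30 01:51:11 sploosh named[552]: unapproved update from [172.138.204.192].1339 for baker.com",
    "Jan 30 01:56:46 sploosh named[552]: unapproved update from [172.138.204.192].1350 for baker.com",
    "Jan 30 02:07:21 sploosh named[552]: unapproved update from [172.138.204.192].1361 for baker.com",
    "Jan 30 02:55:24 sploosh named[552]: unapproved update from [172.160.248.100].1383 for baker.com",
    "Jan 30 03:00:30 sploosh named[552]: unapproved update from [172.160.248.100].1395 for baker.com",
    "Jan 30 03:10:02 sploosh named[552]: unapproved update from [172.138.204.192].1372 for baker.com",  # constructed
    "Jan 30 03:12:00 sploosh named[552]: zone baker.com loaded (serial 2001013001)",  # constructed
]

def parse_line(line, year=2001):
    """Return (timestamp, addr, port, zone) for an 'unapproved update' line, else None."""
    m = UNAPPROVED_RE.match(line.strip())
    if not m:
        return None
    # syslog lines carry no year; the caller supplies it (2001 for the post's logs)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m['addr'], int(m['port']), m['zone']

def summarize(lines, year=2001):
    """Per-source summary: attempt count, first/last seen, zones targeted, source ports used."""
    stats = {}
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, addr, port, zone = rec
        s = stats.setdefault(addr, {"count": 0, "first": ts, "last": ts, "zones": set(), "ports": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["zones"].add(zone)
        s["ports"].add(port)
    return stats

def noisy_sources(stats, min_count=3):
    """Addresses with at least min_count rejected updates, busiest first. A client that
    retries from a fresh ephemeral port every few minutes is the misconfigured-client
    pattern from the post, not a one-off; these are the hosts worth contacting."""
    return sorted((a for a, s in stats.items() if s["count"] >= min_count),
                  key=lambda a: -stats[a]["count"])
```

Because named logs the rejection, the zone itself is protected; the output is for identifying which networks to notify, not a sign the updates succeeded.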
Current thread:
- repeated attempts of unapproved updates Wendell Craig Baker (Jan 30)
- Re: repeated attempts of unapproved updates Mike Lewinski (Jan 30)
- Re: repeated attempts of unapproved updates Jim Halfpenny (Jan 31)