Security Incidents mailing list archives
Re: repeated attempts of unapproved updates
From: Mike Lewinski <mike () ROCKYNET COM>
Date: Tue, 30 Jan 2001 10:12:32 -0700
I periodically track down the offenders and send them a note with this link.... feel free to copy & customize.

http://www.rockynet.com/tech/win2k-ddns.html

Mike

----- Original Message -----
From: "Wendell Craig Baker" <wbaker () SPLOOSH BAKER COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, January 30, 2001 7:50 AM
Subject: repeated attempts of unapproved updates
Does anyone have any thoughts on a pattern of unapproved updates to DNS?

I'm constantly getting a stream of between five and fifty unapproved updates to my DNS servers. Does anyone know anything about this? I had a responsible individual at Veritas once tell me that this was a mis-configured Windows 2000 network (dhcp). He didn't elaborate but it stopped (from their sites).

Jan 30 01:51:11 sploosh named[552]: unapproved update from [172.138.204.192].1339 for baker.com
Jan 30 01:56:46 sploosh named[552]: unapproved update from [172.138.204.192].1350 for baker.com
Jan 30 02:07:21 sploosh named[552]: unapproved update from [172.138.204.192].1361 for baker.com
Jan 30 02:55:24 sploosh named[552]: unapproved update from [172.160.248.100].1383 for baker.com
Jan 30 03:00:30 sploosh named[552]: unapproved update from [172.160.248.100].1395 for baker.com

They've gotten more voluminous recently:

$ grep -c 'unapproved update' /var/log/messages*
/var/log/messages:847      (this logfile is 3 days old)
/var/log/messages.1:3774   (spans 1 week -- 21-28 Jan 2001)
/var/log/messages.2:884    (spans 1 week -- 14-21 Jan 2001)

Some simple filtering gets a smallish set of addresses over the course of the past 30 days. The 172.*.*.* addresses seem to be in the AOL.COM sphere of influence.

$ perl -n -e 'our %addr; next unless /unapproved update/; m/.*\[(\d+(\.\d+){3})\]\.\d+.*/; $addr{$1} = 1; END { my @saddr = sort keys %addr; print $_, "\n" for (@saddr); my $n = @saddr; print "There were $n addresses.\n"; }' /var/log/messages.*
172.129.1.251
172.129.28.173
172.131.185.88
172.141.23.60
172.143.214.61
172.153.35.74
172.153.49.61
172.154.174.144
172.160.252.14
172.164.116.99
172.164.210.216
172.168.205.251
172.174.159.178
172.174.171.231
172.174.223.178
24.162.117.95
24.167.108.191
24.27.21.61
66.27.93.98
90.0.0.2
There were 20 addresses.

Thanks for any thoughts.

--
Wendell Craig Baker
415 699 9567
wbaker () baker com
Current thread:
- repeated attempts of unapproved updates Wendell Craig Baker (Jan 30)
- Re: repeated attempts of unapproved updates Mike Lewinski (Jan 30)
- Re: repeated attempts of unapproved updates Jim Halfpenny (Jan 31)