Security Incidents mailing list archives

Re: repeated attempts of unapproved updates


From: Mike Lewinski <mike () ROCKYNET COM>
Date: Tue, 30 Jan 2001 10:12:32 -0700

I periodically track down the offenders and send them a note with this link. Feel free to copy & customize.

http://www.rockynet.com/tech/win2k-ddns.html

Mike


----- Original Message -----
From: "Wendell Craig Baker" <wbaker () SPLOOSH BAKER COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, January 30, 2001 7:50 AM
Subject: repeated attempts of unapproved updates


Does anyone have any thoughts on a pattern of unapproved updates to DNS?

I'm constantly getting a stream of between five and fifty unapproved updates to my DNS servers.  Does anyone know anything about this?  I had a responsible individual at Veritas once tell me that this was a mis-configured Windows 2000 network (dhcp).  He didn't elaborate, but it stopped (from their sites).

Jan 30 01:51:11 sploosh named[552]: unapproved update from [172.138.204.192].1339 for baker.com
Jan 30 01:56:46 sploosh named[552]: unapproved update from [172.138.204.192].1350 for baker.com
Jan 30 02:07:21 sploosh named[552]: unapproved update from [172.138.204.192].1361 for baker.com
Jan 30 02:55:24 sploosh named[552]: unapproved update from [172.160.248.100].1383 for baker.com
Jan 30 03:00:30 sploosh named[552]: unapproved update from [172.160.248.100].1395 for baker.com

They've gotten more voluminous recently:

$ grep -c 'unapproved update' /var/log/messages*
/var/log/messages:847    (this logfile is 3 days old)
/var/log/messages.1:3774 (spans 1 week -- 21-28 Jan 2001)
/var/log/messages.2:884  (spans 1 week -- 14-21 Jan 2001)

Some simple filtering gets a smallish set of addresses over the course of the past 30 days.  The 172.*.*.* addresses seem to be in the AOL.COM sphere of influence.

$ perl -n -e '
    our %addr;
    next unless /unapproved update/;
    # source address appears as [a.b.c.d].port; skip lines that do not match
    next unless m/\[(\d+(?:\.\d+){3})\]\.\d+/;
    $addr{$1} = 1;
    END {
        my @saddr = sort keys %addr;
        print "$_\n" for @saddr;
        printf "There were %d addresses.\n", scalar @saddr;
    }' /var/log/messages.*

There were 20 addresses.

Thanks for any thoughts.

--
Wendell Craig Baker
415 699 9567
wbaker () baker com
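The log filtering Baker describes above, as an added example that is not part of this thread: a Python script that parses named's "unapproved update" lines, counts attempts per source address and per zone, and records when each address was first and last seen, so one misconfigured Windows 2000 client can be told apart from a broader pattern. The sample log is constructed from the lines quoted in the post plus a made-up example.net entry and one unrelated named message.

```python
import re
from collections import defaultdict

# Matches the syslog line named writes for a rejected dynamic update.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: unapproved update "
    r"from \[(?P<ip>\d+(?:\.\d+){3})\]\.(?P<port>\d+) for (?P<zone>\S+)"
)

# Constructed sample input: the lines quoted in the post, plus one entry for
# a second (made-up) zone and one unrelated named message to be skipped.
SAMPLE_LOG = """\
Jan 30 01:51:11 sploosh named[552]: unapproved update from [172.138.204.192].1339 for baker.com
Jan 30 01:56:46 sploosh named[552]: unapproved update from [172.138.204.192].1350 for baker.com
Jan 30 02:07:21 sploosh named[552]: unapproved update from [172.138.204.192].1361 for baker.com
Jan 30 02:55:24 sploosh named[552]: unapproved update from [172.160.248.100].1383 for baker.com
Jan 30 03:00:30 sploosh named[552]: unapproved update from [172.160.248.100].1395 for baker.com
Jan 30 03:02:10 sploosh named[552]: unapproved update from [172.160.248.100].1401 for example.net
Jan 30 03:05:00 sploosh named[552]: zone baker.com/IN: loaded serial 2001013001
"""


def summarize(log_text):
    """Return {ip: {"count": n, "zones": {zone: n}, "first": ts, "last": ts}}."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # other named messages are ignored
            continue
        rec = summary.setdefault(m["ip"], {"count": 0, "zones": defaultdict(int),
                                           "first": m["ts"], "last": None})
        rec["count"] += 1
        rec["zones"][m["zone"]] += 1
        rec["last"] = m["ts"]  # lines are in time order, so the latest wins
    return summary


def report(summary):
    """Format one line per address, busiest first, plus the total count."""
    lines = []
    for ip, r in sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        zones = ", ".join(f"{z}={n}" for z, n in sorted(r["zones"].items()))
        lines.append(f"{ip:16} {r['count']:4}  {r['first']} .. {r['last']}  {zones}")
    lines.append(f"There were {len(summary)} addresses.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Run it against /var/log/messages* instead of SAMPLE_LOG to get the per-address breakdown for a real log.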
