Re: version.bind request

From: Russell Fulton (r.fultonat_private)
Date: Tue May 29 2001 - 21:02:25 PDT


    On Tue, 29 May 2001 16:34:51 -0400 "Portnoy, Gary" 
    <gportnoyat_private> wrote:
    
    > Greetings.
    > 
    > I have Snort configured to alert on version.bind queries and the following
    > is what I've been seeing.
    > In the last week, I've seen about 10 version.bind queries to seemingly
    > random IPs on my subnet.
    
    I got so fed up with these a couple of weeks ago that I commented out 
    the Snort rule.  I assume these are yet another worm doing random 
    probing. I'm currently seeing about 120 machines probing random addresses
    on our network with udp-53 (yes, they are the same as the ones you 
    list).
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    


