RE: version.bind request

From: Jeff Calvert (jcalvertat_private)
Date: Wed May 30 2001 - 07:41:25 PDT


    I have also noticed these named-probe-version alerts.  Same pattern of
    random sources, going to IP's that don't have hosts associated with
    them:
    
    05/20-08:18:41.754937  213.42.45.162:3310 -> a.b.c.157:53
    05/20-08:41:54.004937  168.77.214.13:3422 -> a.b.c.204:53
    05/20-14:45:40.924937  200.41.84.109:4904 -> a.b.c.138:53
    05/20-21:23:38.014937  211.13.200.132:3979 -> a.b.c.219:53
    05/20-23:34:31.044937  209.196.46.130:2369 -> a.b.c.131:53
    05/21-02:18:43.464937  150.214.53.58:3709 -> a.b.c.213:53
    05/21-04:43:32.014937  210.208.128.4:4514 -> a.b.c.50:53
    05/21-05:02:15.724937  63.34.208.66:1660 -> a.b.c.219:53
    05/21-08:14:28.684937  210.162.194.130:4823 -> a.b.c.195:53
    05/21-16:04:50.044937  202.86.136.31:3504 -> a.b.c.133:53
    05/21-18:45:11.974937  195.76.10.75:4882 -> a.b.c.198:53
    05/22-01:31:29.634937  61.218.146.51:4138 -> a.b.c.212:53
    05/29-17:49:31.923427  62.137.41.136:2770 -> a.b.c.147:53
    05/29-23:25:51.403376  210.11.29.11:4706 -> a.b.c.200:53
    05/29-23:26:37.293376  203.73.208.97:2053 -> a.b.c.159:53
    
    Jeff Calvert
    System Administrator
    jcalvertat_private
    
    -----Original Message-----
    From: Portnoy, Gary [mailto:gportnoyat_private]
    Sent: Tuesday, May 29, 2001 3:35 PM
    To: 'intursionsat_private'; 'incidentsat_private'
    Subject: version.bind request
    
    
    Greetings.
    
    I have Snort configured to alert on version.bind queries and the
    following is what I've been seeing.
    In the last week, I've seen about 10 version.bind queries to seemingly
    random IP's on my subnet.  Some of these IP's don't even have hosts
    associated with them.  Checking back in my logs, it doesn't look like
    the various source IPs performed any recon beforehand, and since
    version.bind is UDP-based, they can afford to send out the query without
    first establishing the connection.  So, in effect, what I am seeing is
    almost like a ping sweep for DNS servers.  The interesting thing is that
    I don't see the source IP return, no exploit, and no scan of additional
    IPs by the same source:
    
    2001-05-28 15:38:42     157.158.66.54  ->  a.b.c.52
    2001-05-28 23:24:53     211.72.169.14  ->  a.b.c.55
    2001-05-27 08:42:48     203.146.184.8  ->  a.b.c.17
    2001-05-27 18:01:54     213.29.194.62  ->  a.b.c.4
    2001-05-25 01:23:01     213.42.50.224  ->  a.b.c.52
    2001-05-23 13:32:45     210.99.96.107  ->  a.b.c.2
    2001-05-22 06:20:34     209.196.46.130  ->  a.b.c.5
    2001-05-22 16:06:12     62.110.55.180  ->  a.b.c.25
    2001-05-22 16:16:37     209.245.0.125  ->  a.b.c.3
    2001-05-13 01:40:56     203.87.131.9  ->  a.b.c.25
    2001-05-13 05:10:39     195.76.10.128  ->  a.b.c.7
    
    Any ideas/correlations?
    
    Gary Portnoy
    Network Administrator
    gportnoyat_private
    
    PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
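
A small correlation script for the two alert listings above, added here as an example and not code from either poster. It parses both log layouts (Snort's "MM/DD-HH:MM:SS.usec src:port -> dst:port" and the "YYYY-MM-DD HH:MM:SS src -> dst" summary), then answers the correlation question Gary asked: which sources queried more than one address, which exact sources appear in both observers' logs, and which source /24s overlap. The embedded sample is a constructed subset of the lines quoted in the two messages; the a.b.c placeholders are kept as-is.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the alert lines quoted in the two messages,
# one in Snort's "MM/DD-HH:MM:SS.usec src:port -> dst:port" layout and one in
# the "YYYY-MM-DD HH:MM:SS src -> dst" layout. The a.b.c placeholders are kept.
REPLY_LOG = """\
05/20-08:18:41.754937  213.42.45.162:3310 -> a.b.c.157:53
05/20-23:34:31.044937  209.196.46.130:2369 -> a.b.c.131:53
05/21-05:02:15.724937  63.34.208.66:1660 -> a.b.c.219:53
05/21-18:45:11.974937  195.76.10.75:4882 -> a.b.c.198:53
"""
ORIGINAL_LOG = """\
2001-05-28 15:38:42     157.158.66.54  ->  a.b.c.52
2001-05-25 01:23:01     213.42.50.224  ->  a.b.c.52
2001-05-22 06:20:34     209.196.46.130  ->  a.b.c.5
2001-05-13 05:10:39     195.76.10.128  ->  a.b.c.7
"""

def parse_alert(line):
    """Return (src, dst) from either layout; any trailing :port is dropped."""
    left, right = line.split("->", 1)
    src, dst = left.split()[-1], right.split()[0]
    return src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]

def correlate(*logs):
    """Map each source address to the set of destinations it queried."""
    seen = defaultdict(set)
    for text in logs:
        for line in text.splitlines():
            if "->" in line:
                src, dst = parse_alert(line)
                seen[src].add(dst)
    return dict(seen)

def sweeping_sources(seen, min_targets=2):
    """Sources that queried several destinations: the sweep pattern asked about."""
    return sorted(s for s, d in seen.items() if len(d) >= min_targets)

def shared_sources(log_a, log_b):
    """Exact source addresses present in both observers' logs."""
    return sorted(set(correlate(log_a)) & set(correlate(log_b)))

def shared_networks(log_a, log_b, prefix=24):
    """Source networks (default /24) present in both logs, for near-miss matches."""
    nets = lambda log: {str(ipaddress.ip_network(f"{s}/{prefix}", strict=False))
                        for s in correlate(log)}
    return sorted(nets(log_a) & nets(log_b))

if __name__ == "__main__":
    print("sweeping:", sweeping_sources(correlate(REPLY_LOG, ORIGINAL_LOG)))
    print("shared hosts:", shared_sources(REPLY_LOG, ORIGINAL_LOG))
    print("shared /24s:", shared_networks(REPLY_LOG, ORIGINAL_LOG))
```

On the sample, 209.196.46.130 is the one source seen by both sites and the only one that hit two different addresses, while 195.76.10.75 and 195.76.10.128 only line up at the /24 level.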
    



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 10:16:44 PDT