Re: unidentified DNS attack

From: quentynat_private
Date: Wed Jan 09 2002 - 02:24:01 PST


    David Wilburn wrote:
    > 
    > On Sunday January 6th at about 12:18PM (EST), Snort picked up some
    > malicious traffic from a Chinese source address to one of our DNS
    
    
    
    I see these attacks quite a lot (twice a week is average). There is
    always a named version attempt, then an iquery, then the attack
    identified in your post.
    
    I presumed that it was an automated tool that was doing the rounds, as
    the activity has been constant. When I have bothered to investigate
    further I have found that the box launching the attacks is always a
    Linux box running 2.2.14 or so (what nmap's OS detection reports). They
    all look like default RH 6.2 boxes with it all hanging out :o). Note
    that my sample size for the above observations is very small (4-6 boxes
    - I have only investigated when I have time), so this may not always be
    true.
    
    Most of the boxes that I have seen have also been in Asia (esp. China)
    somewhere, so reporting the activity may be futile.
    
    
    Q
    
    -- 
    #####################
    Quentyn Taylor
    Sysadmin - Fotango
    #####################
    Any research done on how to efficiently use computers has been long lost
    in the mad rush to upgrade systems to do things that aren't needed by
    people who don't understand what they are really supposed to do with them.
       Graham Reed
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
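The reconnaissance sequence the reply describes (a BIND version probe, then an inverse query, then the exploit attempt) is easy to pick out of a packet stream once the two lead-in messages are recognised. The example below is added here and is not code from the original post or from Snort; it assumes that the "named version attempt" is the usual TXT query for `version.bind` in the CHAOS class, that the "iquery" is a DNS message with opcode 1 (IQUERY, RFC 1035, retired by RFC 3425), and that packets arrive as `(source IP, DNS payload bytes)` pairs already stripped of their UDP headers. All sample packets are constructed inline; the addresses are documentation ranges, not the sources mentioned in the thread.

```python
"""Spot the version.bind probe followed by an IQUERY from the same source.

Added example, not from the original post. It parses raw DNS messages
(UDP payload only) and tracks, per source address, whether the probe and
the inverse query have been seen in that order.
"""
import struct
from collections import defaultdict

# DNS opcodes (RFC 1035 4.1.1). IQUERY (1) was retired by RFC 3425.
OPCODE_QUERY = 0
OPCODE_IQUERY = 1
QTYPE_TXT = 16
QTYPE_A = 1
QCLASS_IN = 1
QCLASS_CH = 3  # CHAOS class, where BIND answers version.bind

# The two-step prelude the post reports before the attack itself
EXPECTED = ("version_probe", "iquery")


def build_query(txid, qname, qtype=QTYPE_TXT, qclass=QCLASS_CH, rd=1):
    """Construct a standard one-question DNS query (sample data only)."""
    flags = (OPCODE_QUERY << 11) | (rd << 8)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


def build_iquery(txid, addr="10.0.0.1"):
    """Construct an inverse query (RFC 1035 6.4): no question section,
    one answer RR that the server is asked to find an owner name for.
    Sample data only; the exact RR the attacker tool sent is not known here."""
    flags = OPCODE_IQUERY << 11
    header = struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)
    rdata = bytes(int(octet) for octet in addr.split("."))
    rr = b"\x00" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 0, len(rdata)) + rdata
    return header + rr


def parse_name(data, off):
    """Decode an uncompressed label sequence starting at `off`."""
    labels = []
    while True:
        n = data[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:  # compression pointers do not belong in a question
            raise ValueError("unexpected compression pointer in question")
        off += 1
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n


def classify(packet):
    """Return 'version_probe', 'iquery', 'query', 'response' or 'other'."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        return "response"
    opcode = (flags >> 11) & 0xF
    if opcode == OPCODE_IQUERY:
        return "iquery"
    if opcode == OPCODE_QUERY and qdcount >= 1:
        qname, off = parse_name(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
        if qclass == QCLASS_CH and qtype == QTYPE_TXT and qname.lower() == "version.bind":
            return "version_probe"
        return "query"
    return "other"


def find_recon_sequences(packets):
    """packets: iterable of (src_ip, dns_payload) in arrival order.
    Returns the sources that sent a version.bind probe and then an IQUERY."""
    progress = defaultdict(int)
    flagged = []
    for src, pkt in packets:
        stage = progress[src]
        if stage < len(EXPECTED) and classify(pkt) == EXPECTED[stage]:
            progress[src] = stage + 1
            if progress[src] == len(EXPECTED) and src not in flagged:
                flagged.append(src)
    return flagged


# Constructed sample traffic: one source follows the reported sequence,
# the other sends an ordinary lookup and a lone IQUERY without the probe.
SAMPLE = [
    ("203.0.113.7", build_query(0x1A2B, "version.bind")),
    ("198.51.100.9", build_query(0x0001, "www.example.com", QTYPE_A, QCLASS_IN)),
    ("203.0.113.7", build_iquery(0x1A2C)),
    ("198.51.100.9", build_iquery(0x0002)),
]

if __name__ == "__main__":
    for src, pkt in SAMPLE:
        print(src, classify(pkt))
    print("recon sequence from:", find_recon_sequences(SAMPLE))
```

The order check matters: an IQUERY on its own is only noise from an old resolver or a scanner, and a version probe on its own is routine, but a version probe followed by an IQUERY from one address is the prelude the reply describes and is worth raising before the third packet arrives.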



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 08:27:58 PST