David Wilburn wrote:
>
> On Sunday January 6th at about 12:18PM (EST), Snort picked up some
> malicious traffic from a Chinese source address to one of our DNS

I see these attacks quite a lot (twice a week is average). There is always a named version attempt, then an iquery, then the attack identified in your post. I presumed that it was an automated tool that was doing the rounds as the activity has been constant.

When I have bothered to investigate further I have found that the box launching the attacks is always a Linux box running 2.2.14 or so (what nmap's OS detection reports). They all look like default RH 6.2 boxes with it all hanging out :o).

Note that my sample size for the above observations is very small (4-6 boxes - I have only investigated when I have time) so may not always be true. Most of the boxes that I have seen have also been in Asia (esp. China) somewhere so reporting the activity may be futile.

Q

--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################

Any research done on how to efficiently use computers has been long lost in the mad rush to upgrade systems to do things that aren't needed by people who don't understand what they are really supposed to do with them.
Graham Reed

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
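Added example, not from the original post or the list: a small Python script that correlates the three-stage pattern Quentyn describes (named version attempt, then iquery, then the attack) per source address across Snort-style alert lines, so a recurring automated scanner stands out from a lone version probe. The alert lines and rule messages are constructed for illustration, and the ten-minute window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in Snort "fast" style (not real traffic, and
# the message strings are illustrative rather than any ruleset's exact text).
SAMPLE_ALERTS = """\
01/06-12:17:40.101 [**] DNS named version attempt [**] 203.0.113.7:1234 -> 192.0.2.53:53
01/06-12:17:52.442 [**] DNS named iquery attempt [**] 203.0.113.7:1235 -> 192.0.2.53:53
01/06-12:18:03.009 [**] DNS EXPLOIT named overflow attempt [**] 203.0.113.7:1236 -> 192.0.2.53:53
01/06-13:02:11.500 [**] DNS named version attempt [**] 198.51.100.9:4000 -> 192.0.2.53:53
01/06-18:30:00.000 [**] DNS named version attempt [**] 198.51.100.9:4001 -> 192.0.2.53:53
"""

LINE_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

# Map an alert message to the stage of the sequence it represents.
STAGES = (("version", "version"), ("iquery", "iquery"), ("attack", "exploit"))

def classify(msg):
    for stage, needle in STAGES:
        if needle in msg.lower():
            return stage
    return None

def find_sequences(text, window_seconds=600, year=2002):
    """Return {src: dst} for sources that went version -> iquery -> attack,
    in order, against the same target within window_seconds."""
    events = defaultdict(list)
    for m in LINE_RE.finditer(text):
        stage = classify(m["msg"])
        if stage:
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            events[(m["src"], m["dst"])].append((ts, stage))
    order, hits = ("version", "iquery", "attack"), {}
    for (src, dst), evs in events.items():
        idx, start = 0, None
        for ts, stage in sorted(evs):
            if stage == "version":            # a fresh version probe restarts the chain
                idx, start = 1, ts
            elif start is None or (ts - start).total_seconds() > window_seconds:
                idx, start = 0, None          # too old: drop the partial chain
            elif stage == order[idx]:
                idx += 1
                if idx == len(order):
                    hits[src] = dst
                    break
    return hits
```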
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 08:27:58 PST