From owner-freebsd-questions Fri Aug 7 10:00:50 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA07442 for freebsd-questions-outgoing; Fri, 7 Aug 1998 10:00:50 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from amanda.qmpgmc.ac.uk ([194.81.5.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA07270 for ; Fri, 7 Aug 1998 10:00:01 -0700 (PDT) (envelope-from gquinlan@qmpgmc.ac.uk)
Received: from dns0.qmpgmc.ac.uk by amanda.qmpgmc.ac.uk (UUNET Amanda using sendmail V8.9.1) id RAA05579; Fri, 7 Aug 1998 17:57:39 +0100 (BST)
Received: from greg.qmpgmc.ac.uk (haem_pc) by dns0.qmpgmc.ac.uk (5.x/QMPGMC simple 1.27) id AA12714; Fri, 7 Aug 1998 18:09:27 +0100
Reply-To: "Greg Quinlan"
From: "Greg Quinlan"
To: "Greg Quinlan" ,
Subject: Re: MSCAN - named - Vulnerability
Date: Fri, 7 Aug 1998 17:59:02 +0100
Message-Id: <01bdc224$ad8f41e0$380051c2@greg.qmpgmc.ac.uk>
Sender: owner-freebsd-questions@FreeBSD.ORG

Further to the message regarding MSCAN, here is a transcript from the system log of someone overloading my name server and trying to hack my system. If you are wondering who it was: cauchy.korea.ac.kr.

Here is where named fell over.
Aug  6 02:00:03 dns1 named[155]: named.3.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug  6 02:00:03 dns1 named[155]: named.4.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug  6 02:00:03 dns1 named[155]: named.5.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug  6 02:00:03 dns1 named[155]: named.6.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug  6 02:00:03 dns1 named[155]: named.7.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug  6 02:00:03 dns1 named[155]: Ready to answer queries.

Here is where they tried to hack something else?

Aug  6 02:53:54 dns1 popper[1292]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:53:54 dns1 popper[1292]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:53:58 dns1 popper[1294]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:53:58 dns1 popper[1294]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:55:06 dns1 popper[1302]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:55:06 dns1 popper[1302]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:55:10 dns1 popper[1304]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:55:10 dns1 popper[1304]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:59:36 dns1 popper[1310]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:59:36 dns1 popper[1310]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:59:43 dns1 popper[1312]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:59:43 dns1 popper[1312]: @[164.138.210.56]: -ERR POP EOF received

Why do people bother? As if system administrators have not got enough to do!
I'm now running bind 4.9.7 from http://www.isc.org/bind.html
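As an added example (my own code, not part of Greg's message and not FreeBSD, BIND or qpopper code): a small Python triage script that reads syslog lines of the shape quoted above and flags the two things worth noticing in them. First, a client that repeatedly connects to popper and hangs up without sending a single POP command, which is what a port scanner or banner grabber looks like in a POP server log ("-ERR POP EOF received" on every session, here from one address whose reverse lookup also fails). Second, the moment named announced it was ready to answer queries again, which marks a (re)start that should line up with a known maintenance action. The sample log lines are constructed to match the format of the quoted ones, with one extra single-hit client (10.0.0.5) added to show the non-alerting case; the year 1998, the threshold of three empty sessions and the ten-minute window are assumptions chosen for illustration.

```python
"""Triage helper for popper/named syslog lines (added example, not the message's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the quoted entries. The last line
# (10.0.0.5, made up) is a single empty session that must NOT raise an alert.
SAMPLE_LOG = """\
Aug  6 02:00:03 dns1 named[155]: named.3.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug  6 02:00:03 dns1 named[155]: Ready to answer queries.
Aug  6 02:53:54 dns1 popper[1292]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:53:54 dns1 popper[1292]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:53:58 dns1 popper[1294]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:53:58 dns1 popper[1294]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:55:06 dns1 popper[1302]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:55:06 dns1 popper[1302]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:55:10 dns1 popper[1304]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:55:10 dns1 popper[1304]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:59:36 dns1 popper[1310]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:59:36 dns1 popper[1310]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 02:59:43 dns1 popper[1312]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug  6 02:59:43 dns1 popper[1312]: @[164.138.210.56]: -ERR POP EOF received
Aug  6 03:10:00 dns1 popper[1320]: @[10.0.0.5]: -ERR POP EOF received
"""

# Classic BSD syslog layout: "Mon  D HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# popper's record of a client that connected and closed without any POP command.
POP_EOF_RE = re.compile(r"^@\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: -ERR POP EOF received$")


def parse_syslog_line(line, year=1998):
    """Split one syslog line into fields. syslog omits the year, so it is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": int(m["pid"]), "msg": m["msg"]}


def find_pop_banner_grabs(lines, threshold=3, window_seconds=600, year=1998):
    """Return {client_ip: hits} for clients with at least `threshold` empty POP
    sessions inside some span of `window_seconds` (sliding window over sorted
    timestamps). Threshold and window are illustrative, not values from the log."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_syslog_line(line, year)
        if rec is None or rec["prog"] != "popper":
            continue
        m = POP_EOF_RE.match(rec["msg"])
        if m:
            hits[m["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits in window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


def find_named_restarts(lines, year=1998):
    """Timestamps at which named announced it was ready again. A restart with
    no matching maintenance action is the thing to check against other logs."""
    out = []
    for line in lines:
        rec = parse_syslog_line(line, year)
        if rec and rec["prog"] == "named" and rec["msg"] == "Ready to answer queries.":
            out.append(rec["ts"])
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts in find_named_restarts(lines):
        print(f"named ready at {ts:%b %d %H:%M:%S} (check for an unexplained restart)")
    for ip, n in find_pop_banner_grabs(lines).items():
        print(f"{ip}: {n} empty POP sessions within 10 minutes (probable port scan / banner grab)")
```

Run as-is it reports the single named start and the six empty sessions from 164.138.210.56, and nothing for the one-off 10.0.0.5 client. The sliding window matters more than the raw count: a mail client with a flaky connection produces a few such lines spread over a day, whereas a scanner produces them within minutes.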