From owner-freebsd-security Tue Jan 30 14:47:13 2001
From: David La Croix
Message-Id: <200101302245.RAA12443@cowpie.acm.vt.edu>
Subject: Bind: unapproved query (version.bind) Script kiddies?
To: freebsd-security@freebsd.org
Date: Tue, 30 Jan 2001 16:45:04 -0600 (CST)

I just noticed the following in my logfiles: (/var/log/messages)
it was running Bind 8.2.2-

Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
[repeat 23 more times from the same IP]
Jan 27 01:44:42 mildred named[41908]: unapproved query from [208.139.163.15].2734 for "version.bind"
[repeat 32 more times from the same IP]

Could this be script kiddie activity? This was before I upgraded to 8.2.3,
and before the CERT alert came out.

What I don't get is why the unapproved query repeated so many times, within
(according to the timestamp) 3 seconds on both occasions.

I will note: this activity goes back through about November of 2000,
seemingly from different IP addresses.
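
Added example, not part of the original message: one way to summarize the kind of log lines quoted above, grouping "unapproved query" entries for version.bind by source address and reporting sources that repeat within a few seconds. The function name, thresholds and sample lines are assumptions; the sample is constructed and uses documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in the message.
SAMPLE = """\
Jan 26 22:37:43 ns1 named[41908]: unapproved query from [192.0.2.11].1584 for "version.bind"
Jan 26 22:37:43 ns1 named[41908]: unapproved query from [192.0.2.11].1584 for "version.bind"
Jan 26 22:37:44 ns1 named[41908]: unapproved query from [192.0.2.11].1584 for "version.bind"
Jan 26 22:37:45 ns1 named[41908]: unapproved query from [192.0.2.11].1584 for "version.bind"
Jan 27 01:44:42 ns1 named[41908]: unapproved query from [198.51.100.7].2734 for "version.bind"
Jan 27 09:10:01 ns1 named[41908]: unapproved query from [192.0.2.11].1600 for "version.bind"
"""

LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: '
    r'unapproved query from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for "(?P<name>[^"]+)"'
)

def find_bursts(log_text, year, min_hits=3, window=timedelta(seconds=3)):
    """Return {ip: (burst_start, hits)} for sources that sent at least
    min_hits version.bind queries inside one sliding window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["name"].lower() == "version.bind":
            # Syslog lines carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append(ts)

    bursts = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window until it spans no more than `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_hits and count > bursts.get(ip, (None, 0))[1]:
                bursts[ip] = (times[start], count)
    return bursts

if __name__ == "__main__":
    for ip, (first, count) in find_bursts(SAMPLE, 2001).items():
        print(f"{ip}: {count} version.bind queries starting {first}")
```

A single query from an address is not reported; only repeats inside the window are, which matches the pattern described in the message.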