From: Jason DiCioccio
To: 'David La Croix', freebsd-security@freebsd.org
Subject: RE: Bind: unapproved query (version.bind) Script kiddies?
Date: Tue, 30 Jan 2001 14:52:00 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0243C6@goofy.epylon.lan>

I would say it definitely is ;)


-------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft


-----Original Message-----
From: David La Croix [mailto:dlacroix@cowpie.acm.vt.edu]
Sent: Tuesday, January 30, 2001 2:45 PM
To: freebsd-security@freebsd.org
Subject: Bind: unapproved query (version.bind) Script kiddies?


I just noticed the following in my logfiles: (/var/log/messages)

it was running Bind 8.2.2-

Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
[repeat 23 more times from the same IP]

Jan 27 01:44:42 mildred named[41908]: unapproved query from [208.139.163.15].2734 for "version.bind"
[repeat 32 more times from the same IP]

Could this be script kiddie activity?  This was before I upgraded to 8.2.3,
and before the CERT alert came out.

What I don't get is why the unapproved query repeated so many times, within
(according to the timestamp) 3 seconds on both occasions.

I will note: this activity goes back through about November of 2000,
seemingly from different IP addresses.


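An added example, not part of the original messages: a small Python detector for the pattern the quoted post describes, many "unapproved query" entries for version.bind from one source within a few seconds. The hostname `ns1`, the documentation addresses, the sample lines, the assumed year and the window and threshold values are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# named syslog line in the form quoted in the message above.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: '
    r'unapproved query from \[(?P<ip>[^\]]+)\]\.(?P<port>\d+) '
    r'for "(?P<qname>[^"]+)"'
)

def parse(lines, year=2001):
    """Yield (timestamp, source_ip, qname). Syslog omits the year, so it is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["qname"].lower()

def find_bursts(lines, qname="version.bind", window=timedelta(seconds=5), threshold=3):
    """Return {source_ip: largest query count inside any sliding window}
    for sources whose count reaches the threshold."""
    per_ip = defaultdict(list)
    for ts, ip, name in parse(lines):
        if name == qname:
            per_ip[ip].append(ts)
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1          # shrink window from the left
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts

# Constructed sample input (documentation addresses, not from the original post).
_FMT = 'Jan 26 {t} ns1 named[41908]: unapproved query from [{ip}].{port} for "{q}"'
SAMPLE = [_FMT.format(t=t, ip=ip, port=p, q=q) for t, ip, p, q in [
    ("22:37:43", "192.0.2.10", 1584, "version.bind"),
    ("22:37:43", "192.0.2.10", 1584, "VERSION.BIND"),
    ("22:37:44", "192.0.2.10", 1584, "version.bind"),
    ("22:37:45", "192.0.2.10", 1584, "version.bind"),
    ("22:38:00", "198.51.100.7", 2734, "version.bind"),   # single probe
    ("22:39:00", "203.0.113.5", 1025, "example.com"),     # other name
    ("22:39:01", "203.0.113.5", 1025, "example.com"),
    ("22:39:02", "203.0.113.5", 1025, "example.com"),
]] + ["Jan 26 22:40:00 ns1 named[41908]: Ready to answer queries."]
```

Running `find_bursts` over a real `/var/log/messages` requires passing the year the log covers, since the timestamps do not carry one.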