From owner-freebsd-security Wed Jan 31 0:43: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id E5E3637B65D for ; Wed, 31 Jan 2001 00:42:39 -0800 (PST)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id AAA17048; Wed, 31 Jan 2001 00:42:34 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200101310842.AAA17048@gndrsh.dnsmgr.net>
Subject: Re: Bind: unapproved query (version.bind) Script kiddies?
In-Reply-To: <200101302245.RAA12443@cowpie.acm.vt.edu> from David La Croix at "Jan 30, 2001 04:45:04 pm"
To: dlacroix@cowpie.acm.vt.edu (David La Croix)
Date: Wed, 31 Jan 2001 00:42:34 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Given I just saw 208.44.147.11 pile up in my logfiles I can say we have an
active script kiddy. He is searching for broken named's and hitting large
areas of ip space (this is just one burst in my logs:)

/var/log/security.0.gz:Jan 30 07:45:46 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3120 X.X.X.0:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:46 br1 /kernel: ipfw: 10532 Accept TCP 208.44.147.11:3124 X.X.X.4:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3501 X.X.X.127:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3584 X.X.X.159:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3585 X.X.X.160:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3717 X.X.X.191:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3718 X.X.X.192:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3901 X.X.X.223:53 in via ng0
/var/log/security.0.gz:Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3902 X.X.X.224:53 in via ng0

> I just noticed the following in my logfiles: (/var/log/messages)
>
> it was running Bind 8.2.2-
>
> Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584
> for "version.bind"
> [repeat 23 more times from the same IP]
>
> Jan 27 01:44:42 mildred named[41908]: unapproved query from [208.139.163.15].273
> 4 for "version.bind"
> [repeat 32 more times from the same IP]
>
> Could this be script kiddie activity? This was before I upgraded to 8.2.3,
> and before the CERT alert came out.
>
> What I don't get is why the unapproved query repeated so many times, within
> (according to the timestamp) 3 seconds on both occasions.
>
> I will note: this activity goes back through about November of 2000, seemingly
> from different IP addresses.

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
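A defender-side check for the two log patterns this thread shows (an ipfw-logged sweep of port 53 across an address range, and a burst of BIND 8 "unapproved query ... version.bind" lines from one source), added here as an example and not code from either poster. The sample log, the regexes and the 10-second window / threshold of 3 are constructed assumptions; the masked X.X.X prefix is kept as the poster wrote it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the two formats quoted in the thread: ipfw lines
# for port-53 probes and BIND 8 "unapproved query" lines. X.X.X is the poster's mask.
SAMPLE_LOG = """\
Jan 30 07:45:46 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3120 X.X.X.0:53 in via ng0
Jan 30 07:45:46 br1 /kernel: ipfw: 10532 Accept TCP 208.44.147.11:3124 X.X.X.4:53 in via ng0
Jan 30 07:45:48 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3501 X.X.X.127:53 in via ng0
Jan 30 07:45:49 br1 /kernel: ipfw: 650 Deny TCP 208.44.147.11:3717 X.X.X.191:53 in via ng0
Jan 30 09:12:01 br1 /kernel: ipfw: 650 Deny TCP 10.0.0.9:4000 X.X.X.5:53 in via ng0
Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584 for "version.bind"
Jan 26 22:37:44 mildred named[41908]: unapproved query from [208.44.147.11].1585 for "version.bind"
Jan 26 22:37:45 mildred named[41908]: unapproved query from [208.44.147.11].1586 for "version.bind"
"""

TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)'
FMT = "%b %d %H:%M:%S"  # syslog stamps carry no year; fine for intra-burst deltas
IPFW_RE = re.compile(TS + r' \S+ /kernel: ipfw: \d+ \w+ \w+ '
                     r'(?P<src>[\w.]+):\d+ (?P<dst>[\w.]+):(?P<dport>\d+) ')
NAMED_RE = re.compile(TS + r' \S+ named\[\d+\]: unapproved query from '
                      r'\[(?P<src>[\d.]+)\]\.(?P<sport>\d+) for "(?P<name>[^"]+)"')

def peak_distinct(events, window):
    """Most distinct keys seen in any `window`-second span of (time, key) events."""
    events = sorted(events)
    return max((len({k for t, k in events[i:] if (t - t0).total_seconds() <= window})
                for i, (t0, _) in enumerate(events)), default=0)

def scan_report(log_text, window=10, threshold=3):
    """Flag sources that, within `window` seconds, probed >= threshold distinct
    hosts on port 53 (a sweep) or sent >= threshold version.bind queries (a burst)."""
    probes, vbind = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = IPFW_RE.match(line)
        if m and m["dport"] == "53":
            probes[m["src"]].append((datetime.strptime(m["ts"], FMT), m["dst"]))
            continue
        m = NAMED_RE.match(line)
        if m and m["name"].lower() == "version.bind":
            vbind[m["src"]].append((datetime.strptime(m["ts"], FMT), m["sport"]))
    report = {}
    for src in set(probes) | set(vbind):
        hosts = peak_distinct(probes.get(src, []), window)
        queries = peak_distinct(vbind.get(src, []), window)
        if hosts >= threshold or queries >= threshold:
            report[src] = {"dns_sweep_hosts": hosts, "version_bind_queries": queries}
    return report
```

Feed it the concatenated ipfw and named logs (the grep filename prefix on the poster's lines must be stripped first); a source that only touches one host once, like the constructed 10.0.0.9 line, stays below the threshold and is not reported.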