From owner-freebsd-security Sun Jul 12 19:06:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA20629 for freebsd-security-outgoing; Sun, 12 Jul 1998 19:06:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA20613 for ; Sun, 12 Jul 1998 19:06:50 -0700 (PDT) (envelope-from maillist@oaks.com.au)
Received: from bigbox (frankenputer.aussie.org [203.29.75.73]) by mail.aussie.org (8.9.0/8.9.0) with SMTP id MAA22491; Mon, 13 Jul 1998 12:05:19 +1000 (EST)
Message-Id: <199807130205.MAA22491@mail.aussie.org>
From: "Hallam Oaks P/L list account"
To: "sthaug@nethelp.no"
Cc: "freebsd-security@FreeBSD.ORG"
Date: Mon, 13 Jul 1998 12:05:43 +1000
Reply-To: "Hallam Oaks P/L list account"
X-Mailer: PMMail 98 Standard (2.01.1600) For Windows NT (4.0.1381;3)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: DNS zone xfers from random(?) sites
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>We've seen attacks that were directly correlated to zone files being
>transferred. Fetch one zone file with a lot of delegations (12000 or so),
>and then (a few minutes later) target all the name servers in this zone
>file with pop3/imap/portmap/whatever attacks. Additionally, attempt to

Hmmm ... this is interesting. Just a few days ago I saw this ...
ipfw: 4110 Deny TCP 137.166.79.129:1852 139.130.xx.xxx:79 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1852 139.130.xx.xxx:79 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1858 139.130.xx.xxx:23 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1858 139.130.xx.xxx:23 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1865 139.130.xx.xxx:80 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1865 139.130.xx.xxx:80 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1896 139.130.xx.xxx:53 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1896 139.130.xx.xxx:53 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0

Exactly two of each. The total time between the first and last was no more
than 40 seconds. Possibly generated by a program of some sort.

No person outside our site has the authority to access our POP3, IMAP, or
TELNET services.

Does this pattern of port accesses seem familiar to anyone?

regards,

--
Chris
Hallam Oaks P/L
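A count-based check for the pattern Chris describes, written here as an added example (it is not part of the original post, nor an ipfw tool): it parses the ipfw log format shown in the message and reports any source whose denied packets touched several distinct ports on one host, keeping per-port hit counts so the "exactly two of each" repetition is visible. The field layout is inferred from the posted lines, and the five-port threshold is the example's own assumption; no timestamps were posted, so no time window is applied.

```python
import re
from collections import defaultdict

# ipfw log lines copied from the message above (no syslog timestamps were
# posted, so this check is count-based rather than time-window-based).
SAMPLE_LOG = """\
ipfw: 4110 Deny TCP 137.166.79.129:1852 139.130.xx.xxx:79 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1852 139.130.xx.xxx:79 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1858 139.130.xx.xxx:23 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1858 139.130.xx.xxx:23 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1865 139.130.xx.xxx:80 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1865 139.130.xx.xxx:80 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1896 139.130.xx.xxx:53 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1896 139.130.xx.xxx:53 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
"""

# Field layout assumed from the lines as posted:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# Host parts accept letters too so masked addresses like 139.130.xx.xxx parse.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_ipfw(lines):
    """Yield one dict per line that matches the ipfw log format; skip the rest."""
    for line in lines:
        m = IPFW_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec

def find_scanners(lines, min_ports=5):
    """Return {(src, dst): {dport: hits}} for sources whose denied packets
    touched at least min_ports distinct destination ports on one host.
    Per-port hit counts are kept so repeats ('exactly two of each') show."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse_ipfw(lines):
        if rec["action"] == "Deny":
            hits[(rec["src"], rec["dst"])][rec["dport"]] += 1
    return {pair: dict(sorted(ports.items()))
            for pair, ports in hits.items() if len(ports) >= min_ports}
```

Running `find_scanners(SAMPLE_LOG.splitlines())` on the posted lines reports the one source with six distinct ports, each hit exactly twice.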