OSEC

From: Yotam Rubin (yotamMAKIF.OMER.K12.IL)
Date: Sun Mar 25 2001 - 06:17:14 CST


    Hello,

    My bind is configured to only reply to queries which refer to the zones which
    are under my control. I've been receiving a curiously large number of queries
    to the "." domain from hosts which I have never seen before.
    A more peculiar thing is that many of the offending hosts run ssh
    and https alone. Following are the log entries for some of the denied queries:
    Mar 19 05:34:18 linux named[24032]: denied query from [216.33.87.10].54947 for "."
    Mar 19 05:55:42 linux named[24032]: denied query from [216.33.87.10].55501 for "."
    Mar 19 06:01:25 linux named[24032]: denied query from [216.33.87.10].55639 for "."
    Mar 19 06:03:06 linux named[24032]: denied query from [216.33.87.10].55692 for "."
    Mar 19 06:06:11 linux named[24032]: denied query from [216.33.87.9].56046 for "."
    Mar 24 19:09:39 linux named[24032]: denied query from [63.209.29.136].20196 for "."
    .........
    This goes on. I've been able to identify at least nine unique hosts which
    attempted these queries: 167.8.29.52, 206.251.19.88, 209.67.29.8, 216.33.87.8,
    216.33.87.10, 63.209.29.136, 208.185.109.155, 167.8.29.91 and 64.14.77.2.
    Results of the portscan against these hosts can be found at:
    http://192.117.130.34/Fendor/bind-scan-results
    Any ideas as to the nature of these queries and the strange pattern which
    these hosts exhibit?

            Regards, Yotam Rubin
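As an added illustration (not part of the original post), the following script parses BIND 8 "denied query" log lines in the format quoted above, tallies which source hosts asked for which name, and flags names that many distinct hosts are asking for, which is the pattern the post describes. The sample log lines are constructed, and the regular expression assumes the exact line layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the BIND 8 "denied query" layout quoted in the post.
SAMPLE_LOG = """\
Mar 19 05:34:18 linux named[24032]: denied query from [216.33.87.10].54947 for "."
Mar 19 05:55:42 linux named[24032]: denied query from [216.33.87.10].55501 for "."
Mar 19 06:06:11 linux named[24032]: denied query from [216.33.87.9].56046 for "."
Mar 24 19:09:39 linux named[24032]: denied query from [63.209.29.136].20196 for "."
Mar 24 19:10:01 linux named[24032]: denied query from [10.0.0.5].1025 for "example.org"
Mar 24 19:11:00 linux named[24032]: unrelated message
"""

# Assumed layout: syslog timestamp, host, "named[pid]:", then the denied-query text.
DENIED_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: '
    r'denied query from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for "(?P<name>[^"]*)"'
)


def parse_denied(line):
    """Return the fields of one denied-query line, or None for other messages."""
    m = DENIED_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Build {queried_name: {source_ip: count}} from all denied-query lines."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_denied(line)
        if rec:
            summary[rec["name"]][rec["src"]] += 1
    return {name: dict(srcs) for name, srcs in summary.items()}


def flag_widespread(summary, min_sources=2):
    """Names denied for at least min_sources distinct hosts, as
    (name, distinct_sources, total_queries), most sources first."""
    hits = [(name, len(srcs), sum(srcs.values()))
            for name, srcs in summary.items() if len(srcs) >= min_sources]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for name, hosts, total in flag_widespread(summarize(SAMPLE_LOG)):
        print(f'"{name}": {hosts} distinct hosts, {total} denied queries')
```

Feed it a real log with `summarize(open("/var/log/messages").read())` to see which names are being asked for from unusually many sources.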