[NTLUG:Discuss] what is going on?
Victor Brilon
victor at vail.net
Thu May 24 13:02:40 CDT 2001
The address that tried doing this resolves to mirror.image.com. If you go
look at this page: http://www.mirror-image.com/services/overview.html,
you'll see what's going on.
Mirror-Image apparently uses tools designed to find the optimal path to the
clients requesting services. Microsoft (among many other sites) uses this
technology on their site as well. In theory, these tools track the optimum
path back to the client for faster content delivery.
Unfortunately, the way they track the path back is by hitting port 53 on the
requesting machine and seeing how long the ACK or NACK takes to come back
(ok, that's a very simplified explanation but it'll serve for the purposes
of this discussion). Why port 53? Probably because it's the one incoming
port that most firewalls don't block. Check out the recent archives of the
Bugtraq and SecurityFocus mailing lists for a *much* more detailed
discussion of what exactly is going on. Bottom line is that while it's
annoying it's not malicious.
Victor
-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
Of Jay Urish
Sent: Friday, May 25, 2001 11:24 AM
To: discuss at ntlug.org
Subject: [NTLUG:Discuss] what is going on?
Hey guys,
On two of my servers I have been getting this stuff coming through the log
checker..
I know port 53 is the DNS port, and I suspect someone is trying to
compromise BIND.
Here is a snip...
Any ideas?
----
Security Violations
=-=-=-=-=-=-=-=-=-=
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
209.249.97.40:26910 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
64.37.200.46:12515 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
216.35.167.58:62709 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
216.33.35.214:31892 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
63.209.147.246:47883 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
64.55.37.26:38798 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
216.220.39.42:16839 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
207.55.138.206:35411 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
64.14.200.154:12469 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=246 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
208.184.162.71:37904 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
216.34.68.2:50424 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
64.78.235.14:15254 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
62.23.80.2:18198 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=226 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
212.78.160.237:61467 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=229 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
62.26.119.34:32240 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
64.56.174.186:35938 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
212.23.225.98:32064 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=229 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
194.213.64.150:25993 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=235 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
202.139.133.129:57182 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
203.194.166.182:22584 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
203.208.128.70:43794 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=234 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
194.205.125.26:37377 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
209.249.97.40:26910 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
216.35.167.58:62709 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
64.37.200.46:12515 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
63.209.147.246:47883 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
64.55.37.26:38798 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
216.220.39.42:16839 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
216.33.35.214:31892 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
208.184.162.71:37904 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
64.14.200.154:12469 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=246 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
207.55.138.206:35411 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
216.34.68.2:50424 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
62.23.80.2:18198 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=226 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
64.78.235.14:15254 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
212.78.160.237:61467 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=229 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
62.26.119.34:32240 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#78)
----
Jay Urish
Your Linux Guru.
Sendmail/Bind/Apache/DHCPD/IPchains/Samba expertise all in one place!
www.yourlinuxguru.com
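An added example, not part of either message in this thread: a small Python triage script for ipchains "Packet log" lines of the kind Jay pasted. It reads the lines as they appear in the mail (each record wrapped onto two physical lines after PROTO=6), groups denied packets per protocol/destination/port, and reports what a defender wants to know before concluding "BIND attack": how many distinct sources hit the port, over how many seconds, whether every packet is the same size (L=44 is a bare TCP SYN with an MSS option, i.e. a connection attempt carrying no DNS payload), and how many (source, source-port) pairs reappear, which in Jay's snip is every one of them two seconds later, as you would expect from TCP retransmitting a SYN that the firewall silently dropped. The sample input is a constructed subset of the lines in the post plus one constructed, unrelated UDP record (192.0.2.10 to port 111) to show the grouping; the thresholds in classify() are illustrative assumptions, not values from the thread.

```python
"""Triage ipchains 'Packet log' lines (constructed example, not from the thread).

Groups DENY records per (proto, dst, dport) and characterises each group:
distinct sources, time span, packet lengths and retransmitted flows.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six records taken from the post (wrapped after PROTO=6
# exactly as the mail shows them) plus one made-up UDP record for contrast.
SAMPLE_LOG = """\
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
209.249.97.40:26910 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
64.37.200.46:12515 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
216.35.167.58:62709 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
209.249.97.40:26910 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
216.35.167.58:62709 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
64.37.200.46:12515 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
May 23 05:10:01 ns kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:1027 65.67.99.225:111 L=60 S=0x00 I=0 F=0x0000 T=64 (#78)
"""

# One regex per record. The \s+ after PROTO=<n> also absorbs the line wrap that
# the mail client inserted, so wrapped and unwrapped records both parse.
RECORD_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"kernel: Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)


def parse_ipchains(text, year=2001):
    """Return a list of dicts, one per log record (syslog lines carry no year,
    so the caller supplies it; 2001 matches the thread)."""
    records = []
    for m in RECORD_RE.finditer(text):
        d = m.groupdict()
        ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}",
                               "%Y %b %d %H:%M:%S")
        records.append({
            "ts": ts, "host": d["host"], "chain": d["chain"], "action": d["action"],
            "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"]),
            "ttl": int(d["ttl"]), "rule": int(d["rule"]),
        })
    return records


def summarize(records):
    """Group by (proto, dst, dport) and describe each group."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["proto"], r["dst"], r["dport"])].append(r)
    stats = {}
    for key, rs in groups.items():
        flows = defaultdict(int)          # (src, sport) -> packet count
        for r in rs:
            flows[(r["src"], r["sport"])] += 1
        times = sorted(r["ts"] for r in rs)
        stats[key] = {
            "packets": len(rs),
            "distinct_sources": len({r["src"] for r in rs}),
            "span_seconds": (times[-1] - times[0]).total_seconds(),
            "lengths": sorted({r["length"] for r in rs}),
            # a flow seen more than once with the same source port is a
            # retransmission of a SYN the firewall already dropped
            "repeated_flows": sum(1 for n in flows.values() if n > 1),
        }
    return stats


def classify(stat, min_sources=10, max_span_seconds=5.0):
    """Illustrative labels (thresholds are assumptions): many unrelated sources
    hitting one port within seconds is a coordinated burst, which on its own
    says nothing about intent; one host hammering is a different picture."""
    if stat["distinct_sources"] >= min_sources and stat["span_seconds"] <= max_span_seconds:
        return "many-source burst"
    if stat["distinct_sources"] == 1:
        return "single source"
    return "sporadic"


def report(text, **thresholds):
    """Human-readable one-liners, one per destination group."""
    lines = []
    for (proto, dst, dport), st in sorted(summarize(parse_ipchains(text)).items()):
        lines.append(
            f"proto {proto} -> {dst}:{dport}: {st['packets']} pkts from "
            f"{st['distinct_sources']} sources over {st['span_seconds']:.0f}s, "
            f"lengths {st['lengths']}, {st['repeated_flows']} retransmitted flows "
            f"[{classify(st, **thresholds)}]"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, min_sources=3):
        print(line)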