[NTLUG:Discuss] what is going on?

Jay Urish j at yourlinuxguru.com
Fri May 25 13:10:43 CDT 2001


I still wonder if it isn't that DNS worm that's floating around..

I'm getting too many rejected hits.

At 01:02 PM 5/24/2001 -0500, you wrote:
>The address that tried doing this resolves to mirror.image.com. If you go
>look at this page: http://www.mirror-image.com/services/overview.html,
>you'll see what's going on.
>
>Mirror-Image apparently uses tools designed to find the optimal path to the
>clients requesting services. Microsoft (among many other sites) uses this
>technology on their site as well. In theory, these tools track the optimum
>path back to the client for faster content delivery.
>
>Unfortunately, the way they track the path back is by hitting port 53 on the
>requesting machine and seeing how long the ACK or NACK takes to come back
>(ok, that's a very simplified explanation but it'll serve for the purposes
>of this discussion). Why port 53? Probably because it's the one incoming
>port that most firewalls don't block. Check out the recent archives of the
>Bugtraq and SecurityFocus mailing lists for a *much* more detailed
>discussion of what exactly is going on. Bottom line is that while it's
>annoying it's not malicious.
>
>Victor
>
>-----Original Message-----
>From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
>Of Jay Urish
>Sent: Friday, May 25, 2001 11:24 AM
>To: discuss at ntlug.org
>Subject: [NTLUG:Discuss] what is going on?
>
>
>Hey guys,
>On two of my servers I have been getting this stuff coming through the log
>checker..
>
>I know port 53 is the DNS port, and I suspect someone is trying to
>compromise BIND.
>
>Here is a snip...
>
>Any ideas?
>
>----
>Security Violations
>=-=-=-=-=-=-=-=-=-=
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>209.249.97.40:26910 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.37.200.46:12515 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>216.35.167.58:62709 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>216.33.35.214:31892 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>63.209.147.246:47883 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.55.37.26:38798 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>216.220.39.42:16839 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>207.55.138.206:35411 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.14.200.154:12469 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=246 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>208.184.162.71:37904 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>216.34.68.2:50424 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.78.235.14:15254 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>62.23.80.2:18198 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=226 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>212.78.160.237:61467 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=229 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>62.26.119.34:32240 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.56.174.186:35938 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>212.23.225.98:32064 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=229 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>194.213.64.150:25993 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=235 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>202.139.133.129:57182 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>203.194.166.182:22584 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>203.208.128.70:43794 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=234 (#78)
>May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6
>194.205.125.26:37377 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>209.249.97.40:26910 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>216.35.167.58:62709 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.37.200.46:12515 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>63.209.147.246:47883 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.55.37.26:38798 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>216.220.39.42:16839 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>216.33.35.214:31892 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>208.184.162.71:37904 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.14.200.154:12469 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=246 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>207.55.138.206:35411 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>216.34.68.2:50424 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>62.23.80.2:18198 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=226 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>64.78.235.14:15254 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>212.78.160.237:61467 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=229 (#78)
>May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6
>62.26.119.34:32240 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#78)
>----
>
>
>
>Jay Urish
>Your Linux Guru.
>Sendmail/Bind/Apache/DHCPD/IPchains/Samba expertise all in one place!
>www.yourlinuxguru.com
>
>_______________________________________________
>http://www.ntlug.org/mailman/listinfo/discuss
>


Jay Urish
Your Linux Guru.
Sendmail/Bind/Apache/DHCPD/IPchains/Samba expertise all in one place!
www.yourlinuxguru.com
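The thread turns on one question: is the burst of denied port-53 packets a single host probing BIND, or many unrelated hosts each making one connection attempt and retrying when the SYN is dropped (the latency-measurement pattern Victor describes)? The following is an added example, not code from the thread or from any project, that pulls that distinction out of the ipchains "Packet log" format quoted in the post. It assumes the Linux 2.2 ipchains log layout shown above, the names `parse_line` and `analyze` are my own, and the thresholds (five sources, a five-second window, three ports) are arbitrary assumptions for illustration. The sample input is five entries taken from the post (rejoined onto one line each, as the kernel writes them, with their repeats two seconds later) plus a constructed contrast set in which a placeholder host, 10.0.0.5, tries four different ports in turn.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the ipchains "Packet log" line quoted in the post (Linux 2.2).
# Named groups keep the fields reported on; TOS, IP id and fragment flags
# are matched but discarded.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x[0-9a-fA-F]+ "
    r"I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)


def parse_line(line, year=2001):
    """Parse one ipchains log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year, so the caller supplies one (2001 here);
    # collapse the double space syslog emits for single-digit days ("May  3").
    ts = " ".join(d["ts"].split())
    return {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "verdict": d["verdict"], "iface": d["iface"], "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "ttl": int(d["ttl"]), "rule": int(d["rule"]),
    }


def analyze(lines, year=2001, burst_sources=5, burst_window_s=5.0, walk_ports=3):
    """Group DENY lines by (protocol, destination port) and describe each group.

    Thresholds are assumptions for this example. A group is a "many-source
    burst" when at least burst_sources distinct hosts hit one port within
    burst_window_s seconds, each from a single source port (one connection
    attempt, seen again only as a retransmitted SYN). Any source that touched
    walk_ports or more destination ports is listed separately as a port walker.
    """
    recs = [r for r in (parse_line(l, year) for l in lines)
            if r is not None and r["verdict"] == "DENY"]
    by_port = defaultdict(list)
    ports_per_src = defaultdict(set)
    for r in recs:
        by_port[(r["proto"], r["dport"])].append(r)
        ports_per_src[r["src"]].add(r["dport"])

    report = {"ports": {}, "port_walkers": sorted(
        src for src, ports in ports_per_src.items() if len(ports) >= walk_ports)}
    for key, group in by_port.items():
        sources = {r["src"] for r in group}
        flows = {(r["src"], r["sport"]) for r in group}   # distinct src:port pairs
        times = [r["time"] for r in group]
        window = (max(times) - min(times)).total_seconds()
        retransmits = len(group) - len(flows)             # same pair logged again
        burst = (len(sources) >= burst_sources and window <= burst_window_s
                 and len(flows) == len(sources) and retransmits > 0)
        report["ports"][key] = {
            "lines": len(group), "sources": len(sources), "flows": len(flows),
            "retransmits": retransmits, "window_s": window,
            "ttls": sorted({r["ttl"] for r in group}),
            "pattern": "many-source burst" if burst else "other",
        }
    return report


# Five entries from the post, plus their repeats two seconds later.
BURST_LINES = [
    "May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:26910 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)",
    "May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:12515 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)",
    "May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6 216.35.167.58:62709 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)",
    "May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6 216.33.35.214:31892 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)",
    "May 23 05:04:24 ns kernel: Packet log: input DENY eth0 PROTO=6 63.209.147.246:47883 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)",
    "May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:26910 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#78)",
    "May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6 216.35.167.58:62709 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)",
    "May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:12515 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)",
    "May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6 63.209.147.246:47883 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#78)",
    "May 23 05:04:26 ns kernel: Packet log: input DENY eth0 PROTO=6 216.33.35.214:31892 65.67.99.225:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#78)",
]
# Constructed contrast: one placeholder host (10.0.0.5) trying four ports in turn.
WALK_LINES = [
    f"May 23 05:10:0{i} ns kernel: Packet log: input DENY eth0 PROTO=6 "
    f"10.0.0.5:{40000 + i} 65.67.99.225:{port} L=44 S=0x00 I=0 F=0x0000 T=58 (#78)"
    for i, port in enumerate((21, 22, 23, 25))
]

if __name__ == "__main__":
    report = analyze(BURST_LINES + WALK_LINES)
    for (proto, port), s in sorted(report["ports"].items()):
        print(f"proto {proto} port {port}: {s}")
    print("port walkers:", report["port_walkers"])
```

On the post's data the port-53 group comes out as five sources, five flows, five retransmits and a two-second window, i.e. each host made exactly one connection attempt and re-sent its SYN once after the firewall dropped it, while the constructed 10.0.0.5 entries land in the port-walker list. The varied TTLs (226 to 247 across the full log) are a second hint that the packets crossed different path lengths from unrelated origins rather than coming from one sender; a real triage would still confirm the sources with reverse DNS and whois, as Victor did.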