Approved-By: flynn@SECURITYFOCUS.COM
Delivered-To: focus-linux@lists.securityfocus.com
Delivered-To: FOCUS-LINUX@SECURITYFOCUS.COM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Date: Mon, 5 Feb 2001 08:35:08 -0800
Reply-To: Focus on Linux Mailing List <FOCUS-LINUX@SECURITYFOCUS.COM>
Sender: Focus on Linux Mailing List <FOCUS-LINUX@SECURITYFOCUS.COM>
From: Avery Payne <apayne@PCFRUIT.COM>
Subject: Re: named version probes
To: FOCUS-LINUX@SECURITYFOCUS.COM
> G'day all,
> Anyone else picking up named version probes. The snort logs
> have picked up two named version probes doing the whole
> Subnet that my mates ISP owns. It look likes they doing on big scale.
> Roy
Sure enough, I have hits at work (no hits yet on my @home, knock on wood).
Seems that "they" are spanning large swaths. Everyone needs to get the word
out to those who haven't heard about this exploit and brace themselves for
impact in a few weeks, when presumably an exploit tool will be released. A
snippet follows from my logs:
--- Cut Here ---
Feb 2 12:23:05 pcfgw snort[5004]: MISC-DNS-version-query:
209.203.222.5:53 -> 209.95.32.113:53
Feb 2 12:23:17 pcfgw snort[5004]: MISC-DNS-version-query:
209.203.222.5:53 -> 209.95.32.116:53
Feb 2 12:23:21 pcfgw snort[5004]: MISC-DNS-version-query:
209.203.222.5:53 -> 209.95.32.117:53
Feb 2 12:23:25 pcfgw snort[5004]: MISC-DNS-version-query:
209.203.222.5:53 -> 209.95.32.118:53
--- Cut Here ---
Of course, I've upgraded my named at work already.