Jon Nelson on Mon, 5 Feb 2001 13:20:19 -0500



[PLUG] Fwd: Re: named version probes



Approved-By: flynn@SECURITYFOCUS.COM
Delivered-To: focus-linux@lists.securityfocus.com
Delivered-To: FOCUS-LINUX@SECURITYFOCUS.COM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Date:         Mon, 5 Feb 2001 08:35:08 -0800
Reply-To: Focus on Linux Mailing List <FOCUS-LINUX@SECURITYFOCUS.COM>
Sender: Focus on Linux Mailing List <FOCUS-LINUX@SECURITYFOCUS.COM>
From: Avery Payne <apayne@PCFRUIT.COM>
Subject:      Re: named version probes
To: FOCUS-LINUX@SECURITYFOCUS.COM

> G'day all,
>     Anyone else picking up named version probes? The snort logs
> have picked up two named version probes doing the whole
> subnet that my mate's ISP owns. It looks like they're doing it on a big scale.
> Roy

Sure enough, I have hits at work (no hits yet on my @home, knock on wood).
Seems that "they" are spanning large swaths.  Everyone needs to get the word
out to those who haven't heard about this exploit and brace themselves for
impact in a few weeks, when presumably an exploit tool will be released. A
snippet follows from my logs:

--- Cut Here ---

Feb  2 12:23:05 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.113:53
Feb  2 12:23:17 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.116:53
Feb  2 12:23:21 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.117:53
Feb  2 12:23:25 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.118:53

--- Cut Here ---

Of course, I've upgraded my named at work already.

Trooper Jon S. NELSON Pennsylvania State Police Computer Crimes Unit Office: 610-344-4471 Page: 866-284-1603 (Toll Free) Nextel: 610-637-0707 (Private ID 8777) Alt. email: jnelson@psp.state.pa.us



______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
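
Added example (not part of the original message or of snort itself): a small Python script that reads syslog lines in the layout shown in the log snippet above and groups MISC-DNS-version-query alerts by source, so that one address querying many of your hosts stands out from an isolated lookup. The sample lines are constructed with documentation-range addresses, and the host name "gw", the alert name EXAMPLE-OTHER-ALERT and the threshold of 3 targets are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog layout quoted in the message (addresses are
# documentation ranges, not the ones from the post). It includes one alert
# wrapped by a mail client, an unrelated alert, and a single isolated query.
SAMPLE = """\
Feb  2 12:23:05 gw snort[5004]: MISC-DNS-version-query:
198.51.100.7:53 -> 192.0.2.113:53
Feb  2 12:23:17 gw snort[5004]: MISC-DNS-version-query: 198.51.100.7:53 -> 192.0.2.116:53
Feb  2 12:23:21 gw snort[5004]: MISC-DNS-version-query: 198.51.100.7:53 -> 192.0.2.117:53
Feb  2 12:23:40 gw snort[5004]: EXAMPLE-OTHER-ALERT: 203.0.113.9:1024 -> 192.0.2.10:80
Feb  2 12:24:02 gw snort[5004]: MISC-DNS-version-query: 203.0.113.20:1045 -> 192.0.2.113:53
"""

# \s+ after the rule name also matches a newline, so an alert that was
# wrapped onto two lines is still parsed as one record.
ALERT = re.compile(
    r"snort\[\d+\]:\s+MISC-DNS-version-query:\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)


def _ip_key(ip):
    """Sort dotted quads numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def version_probe_sweeps(text, min_targets=3):
    """Return {source: [targets]} for every source that sent version queries
    to at least min_targets distinct hosts (the threshold is an assumption)."""
    targets = defaultdict(set)
    for match in ALERT.finditer(text):
        targets[match["src"]].add(match["dst"])
    return {
        src: sorted(dsts, key=_ip_key)
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, dsts in version_probe_sweeps(SAMPLE).items():
        print(f"{src} sent version queries to {len(dsts)} hosts: {', '.join(dsts)}")
```

Run against a real log by passing the file contents instead of SAMPLE; lowering min_targets to 1 lists every source that triggered the rule.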