Beldon on Mon, 5 Feb 2001 22:57:36 -0500



Fwd: Re: [PLUG] Fwd: Re: named version probes


A friend of mine is seeing a lot of the following.  Anyone got any ideas?

(He's on @home, if that helps).

----------  Forwarded Message  ----------
Subject: Re: [PLUG] Fwd: Re: named version probes
Date: Mon, 5 Feb 2001 22:56:24 -0500
From: "Marshall Buck" <marshall.buck@home.com>
To: "Beldon" <beldon@speakeasy.org>


No, this is what I am seeing on the Linksys box:


Incoming Log Table
Source IP & Destination Port Number

----- Original Message -----
From: "Beldon" <beldon@speakeasy.org>
To: "Marshall Buck" <marshall.buck@home.com>
Sent: Monday, February 05, 2001 5:52 PM
Subject: Fwd: [PLUG] Fwd: Re: named version probes


Is this what you have been seeing?

----------  Forwarded Message  ----------
Subject: [PLUG] Fwd: Re: named version probes
Date: Mon, 05 Feb 2001 13:12:23 -0500
From: Jon Nelson <bigfish@enter.net>
To: plug@lists.phillylinux.org


>Date:         Mon, 5 Feb 2001 08:35:08 -0800
>From: Avery Payne <apayne@PCFRUIT.COM>
>Subject:      Re: named version probes
>To: FOCUS-LINUX@SECURITYFOCUS.COM
>
> > G'day all,
> > Anyone else picking up named version probes? The snort logs
> > have picked up two named version probes doing the whole
> > subnet that my mate's ISP owns. It looks like they are doing it on a big scale.
> > Roy
>
>Sure enough, I have hits at work (no hits yet on my @home, knock on wood).
>Seems that "they" are spanning large swaths.  Everyone needs to get the word
>out to those who haven't heard about this exploit and brace themselves for
>impact in a few weeks, when presumably an exploit tool will be released. A
>snippet follows from my logs:
>
>--- Cut Here ---
>
>Feb  2 12:23:05 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.113:53
>Feb  2 12:23:17 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.116:53
>Feb  2 12:23:21 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.117:53
>Feb  2 12:23:25 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.118:53
>
>--- Cut Here ---
>
>Of course, I've upgraded my named at work already.

Trooper Jon S. NELSON
Pennsylvania State Police
Computer Crimes Unit
Office:  610-344-4471
Page:  866-284-1603 (Toll Free)
Nextel:  610-637-0707 (Private ID 8777)
Alt. email:  jnelson@psp.state.pa.us



______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug

-------------------------------------------------------

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT/MU/CS/PA d s:++ a C++ UA$ P+++ L++>++++ E W++ N++ o-- K w--- O- M+ V-- PS+
PE Y+ PGP+ t+ 5-- X- R* !tv b++ DI++ D+ G++ e+ h--- r+++ y++++
-----END GEEK CODE BLOCK-------
For translation:  http://www.kluge.net/ungeek.html
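
An added example, not part of the original thread and not Snort's own code: a check that reads alert lines in the syslog layout quoted in the forwarded message above and reports sources that sent version queries to several hosts in a short time. The sample lines, the host name `gw`, the documentation-range addresses, the `year` argument and the `min_targets` and `window` thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog layout of the snippet in the thread
# (addresses are from documentation ranges, not from the original post).
SAMPLE_LOG = """\
Feb  2 12:23:05 gw snort[5004]: MISC-DNS-version-query: 192.0.2.5:53 -> 198.51.100.113:53
Feb  2 12:23:17 gw snort[5004]: MISC-DNS-version-query: 192.0.2.5:53 -> 198.51.100.116:53
Feb  2 12:23:21 gw snort[5004]: MISC-DNS-version-query: 192.0.2.5:53 -> 198.51.100.117:53
Feb  2 12:23:25 gw snort[5004]: MISC-DNS-version-query: 192.0.2.5:53 -> 198.51.100.118:53
Feb  2 12:40:02 gw snort[5004]: MISC-DNS-version-query: 203.0.113.9:1044 -> 198.51.100.113:53
Feb  2 12:41:10 gw sshd[811]: unrelated line that must be ignored
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+snort\[\d+\]:\s+"
    r"MISC-DNS-version-query:\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)

def parse_alerts(text, year=2001):
    """Yield (timestamp, src_ip, dst_ip) for each version-query alert line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        # Syslog omits the year, so the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["dst"]

def find_sweeps(text, min_targets=3, window=timedelta(minutes=5)):
    """Return {src: sorted targets} for sources probing >= min_targets hosts in one window."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_alerts(text):
        by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past stale alerts
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                sweeps[src] = sorted(targets | set(sweeps.get(src, [])))
    return sweeps

print(find_sweeps(SAMPLE_LOG))
```

Alert lines that a mail client has wrapped across two lines, as in the forwarded snippet, need to be rejoined before parsing.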
