Chad Glynn on Mon, 5 Feb 2001 23:10:38 -0500



Re: Fwd: Re: [PLUG] Fwd: Re: named version probes


Ignore the 24.0.0.203 address; I get scanned all the time.

But wouldn't named version probes happen on the named port, port 53?

Big Brother Is Watching >> nslookup 24.0.0.203
Server:  ns1.netaxs.com
Address:  207.106.1.2

Name:    authorized-scan1.security.home.net
Address:  24.0.0.203


On Mon, 5 Feb 2001, Beldon wrote:

> A friend of mine is seeing a lot of the following.  Anyone got any ideas?
> 
> (He's on @home, if that helps).
> 
> ----------  Forwarded Message  ----------
> Subject: Re: [PLUG] Fwd: Re: named version probes
> Date: Mon, 5 Feb 2001 22:56:24 -0500
> From: "Marshall Buck" <marshall.buck@home.com>
> To: "Beldon" <beldon@speakeasy.org>
> 
> 
> No this is what I am seeing on the Linksys Box
> 
> 
> Incoming Log Table
> Source IP & Destination Port Number
> 
> ----- Original Message -----
> From: "Beldon" <beldon@speakeasy.org>
> To: "Marshall Buck" <marshall.buck@home.com>
> Sent: Monday, February 05, 2001 5:52 PM
> Subject: Fwd: [PLUG] Fwd: Re: named version probes
> 
> 
> Is this what you have been seeing?
> 
> ----------  Forwarded Message  ----------
> Subject: [PLUG] Fwd: Re: named version probes
> Date: Mon, 05 Feb 2001 13:12:23 -0500
> From: Jon Nelson <bigfish@enter.net>
> To: plug@lists.phillylinux.org
> 
> 
> >Approved-By: flynn@SECURITYFOCUS.COM
> >Delivered-To: focus-linux@lists.securityfocus.com
> >Delivered-To: FOCUS-LINUX@SECURITYFOCUS.COM
> >X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> >Date:         Mon, 5 Feb 2001 08:35:08 -0800
> >Reply-To: Focus on Linux Mailing List <FOCUS-LINUX@SECURITYFOCUS.COM>
> >Sender: Focus on Linux Mailing List <FOCUS-LINUX@SECURITYFOCUS.COM>
> >From: Avery Payne <apayne@PCFRUIT.COM>
> >Subject:      Re: named version probes
> >To: FOCUS-LINUX@SECURITYFOCUS.COM
> >
> > > G'day all,
> > >                Anyone else picking up named version probes? The snort
> > > logs have picked up two named version probes doing the whole
> > > subnet that my mate's ISP owns. It looks like they're doing it on a big scale.
> > > Roy
> >
> >Sure enough, I have hits at work (no hits yet on my @home, knock on wood).
> >Seems that "they" are spanning large swaths.  Everyone needs to get the
> >word out to those who haven't heard about this exploit and brace themselves for
> >impact in a few weeks, when presumably an exploit tool will be released. A
> >snippet follows from my logs:
> >
> >--- Cut Here ---
> >
> >Feb  2 12:23:05 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.113:53
> >Feb  2 12:23:17 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.116:53
> >Feb  2 12:23:21 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.117:53
> >Feb  2 12:23:25 pcfgw snort[5004]: MISC-DNS-version-query: 209.203.222.5:53 -> 209.95.32.118:53
> >
> >--- Cut Here ---
> >
> >Of course, I've upgraded my named at work already.
> 
> Trooper Jon S. NELSON
> Pennsylvania State Police
> Computer Crimes Unit
> Office:  610-344-4471
> Page:  866-284-1603 (Toll Free)
> Nextel:  610-637-0707 (Private ID 8777)
> Alt. email:  jnelson@psp.state.pa.us
> 
> 
> 
> ______________________________________________________________________
> Philadelphia Linux Users Group       -      http://www.phillylinux.org
> Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
> General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
> 
> -------------------------------------------------------
> 
> --
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GIT/MU/CS/PA d s:++ a C++ UA$ P+++ L++>++++ E W++ N++ o-- K w--- O- M+ V--
> PS+
> PE Y+ PGP+ t+ 5-- X- R* !tv b++ DI++ D+ G++ e+ h--- r+++ y++++
> -----END GEEK CODE BLOCK-------
> For translation:  http://www.kluge.net/ungeek.html
> 
> -------------------------------------------------------
> 
> 
> 
> 



			Chad :)
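Chad's triage rule above (named version probes would land on port 53, and a source that resolves to @home's own authorized scanner can be set aside) applied to the two log shapes in the thread, as an added Python example that is not part of the thread. The sample log lines are constructed; only 24.0.0.203 and its hostname come from the thread.

```python
import re
from collections import defaultdict

# Constructed Linksys "Incoming Log Table" lines (source IP, destination port),
# in the same shape as the log quoted in the thread.
LINKSYS_LOG = """\
172.168.226.189 27374
24.0.0.203 119
24.0.0.203 119
24.64.221.120 111
198.51.100.7 53
198.51.100.7 53
"""

# Constructed snort lines in the shape of the thread's MISC-DNS-version-query alerts.
SNORT_LOG = """\
Feb  2 12:23:05 pcfgw snort[5004]: MISC-DNS-version-query: 198.51.100.7:53 -> 203.0.113.10:53
Feb  2 12:23:17 pcfgw snort[5004]: MISC-DNS-version-query: 198.51.100.7:53 -> 203.0.113.11:53
"""

# Sources already identified as authorized; the entry is the scanner named in the thread
# (from Chad's nslookup), the table itself is this example's assumption.
AUTHORIZED = {"24.0.0.203": "authorized-scan1.security.home.net"}

def parse_linksys(text):
    """Return {source_ip: {dest_port: hit_count}} from 'ip port' lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)$", line.strip())
        if m:
            hits[m.group(1)][int(m.group(2))] += 1
    return hits

SNORT_RE = re.compile(r"MISC-DNS-version-query:\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")

def parse_snort(text):
    """Return [(src_ip, dst_ip)] for each DNS version-query alert line."""
    return [(m.group(1), m.group(3))
            for m in (SNORT_RE.search(l) for l in text.splitlines()) if m]

def triage(linksys_text, snort_text, authorized):
    """Label each source: authorized scanner, port-53 named-probe candidate, or other."""
    verdicts = {}
    probe_sources = {src for src, _ in parse_snort(snort_text)}
    for src, ports in parse_linksys(linksys_text).items():
        if src in authorized:
            verdicts[src] = "authorized scanner (%s)" % authorized[src]
        elif 53 in ports or src in probe_sources:
            verdicts[src] = "named version probe candidate (port 53)"
        else:
            verdicts[src] = "other scan, ports %s" % sorted(ports)
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(triage(LINKSYS_LOG, SNORT_LOG, AUTHORIZED).items()):
        print(src, "->", verdict)
```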

