new Bind exploit?
bscott at ntisys.com
Wed Oct 1 13:07:24 EDT 2003
On Wed, 1 Oct 2003, at 10:12am, jeff.macdonald at virtualbuilder.com wrote:
> Ok, so these are not queries directed to my server because my server was
> listed as a name server for those domains but these are queries generated
> by some process on my system asking for domains that are lame.
Correct.
> This must be sendmail looking up DNS records when receiving mail (the
> machine is my web/mail server).
Entirely likely.
> Is anyone else seeing entries like these?
*snort* Just a few...
# grep -c lame /var/log/messages*
/var/log/messages:14239
/var/log/messages.1:14740
/var/log/messages.2:1687
/var/log/messages.3:2812
/var/log/messages.4:3740
Those logs are rotated weekly. As you can see, there were quite a few, even
a few weeks ago. But, we do see a marked increase in the past two weeks.
I wonder if this has anything to do with the Verisign wildcard fiasco.
> I have several hundred more today (all with 0.0 for the 2nd and 3rd
> octets).
What about the first octet? (Which is the top-most (right-most) octet for
reverse DNS lookups.) Any pattern there? That's what matters for DNS
delegation.
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
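
The first-octet question raised in the message above can be answered by grouping the lame-server entries instead of only counting them. This is an added example, not part of the original post; it assumes the BIND 9 style wording `lame server resolving 'NAME' (in 'ZONE'?): ADDR#53`, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally BIND "lame server" entries for reverse lookups by the
# first IPv4 octet, i.e. the right-most label before .in-addr.arpa.
# Assumed message wording (BIND 9 style), not shown in the post:
#   lame server resolving 'NAME' (in 'ZONE'?): ADDR#53

lame_by_first_octet() {   # hypothetical helper name
    awk '
    /lame server resolving/ {
        # The queried name is the first single-quoted string on the line.
        if (split($0, q, "\047") < 3) next
        name = tolower(q[2])
        sub(/\.$/, "", name)                      # drop a trailing root dot
        if (name !~ /\.in-addr\.arpa$/) { other++; next }
        sub(/\.in-addr\.arpa$/, "", name)
        n = split(name, label, ".")
        # Reject labels that are not a valid octet (0-255).
        if (label[n] !~ /^[0-9]+$/ || (label[n] + 0) > 255) { other++; next }
        count[label[n] + 0]++
    }
    END {
        for (o in count) printf "%d %s\n", count[o], o
        if (other) printf "%d other\n", other    # forward names or malformed
    }' "$@" | LC_ALL=C sort -k1,1nr -k2,2
}

sample_log() {            # constructed log lines, documentation addresses
    cat <<'EOF'
Oct  1 10:01:02 host named[812]: lame server resolving '7.0.0.10.in-addr.arpa' (in '10.in-addr.arpa'?): 192.0.2.53#53
Oct  1 10:01:09 host named[812]: lame server resolving '9.0.0.10.in-addr.arpa' (in '10.in-addr.arpa'?): 192.0.2.53#53
Oct  1 10:02:40 host named[812]: lame server resolving '3.0.0.172.in-addr.arpa' (in '172.in-addr.arpa'?): 198.51.100.7#53
Oct  1 10:03:11 host named[812]: lame server resolving 'example.invalid' (in 'example.invalid'?): 203.0.113.9#53
Oct  1 10:03:15 host sendmail[990]: unrelated line mentioning lame
EOF
}

# Prints "count first-octet" pairs, most frequent first.
sample_log | lame_by_first_octet
```

Run against real logs as `lame_by_first_octet /var/log/messages*`; unlike `grep -c lame`, it skips lines that merely contain the word "lame".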