
[cobalt-security] approved AXFR



Hello,
A few weeks ago I sent an email to this group enquiring about "approved
AXFR". I received a couple of replies which basically told me not to worry.
However, I have again received a report from Logcheck (see below).
Interestingly, I received a similar report for my only other dot ie (Ireland)
domain 2 hours later. Nothing like this for any of my dot com domains. I
sent the Irish Registry an email - please see their reply below. I would be
grateful if anybody could shed some extra light on this.

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for
"gregans.ie"
Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to
[202.54.50.211].3720

Declan,

Your log messages mean that someone, likely in the Bombay area of India, has
helped himself to a copy of the zone file for each of these domains.

Many domain administrators block zone transfer except from slave servers and
from servers belonging to recognized statistical projects.  I expect you can
do this with a simple directive in your name server configuration.  This is
certainly the case for BIND.

If you are inclined to view this access as abuse, the following information
from the APNIC whois server will probably be of use.  APNIC administer the
allocation of IP addresses in the Asia-Pacific region, just as the RIPE-NCC
does in the extended European region.  You will see that the address
mentioned in your logs belongs to the range shown below.

[whois.apnic.net]

% Rights restricted by copyright. See
http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net)

inetnum:     202.54.50.0 - 202.54.50.255
netname:     VSNL-NAGPUR
descr:       Nagpur Internet Node
country:     IN
admin-c:     NS1-IN
tech-c:      NS1-IN
mnt-by:      VSNL-MAINT
changed:     gpsingh@xxxxxxxxxxxxxxxxxxxx 971219
source:      APNIC

person:      NEERAJ SONKER
address:     VIDESH SANCHAR NIGAM LTD.
address:     VIDESH SANCHAR BHAWAN, M.G.ROAD, FORT, BOMBAY 400 001
phone:       +91 22 2624020 ext 2167
fax-no:      +91 22 2624070
e-mail:      neeraj@xxxxxxxxxxxxxxxxxxxx
nic-hdl:     NS1-IN
notify:      neeraj@xxxxxxxxxxxxxxxxxxxx
changed:     neeraj@xxxxxxxxxxxxxxxxxxxx 951117
source:      APNIC

One recognized statistical project for which I would recommend you allow
zone transfer is the RIPE hostcount, a monthly count of all the systems on
the Internet in the RIPE area.  For this purpose,
ie-collector.hostcount.ripe.net (193.1.193.194) will need access to your
zone file.

I notice that your two servers for gregans.ie appear to be on the same IP
subnet:

ns2.achieve-it.com.     0S IN A         212.67.197.39
ns.achieve-it.com.      0S IN A         212.67.197.38

This arrangement means that the domain has a single point of failure in the
network equipment which connects this network.  You may wish to review your
placement of the DNS servers.

Copying of the zone file has no direct bearing on mail system performance.

At 14:15 +0000 27-01-2002, Achieve Website Design wrote:
>Hello,
>I have a Colocated Raq4 server, located in the UK, from which I host
>approx. 50 sites. Two of these sites, have dot ie extensions, gregans.ie &
>50 sites. Two of these sites, have dot ie extensions, gregans.ie &
>flowersbylucy.ie . My server sends me log reports every hour, and I have
>just noticed the report below. I have nothing to do with the address
>202.54.50.211. I also got this report in a later report, reporting the same
>for flowersbylucy.ie. This happened before, a few weeks ago, but I didn't
>take too much notice as everything else seemed to be O.K.  I have never
>received such a report for any of the dot com/net domains which I have
>hosted on my server.
>
>However, last week, email which I was sending to gregans.ie was
>disappearing and as such I am wondering if the report below could be the
>problem.
>
>Unusual System Events
>=-=-=-=-=-=-=-=-=-=-=
>Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for
>"gregans.ie"
>Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to
>[202.54.50.211].3720
>
>Regards,
>Declan Connolly.
>
>Achieve Website Design
>Cartron Road
>Kinvara
>Co. Galway.
>tel. 091 637500


--
Best regards,

Niall O'Reilly PSTN: +353 (0)1 230 0797
Technical Manager, IE Domain Registry Ltd GSM: +353 (0)87 221 0237

The IE Domain Registry wishes you a happy and successful year in 2002.
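The advice in the Registry's reply boils down to two things: treat an "approved AXFR" from an address that is neither your slave nor a known statistical collector as an event worth looking at, and restrict transfers with BIND's allow-transfer directive so that only those hosts can pull the zone. The script below is an added example written for this archive entry, not code from anyone in the thread or from the cobalt-security list. It parses named log lines of the exact shape Logcheck reported above, flags transfers from addresses outside an allow-list, and renders the matching allow-transfer stanza from that same list so the audit and the configuration cannot drift apart. The allow-list itself is an assumption about this particular setup: the slave address 212.67.197.39 (ns2.achieve-it.com) and the RIPE hostcount collector 193.1.193.194 are taken from the thread, and the sample log is constructed from the two lines quoted above plus two made-up lines (one for flowersbylucy.ie, one legitimate pull by the slave).

```python
import ipaddress
import re

# BIND 8 style log lines, as reported by Logcheck in the thread:
#   Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for "gregans.ie"
# Only the "approved AXFR from" line is matched; the companion
# "zone transfer (AXFR) of ..." line describes the same event and is skipped
# so that each transfer is counted once.
AXFR_RE = re.compile(
    r'named\[\d+\]: approved AXFR from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) '
    r'for "(?P<zone>[^"]+)"'
)

# Hosts that legitimately need the zone (assumption for this setup, taken
# from the thread). Entries may be single addresses or CIDR prefixes.
ALLOWED_TRANSFER_SOURCES = (
    "212.67.197.39",   # ns2.achieve-it.com, secondary for gregans.ie
    "193.1.193.194",   # ie-collector.hostcount.ripe.net (RIPE hostcount)
)

# Constructed sample log: the two real lines from the thread, a made-up
# line for the second .ie domain, and a made-up legitimate slave transfer.
SAMPLE_LOG = """\
Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for "gregans.ie"
Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to [202.54.50.211].3720
Jan 26 21:20:01 ns named[420]: approved AXFR from [202.54.50.211].4112 for "flowersbylucy.ie"
Jan 26 22:00:07 ns named[420]: approved AXFR from [212.67.197.39].1025 for "gregans.ie"
"""


def parse_axfr_events(log_text):
    """Return one dict per approved transfer: source ip, source port, zone."""
    events = []
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if m:
            events.append({
                "ip": m.group("ip"),
                "port": int(m.group("port")),
                "zone": m.group("zone"),
            })
    return events


def unexpected_transfers(events, allowed=ALLOWED_TRANSFER_SOURCES):
    """Transfers whose source is not covered by any allowed address/prefix."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    flagged = []
    for ev in events:
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in allowed_nets):
            flagged.append(ev)
    return flagged


def bind_allow_transfer(allowed=ALLOWED_TRANSFER_SOURCES):
    """Render the named.conf directive that limits AXFR to the allow-list.

    Put it in the options {} block to cover every zone, or inside a
    zone {} block to override for that zone only.
    """
    ordered = sorted(allowed, key=lambda a: ipaddress.ip_network(a))
    return "allow-transfer { %s; };" % "; ".join(ordered)


if __name__ == "__main__":
    events = parse_axfr_events(SAMPLE_LOG)
    for ev in unexpected_transfers(events):
        print("unexpected AXFR of %s from %s:%d" % (ev["zone"], ev["ip"], ev["port"]))
    print(bind_allow_transfer())
```

Once the directive is in named.conf and the server reloaded, confirm from a host that is not on the list that `dig @ns.achieve-it.com gregans.ie axfr` is refused; a later "approved AXFR" line from any other address then means the configuration did not take effect, rather than a harmless one-off.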