
[cobalt-security] Raq4 bind/named/MX



Hey Everyone,

Been getting some weird log entries starting Friday night:

Security Violations
=-=-=-=-=-=-=-=-=-=

named[353]: refused query on non-query socket from [207.14.100.134].53
named[353]: refused query on non-query socket from [207.14.100.134].53
named[353]: Malformed response from [152.52.35.254].53 (dn_expand failed in authority)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
named[353]: Malformed response from [63.251.83.36].53 (query section mismatch (capescott.net IN MX))
named[353]: Malformed response from [212.118.244.163].53 (query section mismatch (capescott.net IN MX))
named[353]: Malformed response from [66.150.5.63].53 (query section mismatch (capescott.net IN MX))
named[353]: Malformed response from [66.150.5.103].53 (query section mismatch (capescott.net IN MX))
named[353]: Malformed response from [80.67.179.102].53 (query section mismatch (phase4.net IN MX))
named[353]: Malformed response from [80.67.180.41].53 (query section mismatch (phase4.net IN MX))

Couldn't find the answer in the archives, and didn't really find an answer in
Google.  capescott.net IN MX and phase4.net IN MX are just the few I've pasted,
but there are more, as well as more/different IP addys.  Some of the answers
I've seen mentioned vulnerable BIND versions; I have the latest from
solarspeed.  Just starting to get worried, as some other possible answers have
mentioned port scanning OR WORSE.  Some of them come 10 in a row with the same
time stamp, like 23:30:29 (to the same second), then nothing for a while.  Any
ideas or other places to look/learn???

TIA,

Dave~
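Added example for triaging the two kinds of named entries quoted in the post above (this is not code from the original post or from the cobalt-security list). In BIND 8, "refused query on non-query socket" is logged when a query arrives on the socket named uses for its own outbound queries, and "query section mismatch" means the question section of a reply did not match the question named had sent. The script parses those message shapes, summarizes them by message kind, source address and source port, and queried name, and flags same-second bursts of the size the poster describes (10 in one second). The sample log lines are constructed from the entries in the post with a syslog timestamp and the hostname `raq4` assumed, since the logcheck-style report strips both; the threshold of 10 is likewise an assumption taken from the post.

```python
"""Triage helper for BIND 8 named log lines of the kinds quoted in the post.

Added example, not part of the original post. SAMPLE_LOG is constructed:
the IPs, names and message text come from the post, the timestamps and the
hostname 'raq4' are assumed because the logcheck report omits them.
"""
import re
from collections import Counter

# Two message shapes: "refused query on non-query socket from [ip].port" and
# "Malformed response from [ip].port (detail)", where detail is optional.
NAMED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+named\[(?P<pid>\d+)\]:\s+'
    r'(?P<kind>refused query on non-query socket|Malformed response)\s+from\s+'
    r'\[(?P<ip>[\d.]+)\]\.(?P<port>\d+)'
    r'(?:\s+\((?P<detail>.*)\))?\s*$'
)
# Inner detail of a mismatch: "query section mismatch (capescott.net IN MX)"
MISMATCH_RE = re.compile(r'query section mismatch \((?P<name>\S+) IN (?P<rtype>\S+)\)')

CAPESCOTT = "capescott.net"
PHASE4 = "phase4.net"
SAMPLE_LOG = [
    "Mar 15 23:30:29 raq4 named[353]: refused query on non-query socket from [207.14.100.134].53",
    "Mar 15 23:30:29 raq4 named[353]: refused query on non-query socket from [207.14.100.134].53",
    "Mar 15 23:30:29 raq4 named[353]: Malformed response from [152.52.35.254].53 (dn_expand failed in authority)",
] + [
    f"Mar 15 23:30:29 raq4 named[353]: Malformed response from [{ip}].53 "
    f"(query section mismatch ({name} IN MX))"
    for ip, name in [
        ("63.251.83.36", CAPESCOTT), ("212.118.244.163", CAPESCOTT),
        ("66.150.5.63", CAPESCOTT), ("66.150.5.103", CAPESCOTT),
        ("80.67.179.102", PHASE4), ("80.67.180.41", PHASE4),
        ("63.251.83.36", CAPESCOTT), ("212.118.244.163", CAPESCOTT),
        ("80.67.179.102", PHASE4),
    ]
] + [
    "Mar 15 23:31:02 raq4 named[353]: Malformed response from [80.67.180.41].53 (query section mismatch (phase4.net IN MX))",
    # A non-named line (constructed) that the parser must ignore.
    "Mar 15 23:31:02 raq4 crond[400]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_named_line(line):
    """Return a dict for a recognized named line, or None for anything else."""
    m = NAMED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["rtype"] = None
    if rec["detail"]:
        mm = MISMATCH_RE.search(rec["detail"])
        if mm:
            rec["name"], rec["rtype"] = mm.group("name"), mm.group("rtype")
    return rec


def summarize(lines, burst_threshold=10):
    """Count messages by kind, source and question; flag same-second bursts."""
    recs = [r for r in map(parse_named_line, lines) if r]
    by_kind = Counter(r["kind"] for r in recs)
    by_source = Counter(r["ip"] for r in recs)
    by_question = Counter((r["name"], r["rtype"]) for r in recs if r["name"])
    per_second = Counter((r["ts"], r["kind"]) for r in recs)
    bursts = {f"{ts} {kind}": n for (ts, kind), n in per_second.items()
              if n >= burst_threshold}
    # Remote nameservers answer from port 53; any other source port on these
    # messages is worth a closer look than the port-53 traffic.
    non_port53 = sorted({r["ip"] for r in recs if r["port"] != "53"})
    return {
        "records": len(recs),
        "by_kind": dict(by_kind),
        "by_source": dict(by_source),
        "by_question": {f"{n} IN {t}": c for (n, t), c in by_question.items()},
        "bursts": bursts,
        "non_port53_sources": non_port53,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file's lines; the "bursts" and "non_port53_sources" entries are the two things to look at first, since they separate a remote nameserver talking back from port 53 from anything that does not fit that pattern.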