
Re: [cobalt-security] dns on a RaQ4r



Thank you

At 04:38 PM 4/25/2003, you wrote:
DL> Date: Fri, 25 Apr 2003 12:46:01 -0500
DL> From: David Lucas

[ Yes, I'm crossposting... keep that in mind if responding... ]


DL> Can anyone explain the following in my log?
DL>
DL> Apr 17 20:05:02 www sendmail[17236]: h3I151W17236: 6696216150.hostnoc.net
DL> [66.96.216.150] (may be forged): HELO/EHLO attack?

Hmmmm.  New one for me.  I'd need to dig through sendmail source;
not finding much via Google.


DL> Apr 17 15:04:37 www named[480]: bad referral (158.24.in-addr.arpa !<
DL> 235.158.24.in-addr.arpa) from [24.196.17.8].53

24.196.17.8 sent a DNS referral packet that your system wasn't
expecting.  Smells like an attempt to poison your DNS server, but
could be misconfig.


DL> Apr 17 21:34:20 www named[480]: Request IXFR from [64.81.117.120].1029
DL> Apr 17 21:34:20 www named[480]: approved IXFR/AXFR from
DL> [64.81.117.120].1029 for "doublebassshop.com"

Zone transfer.  If 64.81.117.120 is one of your systems, that's
normal.  If not, consider disabling AXFR/IXFR access from systems
that don't need it.


DL> Apr 17 18:12:51 www named[480]: Lame server on '66.218.94.64.in-addr.arpa'
DL> (in '218.94.64.in-addr.arpa'?): [216.52.97.33].53 'ns2.ocy.pnap.net'
DL> Apr 17 16:09:07 www named[480]: Lame server on '45.16.245.213.in-addr.arpa'
DL> (in '16.245.213.in-addr.arpa'?): [193.0.0.193].53 'ns.ripe.net'
DL> Apr 17 12:46:13 www named[480]: Lame server on '70.247.65.67.in-addr.arpa'
DL> (in '247.65.67.in-addr.arpa'?): [151.164.1.1].53 'ns1.swbell.net'

Some DNS servers should be authoritative for certain zones, but
aren't.  Misconfiguration.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
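
An added example, not part of the original thread: Python that classifies the three kinds of `named` messages explained in the reply above (bad referral, approved zone transfer, lame server) and lists transfers approved for hosts outside an allowlist. The allowlist address and the function names are assumptions; the sample lines are the ones quoted in the message, with wrapped lines re-joined.

```python
import re
from collections import Counter

# Assumption: secondaries allowed to pull zones (constructed placeholder address).
ALLOWED_SECONDARIES = {"192.0.2.53"}

PATTERNS = {
    "zone_transfer": re.compile(
        r'approved (?:IXFR/AXFR|AXFR|IXFR) from \[(?P<ip>[\d.]+)\]\.\d+ for "(?P<zone>[^"]+)"'),
    "bad_referral": re.compile(
        r"bad referral \((?P<got>\S+) !< (?P<want>\S+)\) from \[(?P<ip>[\d.]+)\]\.\d+"),
    "lame_server": re.compile(
        r"Lame server on '(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
        r"\[(?P<ip>[\d.]+)\]\.\d+ '(?P<ns>[^']+)'"),
}

def classify(line):
    """Return (kind, fields) for a named log line, or (None, {}) if unrecognised."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None, {}

def review(lines, allowed=ALLOWED_SECONDARIES):
    """Count events per kind and list zone transfers approved for unlisted hosts."""
    counts, unexpected = Counter(), []
    for line in lines:
        kind, fields = classify(line)
        if kind is None:
            continue  # e.g. the "Request IXFR" line, which only precedes the approval
        counts[kind] += 1
        if kind == "zone_transfer" and fields["ip"] not in allowed:
            unexpected.append((fields["ip"], fields["zone"]))
    return counts, unexpected

# Sample input: log lines quoted in the message above, wrapped lines re-joined.
SAMPLE = [
    "Apr 17 15:04:37 www named[480]: bad referral (158.24.in-addr.arpa !< 235.158.24.in-addr.arpa) from [24.196.17.8].53",
    "Apr 17 21:34:20 www named[480]: Request IXFR from [64.81.117.120].1029",
    'Apr 17 21:34:20 www named[480]: approved IXFR/AXFR from [64.81.117.120].1029 for "doublebassshop.com"',
    "Apr 17 18:12:51 www named[480]: Lame server on '66.218.94.64.in-addr.arpa' (in '218.94.64.in-addr.arpa'?): [216.52.97.33].53 'ns2.ocy.pnap.net'",
]

if __name__ == "__main__":
    counts, unexpected = review(SAMPLE)
    print(dict(counts))
    for ip, zone in unexpected:
        print(f"transfer of {zone} approved for unlisted host {ip}")
```

Adding 64.81.117.120 to the allowlist, if it is one of your own secondaries, empties the list of unexpected transfers.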


