Security Incidents: Re: Microsoft version.binding us now?

From: Klaus Steding-Jessen <jessen_at_NIC.BR>
Date: Tue, 30 May 2000 12:18:14 -0300

on Friday, 26 May 2000 19:11:36, Bill Marquette wrote:
| I've seen the following scan on some servers I admin for the last few days
| from not only 207.46.106.84 but also a couple other systems in that /24
| address space. So far I've seen the version.bind hits about 50 times. The
| really weird thing is:
|
| we have two connections to the 'net
| our dns servers are split across the connections
| it's not a browser on the internal side triggering it as they're round
| robined via squid out the two connections
| ALL the attempts are to the same server.
|
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.127 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.128 security:
| notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
| May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security:
| notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"

Same thing here, from 207.46.106.75, 207.46.106.77 and 207.46.106.84:

May 25 16:16:27 foo named[39069]: unapproved query from [207.46.106.75].45294 for "VERSION.BIND"
May 25 16:43:40 foo named[39069]: unapproved query from [207.46.106.77].50702 for "VERSION.BIND"
May 25 17:37:08 foo named[39069]: unapproved query from [207.46.106.84].49823 for "VERSION.BIND"
May 25 17:38:30 foo named[39069]: unapproved query from [207.46.106.84].51197 for "VERSION.BIND"
May 25 17:41:30 foo named[39069]: unapproved query from [207.46.106.84].54255 for "VERSION.BIND"
May 25 18:29:57 foo named[39069]: unapproved query from [207.46.106.84].44706 for "VERSION.BIND"

The reply from infosec_at_microsoft.com:

>From: ITG Information Security Center <infosec_at_microsoft.com>
>Sender: Greg Galford <ggalford_at_microsoft.com>
>Subject: FW: SECURITY: Hacking activity from your domain
>Date: Fri, 26 May 2000 07:31:42 -0700
>X-Mailer: Internet Mail Service (5.5.2651.58)
>
>
>Hi, these packets you are seeing are not probes, but are coming from
>an F5 networks product, 3dns (see:
>http://www.f5.com/3dns/index.html).

[snip]

Hard to believe that 3dns is using version.bind probes to collect RTT
information. Can anyone confirm this?

Klaus.
Received on Jun 01 2000
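
One way to tally the probes reported in this thread by source address and /24, as an added example that is not part of the original messages. The first five sample lines are copied from the logs quoted above (wrapped lines rejoined), the last one is constructed to show that other query names are ignored, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Matches both named layouts quoted in the thread: with and without the
# extra BIND timestamp and "security: notice:" category prefix.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+named\[\d+\]:\s+'
    r'.*?unapproved query from \[(?P<src>[\d.]+)\]\.(?P<port>\d+)\s+'
    r'for "(?P<qname>[^"]+)"')

# First five lines: from the thread. Last line: constructed, other qname.
SAMPLE = """\
May 25 13:31:58 myhost named[1319]: 25-May-2000 13:31:58.126 security: notice: unapproved query from [207.46.106.84].42900 for "VERSION.BIND"
May 25 13:54:07 myhost named[1319]: 25-May-2000 13:54:07.132 security: notice: unapproved query from [207.46.106.84].2623 for "VERSION.BIND"
May 25 16:16:27 foo named[39069]: unapproved query from [207.46.106.75].45294 for "VERSION.BIND"
May 25 16:43:40 foo named[39069]: unapproved query from [207.46.106.77].50702 for "VERSION.BIND"
May 25 17:37:08 foo named[39069]: unapproved query from [207.46.106.84].49823 for "VERSION.BIND"
May 25 18:30:01 foo named[39069]: unapproved query from [192.0.2.10].1053 for "example.com"
"""

def summarize(log_text, qname="VERSION.BIND"):
    """Group matching queries as {"/24 network": {source IP: [hits]}}."""
    by_net = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qname"].upper() != qname.upper():
            continue
        net = str(ip_network(m["src"] + "/24", strict=False))
        by_net[net][m["src"]].append((m["ts"], m["host"], int(m["port"])))
    return {net: dict(srcs) for net, srcs in by_net.items()}

def report(summary):
    """Render one line per network and one per source address."""
    out = []
    for net, srcs in sorted(summary.items()):
        total = sum(len(hits) for hits in srcs.values())
        out.append(f"{net}: {total} queries from {len(srcs)} sources")
        for src, hits in sorted(srcs.items()):
            targets = sorted({host for _, host, _ in hits})
            out.append(f"  {src}: {len(hits)} hits against {targets}")
    return out

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

Grouping by /24 and listing the targeted hosts makes it easy to compare reports from different sites, as the two posters do here by hand.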
