Security Incidents mailing list archives

queries for MX of sexnet.com


From: Brian Collins <listbc () newnanutilities org>
Date: Fri, 21 May 2004 00:44:24 -0400

Howdy.  I recently started logging queries on our DNS servers so I could
use a BIND graphing tool.  In my curiosity, I started checking through
the queries recently, looking for anomalies, etc.  One of the things I
noticed was a lot of queries for the MX of sexnet.com.  If I query it
manually, their server responds only with the SOA, but no answer to the
MX query.

On one of our servers (internal only, for our cable modem customers with
RFC 1918 addresses), since last night (5/19/04) at 1900, there have been
12,768 queries from 21 unique hosts.  On another server, from last
Thursday until Sunday at 0400 when the logs rotated, there were 156,000
such queries from 5 hosts.  Since Sunday, one of those alone has done
207,000 of these queries. When we get these, a single host will do about
4-8 per second, then do it again within 5-20 seconds. 

I Googled but saw no other reports of such activity.  I'm wondering if
this is some sort of malware, attempts to DoS the mail server for
sexnet.com, etc.  I don't yet have access to any of these client
machines, but may be able to get to one or two of them in a few days.  I
did nmap one of them and got this (IP obscured):

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on (a.b.c.d):

(The 1533 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
42/tcp     open        nameserver
53/tcp     open        domain
88/tcp     open        kerberos-sec
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
389/tcp    open        ldap
445/tcp    open        microsoft-ds
464/tcp    open        kpasswd5
593/tcp    open        http-rpc-epmap
636/tcp    open        ldapssl
1026/tcp   open        nterm
1127/tcp   open        supfiledbg
1723/tcp   open        pptp
3389/tcp   open        msrdp
8080/tcp   open        http-proxy

Remote operating system guess: Windows Millenium Edition v4.90.3000
One of the other hosts may have an email worm.  We block our cable modem
users from sending to tcp/25 (except on our mail servers) as a matter of
policy.  This particular host is trying to hit several internet hosts on
tcp/25, and is of course failing.  The owner of that IP has not
complained, so I doubt he even knows it's happening.

Packet dumps of a few of the queries are available at:

http://misweb.newnanutilities.org/packetdump/sexnet.dump

Thanks,

-- 
Brian Collins <listbc () newnanutilities org>
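The pattern Brian describes (a handful of clients issuing bursts of 4-8 MX queries per second for one name, then repeating a few seconds later) is easy to pull out of a BIND query log once the log is parsed per client and bucketed by second. The following is an added example and not part of the original post or of any tool mentioned in it. The log lines are constructed to resemble BIND 9 query-log output; the exact field layout differs between BIND versions, so the regular expression is an assumption to adjust for your own logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of BIND 9 query-log lines (not taken from the
# post). Real BIND versions differ in field layout; adjust QUERY_RE to match.
SAMPLE_LOG = """\
21-May-2004 00:30:00.105 client 10.1.2.3#1034: query: sexnet.com IN MX
21-May-2004 00:30:00.230 client 10.1.2.3#1035: query: sexnet.com IN MX
21-May-2004 00:30:00.355 client 10.1.2.3#1036: query: sexnet.com IN MX
21-May-2004 00:30:00.480 client 10.1.2.3#1037: query: sexnet.com IN MX
21-May-2004 00:30:00.605 client 10.1.2.3#1038: query: sexnet.com IN MX
21-May-2004 00:30:00.730 client 10.1.2.3#1039: query: sexnet.com IN MX
21-May-2004 00:30:01.001 client 10.1.2.50#2048: query: sexnet.com IN MX
21-May-2004 00:30:01.417 client 10.1.2.50#2049: query: www.example.com IN A
21-May-2004 00:30:02.090 client 10.1.2.77#3001: query: sexnet.com IN MX
21-May-2004 00:30:02.610 client 10.1.2.77#3002: query: sexnet.com IN MX
21-May-2004 00:30:12.011 client 10.1.2.3#1040: query: sexnet.com IN MX
21-May-2004 00:30:12.140 client 10.1.2.3#1041: query: sexnet.com IN MX
21-May-2004 00:30:12.265 client 10.1.2.3#1042: query: sexnet.com IN MX
21-May-2004 00:30:12.390 client 10.1.2.3#1043: query: sexnet.com IN MX
21-May-2004 00:30:12.515 client 10.1.2.3#1044: query: sexnet.com IN MX
21-May-2004 00:30:12.640 client 10.1.2.3#1045: query: sexnet.com IN A
this line is not a query record and is skipped by the parser
"""

# Assumed layout: "<dd-Mon-yyyy hh:mm:ss.mmm> client <ip>#<port>: query: <name> IN <type>"
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_queries(text):
    """Yield (timestamp, client_ip, qname, qtype) for each well-formed query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # BIND logs other events too; ignore anything that is not a query record
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")  # milliseconds dropped: bucket by second
        yield ts, m["client"], m["name"].lower().rstrip("."), m["qtype"]


def profile_clients(text, qname, qtype="MX", min_per_second=4, min_hot_seconds=2):
    """Count queries for (qname, qtype) per client, bucketed by second.

    A client is flagged when it reaches min_per_second queries within a single
    second in at least min_hot_seconds distinct seconds: repeated bursts rather
    than an isolated lookup. Returns {client: {total, peak_per_second,
    hot_seconds, flagged}}.
    """
    per_second = defaultdict(Counter)
    target = qname.lower().rstrip(".")
    for ts, client, name, qt in parse_queries(text):
        if name == target and qt == qtype:
            per_second[client][ts] += 1
    report = {}
    for client, buckets in per_second.items():
        hot = sum(1 for n in buckets.values() if n >= min_per_second)
        report[client] = {
            "total": sum(buckets.values()),
            "peak_per_second": max(buckets.values()),
            "hot_seconds": hot,
            "flagged": hot >= min_hot_seconds,
        }
    return report


def flagged_clients(text, qname, qtype="MX", **thresholds):
    """Return flagged client IPs, busiest first, for hand-off to whoever owns those hosts."""
    report = profile_clients(text, qname, qtype, **thresholds)
    ranked = sorted(report.items(), key=lambda kv: -kv[1]["total"])
    return [client for client, r in ranked if r["flagged"]]


if __name__ == "__main__":
    for client, r in profile_clients(SAMPLE_LOG, "sexnet.com").items():
        print(f"{client:15} total={r['total']:3} peak/s={r['peak_per_second']} "
              f"hot_seconds={r['hot_seconds']} flagged={r['flagged']}")
```

On the constructed sample only 10.1.2.3 is flagged: it fires six MX queries in one second and five more twelve seconds later, while 10.1.2.77 issues two in one second and 10.1.2.50 a single one. Lowering the thresholds (for example `min_per_second=2, min_hot_seconds=1`) also catches 10.1.2.77, which is the usual tuning trade-off: the per-second bucket is deliberately coarse so that ordinary caching resolvers retrying a query do not trip it. Pointing the same logic at a full day of logs would give the per-host counts quoted in the post directly, without grepping by hand.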

