Intrusion Detection Systems mailing list archives

RE: reading signatures?


From: Alex.Senkevitch () midata com (Alex.Senkevitch () midata com)
Date: Wed, 27 Oct 1999 13:44:35 GMT




I would say that it is either:
        a) a broadcast scan for DNS servers/servers answering on that port
        b) a scan using a loki client to search for compromised loki hosts
        c) a scan looking for compromised/compromisable BIND 4.9/8.1 DNS servers to gain root access

Alex S.

matthew.fearnow () mcp com wrote:-----------------------

No, at least I don't think so.  This was sustained activity for about 1 hour
(or until I pulled the plug on the machine).  I really think it was someone
port scanning for DNS servers.  But what I don't get is the "1205+ (45)" at
the end of it.  And it was fast, so it is obviously a script.  Here is a
better example:

14:18:36.148999 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:36.188602 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:36.756601 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:36.803255 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:37.671712 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:37.783548 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:38.276469 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:38.346480 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:38.747676 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:38.908229 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:39.585781 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:40.107080 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:40.397962 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:40.612117 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:40.659457 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:41.732946 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:41.952114 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:42.292261 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:42.369584 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:42.772469 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
14:18:42.772562 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:42.892015 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:42.944009 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
14:18:42.993064 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)

14:41:55.202938 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:55.371552 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:55.652843 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:56.025792 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:56.481790 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:56.539961 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:56.598891 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:56.645087 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:56.680081 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:56.761283 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:56.795913 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)
14:41:57.094019 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:57.175700 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:57.661521 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:57.695545 x.x.x.x.9999 > x.x.x.0.53: 1194+ (45)
14:41:58.022902 x.x.x.x.9999 > x.x.x.255.53: 1194+ (45)

Thanks

-----Original Message-----
From: Trevor Schroeder [mailto:tschroed () acm org]
Sent: Friday, October 22, 1999 3:48 PM
To: matthew.fearnow () mcp com
Cc: ids () uow edu au
Subject: Re: IDS: reading signatures?

On Fri, 22 Oct 1999 matthew.fearnow () mcp com wrote:

Can anyone give me some insight into what this means?

14:17:51.220753 myhost.here.com.9999 > othersite.there.com.53: 1205+ (45)
14:17:51.718414 myhost.here.com.9999 > othersite.there.com.53: 1205+ (45)
14:42:49.550408 myhost.here.com.9999 > anothersite.there.com.53: 1194+ (45)

That would be myhost.here.com doing DNS lookups, most likely (assuming you
don't have reason to suspect otherwise).

domain          53/tcp          nameserver      # name-domain server
domain          53/udp          nameserver
..........................................................................
: "I knew it was going to cost me my head and also my swivel chair, but  :
: I thought: What the hell--better men than I have risked their heads    :
: and their swivel chairs for truth and justice." -- James P. Cannon     :
:........... http://www.zweknu.org/ for PGP key and more ................: