Security Incidents mailing list archives
Re: DNS update queries: another sort of suspicious activity.
From: sparty () UPSIDE NET (Kevin (Sparty) Broderick)
Date: Mon, 31 Jan 2000 17:37:34 -0500
On Fri, 28 Jan 2000, Fyodor wrote:
On Fri, 28 Jan 2000, Patrick Oonk wrote: ~ Fydor, ~ ~ this seems to be a 'feature' of Windows 2000. ~ If you had portscanned the offending box you might ~ have seen it was a Win2k box. ~ Wow.. then it must be full of surprises. :) Notice that 192.168.0.4 is a non-routable IP address, so it could be someone's sick firewall which allowed the iternal network to send sick UDP datagrams out.
It's worth noting that Win2k offers Internet connection sharing and uses
192.168.0.4 for that connection sharing. With Win2k Professional, it
appears that one *must* set all clients to use DHCP and then the Win2k box
will run a DHCP server and give them all 192.168.0.* addresses and
reassign its own NIC to 192.168.0.1 (even if it already had another
non-routable address). I wouldn't be suprised if there was some
connection here.
--
--Sparty
web: http://upside.net/~sparty/
Current thread:
- Re: DNS update queries: another sort of suspicious activity. Flynn, Harold M. III (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. H D Moore (Feb 10)
- <Possible follow-ups>
- Re: DNS update queries: another sort of suspicious activity. Rob Quinn (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. Kevin (Sparty) Broderick (Jan 31)
- Re: DNS update queries: another sort of suspicious activity. Bill Royds (Feb 01)
- Re: DNS update queries: another sort of suspicious activity. Data_surge (Feb 03)
