Port 53 hit every hour

Post by Steve Terrel » Wed, 22 Nov 2000 04:00:00



I have seen in my log files where port 53 has been probed for the last 2
days EVERY hour. A sample excerpt follows:

Nov 21 07:29:16 xxx kernel: Packet log: input DENY eth0 PROTO=17
208.184.4.142:*446 24.168.xxx.xxx:53 L=73 S=0x00 I=1 F=0x0000 T=42 (#38)

Why is this machine constantly knocking on my door? and what is it likely
looking for?

Thanks for any replies.

Steve Terrell

Port 53 hit every hour

Post by Manfred Bart » Wed, 22 Nov 2000 04:00:00



> I have seen in my log files where port 53 has been probed for the last 2
> days EVERY hour. A sample excerpt follows:

> Nov 21 07:29:16 xxx kernel: Packet log: input DENY eth0 PROTO=17
> 208.184.4.142:*446 24.168.xxx.xxx:53 L=73 S=0x00 I=1 F=0x0000 T=42 (#38)

I get lots of them too.  Most likely whole subnets are scanned by this
perpetrator, not just you.  A while ago I noticed that many of these
attempts came from one particular network, so I complained to the
admin and the attempts from that subnet stopped.

$ whois 208.184.4.142
Abovenet Communications, Inc. (NETBLK-ABOVENET-6)
   50 W. San Fernando St., Suite 1010
   San Jose, CA 95113
   US
   Netname: ABOVENET-6
   Netblock: 208.184.0.0 - 208.185.255.255


Include your logs of connection attempts from their network.

> Why is this machine constantly knocking on my door? ...

it likes you and wants to come in <grin>

> ... and what is it likely looking for?

A root exploit in old versions of named (bind).  Once they are
in they'd like to ``borrow'' your system to crack more systems or
to run distributed DoS attacks etc.

--
Manfred

Port 53 hit every hour

Post by BB » Wed, 22 Nov 2000 04:00:00


Port 53 is DNS. You get the connection using TCP, which is intended for zone
transfers (UDP is for normal DNS lookups). Most likely someone misconfigured
their DNS server and it tries to do a zone transfer from your DNS server. I
don't think it's an attack, but it is still worth notifying the administrator
of the source machine.

Bob


> I have seen in my log files where port 53 has been probed for the last 2
> days EVERY hour. A sample excerpt follows:

> Nov 21 07:29:16 xxx kernel: Packet log: input DENY eth0 PROTO=17
> 208.184.4.142:*446 24.168.xxx.xxx:53 L=73 S=0x00 I=1 F=0x0000 T=42 (#38)

> Why is this machine constantly knocking on my door? and what is it likely
> looking for?

> Thanks for any replies.

> Steve Terrell

Port 53 hit every hour

Post by craw.. » Wed, 22 Nov 2000 04:00:00



> I have seen in my log files where port 53 has been probed for the last 2
> days EVERY hour. A sample excerpt follows:

> Nov 21 07:29:16 xxx kernel: Packet log: input DENY eth0 PROTO=17
> 208.184.4.142:*446 24.168.xxx.xxx:53 L=73 S=0x00 I=1 F=0x0000 T=42 (#38)

> Why is this machine constantly knocking on my door? and what is it likely
> looking for?

> Thanks for any replies.

> Steve Terrell

Nice probe. How long have you been monitoring your logs? IOW, is this
new? As various versions of bind/named have had known exploits, any
probe for port 53 obviously raises a bunch of red flags. OTOH, probes
for 53 may be of a different source for information. Check out this
report from GIAC/SANS.

http://www.sans.org/y2k/042700.htm

Search a little past half-way down for what USA Today was doing.

I'm perplexed by the hour-long probe for a DNS as well as Manfred's post
about probes from abovenet. I'm also perplexed by I=1. If I represents
the packet id number, then ID=1 is rather strange.

Port 53 hit every hour

Post by Steve Terrel » Fri, 24 Nov 2000 04:00:00




>> I have seen in my log files where port 53 has been probed for the last
>> 2 days EVERY hour. A sample excerpt follows:

>> Nov 21 07:29:16 xxx kernel: Packet log: input DENY eth0 PROTO=17
>> 208.184.4.142:*446 24.168.xxx.xxx:53 L=73 S=0x00 I=1 F=0x0000 T=42
>> (#38)

>> Why is this machine constantly knocking on my door? and what is it
>> likely looking for?

>> Thanks for any replies.

>> Steve Terrell

> Nice probe. How long have you been monitoring your logs?

Always monitor logs.

> IOW, is this new?

Started on Nov 20.

> As various versions of bind/named have had known exploits, any
> probe for port 53 obviously raises a bunch of red flags. OTOH, probes
> for 53 may be of a different source for information. Check out this
> report from the GIAC/SANS report.

> http://www.sans.org/y2k/042700.htm

> Search a little past half-way down for what USA Today was doing.

> I'm perplexed by the hour-long probe for a DNS as well as Manfred's post
> about probes from abovenet. I'm also perplexed by I=1. If I represents
> the packet id number, then ID=1 is rather strange.

Probes are not an hour long, they happen at hour intervals.

Thanks, Steve
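The whole thread turns on reading one ipchains "Packet log" line: which transport PROTO=17 denotes, what the I= field holds, and whether the hits really recur at hourly intervals rather than lasting an hour. The following is an added example, not code from any poster in the thread, that parses lines in that format, decodes the protocol number and IP header fields, and flags sources whose hits on port 53 recur at roughly one-hour spacing. The sample lines, the source ports, the 24.168.1.2 destination, the 192.0.2.7 second source, and the year 2000 used to complete the year-less syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ipchains log lines carry no year; the thread dates from November 2000, so
# that year is assumed here to complete the syslog timestamps (constructed).
ASSUMED_YEAR = 2000

# IP protocol numbers relevant to a port 53 question: PROTO=17 is UDP (normal
# DNS queries), 6 is TCP (zone transfers and oversize answers).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Layout of an ipchains "Packet log:" line as quoted in the original post:
#   <ts> <host> kernel: Packet log: <chain> <verdict> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<ip id> F=<frag> T=<ttl> (#<rule>)
# The destination may be masked with "xxx" as in the thread, so 'x' is allowed there.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\S+) (?P<dst>[\d.x]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

# Constructed sample log: three hourly UDP hits from the address named in the
# thread (source ports and the destination 24.168.1.2 are made up), one
# unrelated TCP hit, and one non-firewall kernel line the parser must ignore.
SAMPLE_LOG = """\
Nov 21 07:29:16 xxx kernel: Packet log: input DENY eth0 PROTO=17 208.184.4.142:1446 24.168.1.2:53 L=73 S=0x00 I=1 F=0x0000 T=42 (#38)
Nov 21 08:29:18 xxx kernel: Packet log: input DENY eth0 PROTO=17 208.184.4.142:1447 24.168.1.2:53 L=73 S=0x00 I=1 F=0x0000 T=42 (#38)
Nov 21 09:29:15 xxx kernel: Packet log: input DENY eth0 PROTO=17 208.184.4.142:1448 24.168.1.2:53 L=73 S=0x00 I=1 F=0x0000 T=42 (#38)
Nov 21 09:31:02 xxx kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:3344 24.168.1.2:53 L=60 S=0x00 I=8121 F=0x4000 T=51 (#38)
Nov 21 09:32:00 xxx kernel: eth0: link up
"""


def parse_line(line):
    """Parse one ipchains log line into a dict; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ts = " ".join(rec["ts"].split())  # collapse "Nov  1" style day padding
    rec["time"] = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    for key in ("proto", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], f"proto{rec['proto']}")
    return rec


def parse_log(text):
    """Parse every recognisable ipchains line in a block of syslog text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def describe(rec):
    """One-line summary with the protocol number decoded and the IP ID and TTL shown."""
    return (f"{rec['time']:%b %d %H:%M:%S} {rec['verdict']} {rec['proto_name']} "
            f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
            f"len={rec['length']} ipid={rec['ipid']} ttl={rec['ttl']}")


def periodic_sources(records, dport=53, period=timedelta(hours=1),
                     tolerance=timedelta(minutes=2), min_hits=3):
    """Return {src: [gap seconds, ...]} for sources whose hits on dport recur
    at roughly `period` spacing, i.e. every gap lies within `tolerance` of it."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == dport:
            by_src[r["src"]].append(r["time"])
    result = {}
    for src, times in by_src.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            result[src] = [int(g.total_seconds()) for g in gaps]
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(describe(r))
    for src, gaps in periodic_sources(recs).items():
        print(f"{src}: {len(gaps) + 1} hits on port 53 spaced {gaps} seconds apart")
```

On the sample data the parser reports the first three hits as UDP (so the transport is ordinary DNS query traffic, not a TCP zone transfer), shows the constant IP ID of 1 that puzzled craw, and flags 208.184.4.142 as recurring at 3602 and 3597 second gaps, which is the "hour intervals" Steve describes. Feeding it a real ipchains log only requires adjusting ASSUMED_YEAR.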


Many hits to port 53

Maybe someone can shed some light. I have blocked APNIC- and RIPE-assigned
numbers, and more, from access to my servers (Linux 2.2.16), as anything from
those areas is bound to be spam/suspicious anyhow. And I started to log
these lines from ipchains. I'm seeing hits at the rate of 40-60 per minute
from those areas attempting access to my name servers. Is this normal? Or
not? Small system I run for a few friends. Nothing controversial, etc. Just
about 8 e-mail accounts.

And it has increased tremendously, like four fold, in the last few months.

george at dyb dot com

-G

--
George J Csahanin
Director of Engineering and Operations
LIN Television
Austin, TX
512-703-5396 voice
512-481-1233 private fax
