True that...but this is most likely the script that was causing the badness he was seeing: http://www.opennet.ru/dev/fsbackup/src/1.2pl1_to_1.2pl2.diff It was written by the same guy that owns the IP address space that he was seeing the . requests coming from. It should still be blacklisted.
On Wed, Jul 30, 2008 at 12:46 PM, Graeme Fowler <[EMAIL PROTECTED]> wrote:
> On Wed, 2008-07-30 at 13:08 -0400, Jeff Lightner wrote:
> > Someone had apparently posted on a Fedora forum that seeing the high
> > level of query cache denied was a sign of people trying the exploit but
> > someone else here said it wasn't a symptom of the exploit.
>
> That's not *quite* correct (well, not even correct actually, but that
> sounds churlish).
>
> I said that the addresses listed in the post on the fedora-users list
> were actually directly related to research work being done by Dan
> Kaminsky and/or some people at a .edu connected to him.
>
> The OP of the message fired off in a panic, IMO, without doing any
> homework whatsoever.
>
> > However, on returning to my office I too saw a dramatic increase in the
> > number of these. If they aren't for the exploit does someone know why
> > they increased?
>
> If you've seen a dramatic increase in log entries, have you done any
> work at all to see where they're coming from? Pound to a penny, if you
> find they're from an educational institution you'll be able to fire off
> an email to someone there (look in WHOIS for the contact details for
> starters) and they'll tell you. If they're from Nigeria, Chinese ISPs,
> Russia, or a bunch of colo/hosting places in the US or Europe (or other
> common malware sources, yours will differ from mine) then they're
> probably scans from less friendly types.
>
> There's an interesting message on the OARCI dnsops list here:
>
> http://lists.oarci.net/pipermail/dns-operations/2008-July/003110.html
>
> [note: the sender of that message is the originator of query-cache scans
> from Georgia Tech IP IPv4 space]
>
> I guess the important message here is: do some homework first. They may
> or may not be malicious, but having an indication either way is good
> before you run into the woods with your shotgun.
>
> Graeme
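To do the homework Graeme describes before deciding whether a spike in "query (cache) denied" entries is a scan, here is an added example (not written by anyone in this thread) that parses BIND 9 security-log lines and counts denials per source address and per /24, so the originating range can be looked up in WHOIS. The sample log lines and the /24 grouping are constructed assumptions for illustration.

```python
import re
import ipaddress
from collections import Counter

# Matches BIND 9 "query (cache) ... denied" log lines, e.g.
#   client 192.0.2.10#40212: query (cache) 'example.com/A/IN' denied
# The optional "(name)" group after the port appears in newer BIND releases.
DENIED_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+(?: \([^)]*\))?: "
    r"query \(cache\) '(?P<qname>[^']+)' denied"
)

def parse_denied(lines):
    """Yield (source_ip, qname) for every cache-denied line; ignore the rest."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname")

def summarize(lines, prefix_len=24):
    """Count denied queries per source IP and per /prefix_len network.

    Grouping by network makes a single institution or hosting range stand out
    even when it spreads queries over many individual addresses."""
    per_ip = Counter()
    per_net = Counter()
    for ip, _qname in parse_denied(lines):
        per_ip[ip] += 1
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_net[str(net)] += 1
    return per_ip, per_net

# Constructed sample log lines (not from the thread); addresses are RFC 5737
# documentation ranges. The "approved" and notify lines must be ignored.
SAMPLE_LOG = [
    "30-Jul-2008 12:46:01.123 security: info: client 192.0.2.10#40212: query (cache) 'example.com/A/IN' denied",
    "30-Jul-2008 12:46:01.456 security: info: client 192.0.2.11#40213: query (cache) 'example.net/A/IN' denied",
    "30-Jul-2008 12:46:02.001 security: info: client 192.0.2.10#40214: query (cache) 'example.org/A/IN' denied",
    "30-Jul-2008 12:46:02.500 security: info: client 198.51.100.7#5353: query (cache) 'example.com/MX/IN' denied",
    "30-Jul-2008 12:46:03.000 security: info: client 203.0.113.5#1024: query (cache) 'example.com/A/IN' approved",
    "30-Jul-2008 12:46:03.200 notify: info: client 203.0.113.9#53: received notify for zone 'example.com'",
]

if __name__ == "__main__":
    per_ip, per_net = summarize(SAMPLE_LOG)
    for net, n in per_net.most_common():
        print(f"{net:<20} {n:>4} denied cache queries")
    for ip, n in per_ip.most_common():
        print(f"  {ip:<18} {n:>4}")
```

Feed it `grep 'query (cache)' /var/log/named/security.log` (or wherever your security category logs) and check the top networks against WHOIS before assuming malice.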
