On Fri, 6 Dec 2002, Randy Haley wrote:

> 2002-12-06 15:07:30 Filter: RAF (45) block - Warning UDP
> (207.46.150.12:2562) => (63.71.36.1:53) dc0 l=41


Interesting that 207.46.150.12 is contained in a Microsoft-allocated
network.

Are these log messages all sourced from the same IP or from many different
addresses?

It's possible that someone (perhaps whoever configured 207.46.150.12) has
set their workstation or server to use 63.71.36.1 as a resolving DNS
server... this could be something as simple as a typo that caused it.


If you're seeing these from many different IP addresses, however, you may
want to consider the recent BIND exploits.  It may be as simple as a bunch
of script kiddies scanning you, looking for a place to play.


If you wanted to see what questions were being asked of you, you could
use a sniffer on your external network (tcpdump, ethereal, etc) to look at
the contents of the queries being made.

...david
---
David Raistrick
        Systems Administrator - Global Technology Associates, Inc
 [EMAIL PROTECTED]
        Disclaimer:  All opinions expressed are the opinions of
        David Raistrick, not necessarily those of GTA, Inc.
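
Added example, not part of the original message or of GTA's tooling: a small Python triage of firewall log lines in the layout quoted above, answering the reply's first question (one source address or many hitting port 53). The function names, the `many=3` threshold, and every sample line other than the first are assumptions made for illustration.

```python
import re
from collections import Counter

# Layout taken from the single blocked-packet line quoted in the thread;
# that other entries in the log follow the same layout is an assumption.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} .*?\bblock\b.*?"
    r"(?:UDP|TCP)\s+\((?P<src>[\d.]+):\d+\)\s*=>\s*"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

# Constructed sample: the first entry is the line from the thread (unwrapped);
# the remaining entries are made up, using a documentation address for noise.
SAMPLE_LOG = """\
2002-12-06 15:07:30 Filter: RAF (45) block - Warning UDP (207.46.150.12:2562) => (63.71.36.1:53) dc0 l=41
2002-12-06 15:07:35 Filter: RAF (45) block - Warning UDP (207.46.150.12:2562) => (63.71.36.1:53) dc0 l=41
2002-12-06 15:07:45 Filter: RAF (45) block - Warning UDP (207.46.150.12:2563) => (63.71.36.1:53) dc0 l=41
2002-12-06 15:09:02 Filter: RAF (45) block - Warning UDP (192.0.2.7:137) => (63.71.36.1:137) dc0 l=78
"""


def dns_block_sources(log_text, dns_port=53):
    """Count blocked packets aimed at the DNS port, keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) == dns_port:
            counts[m.group("src")] += 1
    return counts


def triage(counts, many=3):
    """Label the two cases the reply separates: one source versus many."""
    if not counts:
        return "no-dns-blocks"
    if len(counts) == 1:
        return "single-source"   # fits a misconfigured resolver setting
    return "many-sources" if len(counts) >= many else "few-sources"


if __name__ == "__main__":
    sources = dns_block_sources(SAMPLE_LOG)
    for src, hits in sources.most_common():
        print(f"{src}\t{hits}")
    print(triage(sources))
```

A "single-source" result matches the misconfigured-resolver explanation in the reply; "many-sources" is the case where looking at the query contents with a sniffer is the next step.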
