My site and all of my Customers' sites have been taking
enormous amounts of hits on port 53 since the last few
rounds of BIND vulnerabilities.

Chalk it up to "way too many kids with too much time
on their hands".  Stupid script kiddies barely know an
IP Address from a NETBIOS name, but they can find the
blackhat site that gives them step-by-step instructions
on port scanning, and then they think they're really
l337 h4x0r5 ("elite hackers" for those who have more
than half a brain, and thus don't speak 'leetspeak).

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]


> -----Original Message-----
> From: david raistrick [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 06, 2002 10:28 AM
> To: Randy Haley
> Cc: [EMAIL PROTECTED]
> Subject: Re: [gb-users] UDP Port 53 traffic
>
>
> On Fri, 6 Dec 2002, Randy Haley wrote:
>
> > 2002-12-06 15:07:30 Filter: RAF (45) block - Warning UDP (207.46.150.12:2562) => (63.71.36.1:53) dc0 l=41
>
>
> Interesting that 207.46.150.12 is contained in a Microsoft allocated
> network..
>
> Are these log messages all sourced from the same IP or from many different
> addresses?
>
> It's possible that someone (perhaps whoever configured 207.46.150.12) has
> set their workstation or server to use 63.71.36.1 as a resolving DNS
> server....this could be something as simple as a typo that caused it.
>
>
> If you're seeing these from many different IP addresses, however, you may
> want to consider the recent BIND exploits.  It may be as simple as a bunch
> of scriptkiddies scanning you, looking for a place to play.
>
>
> If you wanted to see what questions were being asked of you, you could
> use a sniffer on your external network (tcpdump, ethereal, etc) to look at
> the contents of the queries being made.
>
> ...david
> ---
> David Raistrick
>       Systems Administrator - Global Technology Associates, Inc
>  [EMAIL PROTECTED]
>         Disclaimer:  All opinions expressed are the opinions of
>         David Raistrick, not necessarily those of GTA, Inc.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> To subscribe to the digest version first unsubscribe, then
>  e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> Archive of the last 1000 messages:
>  http://www.mail-archive.com/[email protected]
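
Added example, not part of the original messages: a small Python script that answers the question raised in the quoted reply (one source or many?) for filter-log lines in the layout quoted above. The sample lines, the documentation-range addresses, the TCP entries and the `many` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Layout taken from the log line quoted in the thread:
# "<date> <time> Filter: ... block - Warning UDP (src:sport) => (dst:dport) dc0 l=41"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*? (?P<action>\w+) - \w+ "
    r"(?P<proto>UDP|TCP) \((?P<src>[\d.]+):(?P<sport>\d+)\) => "
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

# Constructed sample input (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2002-12-06 15:07:30 Filter: RAF (45) block - Warning UDP (192.0.2.10:2562) => (198.51.100.1:53) dc0 l=41
2002-12-06 15:07:41 Filter: RAF (45) block - Warning UDP (192.0.2.10:2563) => (198.51.100.1:53) dc0 l=41
2002-12-06 15:08:02 Filter: RAF (45) block - Warning UDP (203.0.113.5:1040) => (198.51.100.2:53) dc0 l=41
2002-12-06 15:08:03 Filter: RAF (45) block - Warning UDP (203.0.113.77:3121) => (198.51.100.2:53) dc0 l=41
2002-12-06 15:08:05 Filter: RAF (45) block - Warning TCP (203.0.113.140:4410) => (198.51.100.2:53) dc0 l=44
2002-12-06 15:08:09 Filter: RAF (45) block - Warning TCP (203.0.113.140:4411) => (198.51.100.2:80) dc0 l=44
""".splitlines()


def port53_sources(lines):
    """Map each destination hit on port 53 to {source IP: hit count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["dport"] == "53":          # skip unparsable and non-DNS lines
            hits[m["dst"]][m["src"]] += 1
    return {dst: dict(srcs) for dst, srcs in hits.items()}


def triage(lines, many=3):
    """Label each destination by how many distinct sources hit its port 53.

    single-source: one host repeating, e.g. a client pointed at you as resolver.
    many-sources:  at least `many` distinct hosts (threshold is an assumption),
                   the pattern to compare against scanning activity.
    """
    labels = {}
    for dst, srcs in port53_sources(lines).items():
        n = len(srcs)
        labels[dst] = ("single-source" if n == 1
                       else "many-sources" if n >= many else "few-sources")
    return labels


if __name__ == "__main__":
    for dst, label in sorted(triage(SAMPLE_LOG).items()):
        print(dst, label, port53_sources(SAMPLE_LOG)[dst])
```
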
