[Current] New DNS Exploit?

Jon R. Kibler Jon.Kibler at aset.com
Sat Jun 12 18:05:06 UTC 2004


Greetings all,

Is there some new DNS exploit I haven't heard about? 

Starting Tuesday afternoon, we started getting scanned on UDP/53 by multiple hosts from around the world. The scan was against the IP of an outbound mail server that is not running any DNS. The scans seem to repeat every day in a very similar pattern.

Other useful info:
  1) None of our other ~80 IPs are being scanned in a similar manner.
  2) Checking back 2 months, no similar scans were found in our logs.
  3) None of our name servers are logging any miscreant activities that originate from any of the IPs scanning our outbound mail server.
  4) We are not seeing scans on other ports or IPs originating from the IPs that are scanning UDP/53 -- except that about 1/2 the time, the failed UDP/53 is followed by a single ICMP/8/0 (echo request).
  5) We have made no DNS or registrar changes that may result in someone thinking a legit name server was at that IP address and a search of the GRS shows no name servers claiming to have that IP address.

Logs showing these scans follow the signature paragraph.

Anyone have any ideas on this one?

I think I am going to set up a netcat listener on that system and see what I capture...

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214


> Jun  8 16:03:49 border8215 list 110 denied udp 128.242.107.15(55555) -> x.x.x.66(53), 1 packet
> Jun  8 16:17:25 border8215 list 110 denied udp 65.169.170.131(1471) -> x.x.x.66(53), 1 packet
> Jun  8 16:17:51 border8215 list 110 denied udp 64.0.96.12(18857) -> x.x.x.66(53), 1 packet
> Jun  8 16:18:00 border8215 list 110 denied udp 208.185.54.14(39901) -> x.x.x.66(53), 1 packet
> Jun  8 16:18:07 border8215 list 110 denied udp 208.185.219.166(10352) -> x.x.x.66(53), 1 packet
> Jun  8 16:18:10 border8215 list 110 denied udp 212.187.170.2(24870) -> x.x.x.66(53), 1 packet
> Jun  8 16:18:17 border8215 list 110 denied udp 208.254.75.130(31707) -> x.x.x.66(53), 1 packet
> Jun  8 16:19:25 border8215 list 110 denied udp 212.0.126.130(14607) -> x.x.x.66(53), 1 packet
> Jun  8 16:19:38 border8215 list 110 denied udp 80.15.238.66(18974) -> x.x.x.66(53), 1 packet
> Jun  8 16:20:02 border8215 list 110 denied udp 80.15.238.99(19449) -> x.x.x.66(53), 1 packet
> Jun  8 16:20:07 border8215 list 110 denied udp 64.41.192.103(6353) -> x.x.x.66(53), 1 packet
> Jun  8 16:20:25 border8215 list 110 denied udp 202.160.241.130(7807) -> x.x.x.66(53), 1 packet
> Jun  9 13:07:21 border8215 list 110 denied udp 65.169.170.131(30278) -> x.x.x.66(53), 1 packet
> Jun  9 13:08:14 border8215 list 110 denied udp 65.169.170.131(30278) -> x.x.x.66(53), 1 packet
> Jun  9 13:08:28 border8215 list 110 denied udp 208.254.18.130(39216) -> x.x.x.66(53), 1 packet
> Jun  9 13:08:35 border8215 list 110 denied udp 206.65.191.194(14655) -> x.x.x.66(53), 1 packet
> Jun  9 13:09:23 border8215 list 110 denied udp 64.14.117.10(11995) -> x.x.x.66(53), 1 packet
> Jun  9 13:09:31 border8215 list 110 denied udp 208.185.219.166(46591) -> x.x.x.66(53), 1 packet
> Jun  9 13:09:34 border8215 list 110 denied udp 202.160.241.130(38978) -> x.x.x.66(53), 1 packet
> Jun  9 13:09:44 border8215 list 110 denied udp 212.162.1.194(20933) -> x.x.x.66(53), 1 packet
> Jun  9 13:10:01 border8215 list 110 denied udp 212.187.170.2(53849) -> x.x.x.66(53), 1 packet
> Jun  9 15:44:41 border8215 list 110 denied udp 202.160.241.130(41535) -> x.x.x.66(53), 1 packet
> Jun  9 15:46:14 border8215 list 110 denied udp 216.73.82.10(16845) -> x.x.x.66(53), 1 packet
> Jun  9 15:46:17 border8215 list 110 denied udp 216.73.84.31(23696) -> x.x.x.66(53), 1 packet
> Jun  9 15:46:23 border8215 list 110 denied udp 216.73.83.10(61452) -> x.x.x.66(53), 1 packet
> Jun  9 15:46:25 border8215 list 110 denied udp 208.185.219.166(50661) -> x.x.x.66(53), 1 packet
> Jun  9 15:46:54 border8215 list 110 denied udp 64.14.117.10(15485) -> x.x.x.66(53), 1 packet
> Jun  9 15:47:03 border8215 list 110 denied udp 63.210.193.2(56097) -> x.x.x.66(53), 1 packet
> Jun  9 15:47:16 border8215 list 110 denied udp 65.169.170.131(33820) -> x.x.x.66(53), 1 packet
> Jun  9 15:47:23 border8215 list 110 denied udp 208.185.54.14(41607) -> x.x.x.66(53), 1 packet
> Jun  9 15:48:04 border8215 list 110 denied udp 212.162.1.194(23903) -> x.x.x.66(53), 1 packet
> Jun  9 15:48:33 border8215 list 110 denied udp 212.187.170.2(61715) -> x.x.x.66(53), 1 packet
> Jun  9 15:48:37 border8215 list 110 denied udp 64.15.251.198(17883) -> x.x.x.66(53), 1 packet
> Jun  9 15:48:41 border8215 list 110 denied udp 202.160.241.130(41535) -> x.x.x.66(53), 1 packet
> Jun 10 09:58:42 border8215 list 110 denied udp 216.73.84.31(27638) -> x.x.x.66(53), 1 packet
> Jun 10 09:58:43 border8215 list 110 denied udp 64.28.86.226(43463) -> x.x.x.66(53), 1 packet
> Jun 10 09:58:51 border8215 list 110 denied udp 216.73.84.31(27638) -> x.x.x.66(53), 1 packet
> Jun 10 09:58:53 border8215 list 110 denied udp 64.14.117.10(40542) -> x.x.x.66(53), 1 packet
> Jun 10 13:08:52 border8215 list 110 denied udp 202.222.25.4(53323) -> x.x.x.66(53), 1 packet
> Jun 10 13:09:11 border8215 list 110 denied udp 208.185.219.166(22559) -> x.x.x.66(53), 1 packet
> Jun 10 13:09:36 border8215 list 110 denied udp 198.5.148.6(1671) -> x.x.x.66(53), 1 packet
> Jun 10 13:09:50 border8215 list 110 denied udp 208.184.139.82(51743) -> x.x.x.66(53), 1 packet
> Jun 10 13:10:01 border8215 list 110 denied udp 208.185.54.14(36411) -> x.x.x.66(53), 1 packet
> Jun 10 13:10:05 border8215 list 110 denied udp 64.0.96.12(34882) -> x.x.x.66(53), 1 packet
> Jun 10 13:10:07 border8215 list 110 denied udp 64.124.186.66(37137) -> x.x.x.66(53), 1 packet
> Jun 10 13:10:11 border8215 list 110 denied udp 64.41.192.103(15549) -> x.x.x.66(53), 1 packet
> Jun 10 13:10:23 border8215 list 110 denied udp 212.187.170.2(25736) -> x.x.x.66(53), 1 packet
> Jun 10 13:10:30 border8215 list 110 denied udp 65.216.78.66(54250) -> x.x.x.66(53), 1 packet
> Jun 10 13:42:43 border8215 list 110 denied udp 205.158.108.194(23079) -> x.x.x.66(53), 1 packet
> Jun 10 13:42:53 border8215 list 110 denied udp 65.169.170.131(5925) -> x.x.x.66(53), 1 packet
> Jun 10 13:42:55 border8215 list 110 denied udp 66.236.129.66(3881) -> x.x.x.66(53), 1 packet
> Jun 10 13:43:32 border8215 list 110 denied udp 198.5.148.6(1671) -> x.x.x.66(53), 1 packet
> Jun 10 13:44:03 border8215 list 110 denied udp 64.0.96.12(34882) -> x.x.x.66(53), 1 packet
> Jun 10 13:44:20 border8215 list 110 denied udp 208.185.54.14(36411) -> x.x.x.66(53), 1 packet
> Jun 10 13:45:01 border8215 list 110 denied udp 64.41.192.103(15549) -> x.x.x.66(53), 1 packet
> Jun 10 13:45:11 border8215 list 110 denied udp 209.120.155.226(53089) -> x.x.x.66(53), 1 packet
> Jun 10 13:45:16 border8215 list 110 denied udp 216.73.87.200(53589) -> x.x.x.66(53), 1 packet
> Jun 10 13:45:43 border8215 list 110 denied udp 210.224.186.4(17990) -> x.x.x.66(53), 1 packet
> Jun 10 13:46:35 border8215 list 110 denied udp 212.187.170.2(25736) -> x.x.x.66(53), 1 packet
> Jun 10 13:46:37 border8215 list 110 denied udp 202.160.241.130(8969) -> x.x.x.66(53), 1 packet
> Jun 10 13:46:49 border8215 list 110 denied udp 64.14.117.10(54548) -> x.x.x.66(53), 1 packet
> Jun 10 19:00:42 border8215 list 110 denied udp 216.73.87.200(56568) -> x.x.x.66(53), 1 packet
> Jun 10 19:02:03 border8215 list 110 denied udp 216.73.87.200(56568) -> x.x.x.66(53), 1 packet
> Jun 10 19:02:45 border8215 list 110 denied udp 64.0.96.12(46155) -> x.x.x.66(53), 1 packet
> Jun 10 19:03:36 border8215 list 110 denied udp 65.216.78.66(60551) -> x.x.x.66(53), 1 packet
> Jun 10 19:04:36 border8215 list 110 denied udp 209.120.155.226(53985) -> x.x.x.66(53), 1 packet
> Jun 10 19:04:41 border8215 list 110 denied udp 64.41.192.103(26575) -> x.x.x.66(53), 1 packet
> Jun 10 19:04:45 border8215 list 110 denied udp 65.59.207.50(23375) -> x.x.x.66(53), 1 packet
> Jun 10 19:05:01 border8215 list 110 denied udp 64.14.117.10(1627) -> x.x.x.66(53), 1 packet
> Jun 10 19:05:32 border8215 list 110 denied udp 208.185.219.166(33016) -> x.x.x.66(53), 1 packet
> Jun 10 19:05:40 border8215 list 110 denied udp 208.185.54.14(52597) -> x.x.x.66(53), 1 packet
> Jun 10 19:05:42 border8215 list 110 denied udp 65.169.170.131(14164) -> x.x.x.66(53), 1 packet
> Jun 10 19:05:49 border8215 list 110 denied udp 205.158.108.194(26091) -> x.x.x.66(53), 1 packet
> Jun 10 19:46:28 border8215 list 110 denied udp 64.0.96.12(46155) -> x.x.x.66(53), 1 packet
> Jun 10 19:46:29 border8215 list 110 denied udp 202.160.241.130(18365) -> x.x.x.66(53), 1 packet
> Jun 10 19:47:19 border8215 list 110 denied udp 64.0.96.12(46155) -> x.x.x.66(53), 1 packet
> Jun 10 19:47:38 border8215 list 110 denied udp 213.61.6.2(40915) -> x.x.x.66(53), 1 packet
> Jun 10 19:47:59 border8215 list 110 denied udp 212.0.126.130(62996) -> x.x.x.66(53), 1 packet
> Jun 10 19:48:08 border8215 list 110 denied udp 4.78.20.2(16087) -> x.x.x.66(53), 1 packet
> Jun 10 19:49:09 border8215 list 110 denied udp 80.15.238.66(27253) -> x.x.x.66(53), 1 packet
> Jun 10 19:50:01 border8215 list 110 denied udp 208.185.54.14(52597) -> x.x.x.66(53), 1 packet
> Jun 10 19:50:22 border8215 list 110 denied udp 65.169.170.131(14164) -> x.x.x.66(53), 1 packet
> Jun 10 19:50:25 border8215 list 110 denied udp 208.185.219.166(33016) -> x.x.x.66(53), 1 packet
> Jun 10 19:50:29 border8215 list 110 denied udp 212.187.170.2(50586) -> x.x.x.66(53), 1 packet
> Jun 10 19:50:36 border8215 list 110 denied udp 65.216.78.66(60551) -> x.x.x.66(53), 1 packet
> Jun 10 19:51:15 border8215 list 110 denied udp 64.14.117.10(1627) -> x.x.x.66(53), 1 packet
> Jun 10 19:51:18 border8215 list 110 denied udp 64.41.192.103(26575) -> x.x.x.66(53), 1 packet
> Jun 10 19:51:21 border8215 list 110 denied udp 80.15.238.99(27421) -> x.x.x.66(53), 1 packet
> Jun 10 19:51:22 border8215 list 110 denied udp 210.224.186.4(19957) -> x.x.x.66(53), 1 packet
> Jun 10 19:51:29 border8215 list 110 denied udp 202.160.241.130(18365) -> x.x.x.66(53), 1 packet
> Jun 11 04:32:14 border8215 list 110 denied udp 64.0.96.12(57994) -> x.x.x.66(53), 1 packet
> Jun 11 04:32:33 border8215 list 110 denied udp 65.169.170.131(25577) -> x.x.x.66(53), 1 packet
> Jun 11 04:32:36 border8215 list 110 denied udp 208.185.219.166(42704) -> x.x.x.66(53), 1 packet
> Jun 11 04:32:40 border8215 list 110 denied udp 212.187.170.2(12932) -> x.x.x.66(53), 1 packet
> Jun 11 04:32:55 border8215 list 110 denied udp 210.224.186.4(22322) -> x.x.x.66(53), 1 packet
> Jun 11 04:32:59 border8215 list 110 denied udp 64.41.192.103(38313) -> x.x.x.66(53), 1 packet
> Jun 11 04:33:15 border8215 list 110 denied udp 64.14.117.10(13632) -> x.x.x.66(53), 1 packet
> Jun 11 04:33:40 border8215 list 110 denied udp 202.160.241.130(27345) -> x.x.x.66(53), 1 packet
> Jun 11 09:19:39 border8215 list 110 denied udp 65.169.170.131(36172) -> x.x.x.66(53), 1 packet
> Jun 11 09:19:42 border8215 list 110 denied udp 208.254.18.130(46116) -> x.x.x.66(53), 1 packet
> Jun 11 09:20:01 border8215 list 110 denied udp 208.185.54.14(22715) -> x.x.x.66(53), 1 packet
> Jun 11 09:20:36 border8215 list 110 denied udp 202.160.241.130(36501) -> x.x.x.66(53), 1 packet
> Jun 11 09:20:56 border8215 list 110 denied udp 206.65.191.194(20929) -> x.x.x.66(53), 1 packet
> Jun 11 09:21:18 border8215 list 110 denied udp 63.166.13.66(11341) -> x.x.x.66(53), 1 packet
> Jun 11 09:21:22 border8215 list 110 denied udp 208.185.219.166(49806) -> x.x.x.66(53), 1 packet
> Jun 11 09:21:30 border8215 list 110 denied udp 212.187.170.2(39759) -> x.x.x.66(53), 1 packet
> Jun 11 09:21:49 border8215 list 110 denied udp 212.162.1.194(30971) -> x.x.x.66(53), 1 packet
> Jun 11 09:21:53 border8215 list 110 denied udp 64.14.117.10(25467) -> x.x.x.66(53), 1 packet
> Jun 11 12:33:46 border8215 list 110 denied udp 202.160.241.130(36501) -> x.x.x.66(53), 1 packet
> Jun 11 12:34:12 border8215 list 110 denied udp 208.185.219.166(49806) -> x.x.x.66(53), 1 packet
> Jun 11 12:34:18 border8215 list 110 denied udp 65.169.170.131(36172) -> x.x.x.66(53), 1 packet
> Jun 11 12:34:48 border8215 list 110 denied udp 64.41.192.103(50568) -> x.x.x.66(53), 1 packet
> Jun 11 12:35:01 border8215 list 110 denied udp 208.185.54.14(22715) -> x.x.x.66(53), 1 packet
> Jun 11 12:36:08 border8215 list 110 denied udp 210.224.186.4(24396) -> x.x.x.66(53), 1 packet
> Jun 11 12:36:16 border8215 list 110 denied udp 212.187.170.2(39759) -> x.x.x.66(53), 1 packet
> Jun 12 05:57:44 border8215 list 110 denied udp 65.169.170.131(2764) -> x.x.x.66(53), 1 packet
> Jun 12 05:59:39 border8215 list 110 denied udp 208.185.54.14(18911) -> x.x.x.66(53), 1 packet
> Jun 12 06:00:01 border8215 list 110 denied udp 64.14.117.10(62550) -> x.x.x.66(53), 1 packet
> Jun 12 06:00:17 border8215 list 110 denied udp 64.41.192.103(21552) -> x.x.x.66(53), 1 packet
> Jun 12 06:01:10 border8215 list 110 denied udp 208.185.219.166(18043) -> x.x.x.66(53), 1 packet
> Jun 12 06:01:13 border8215 list 110 denied udp 212.187.170.2(58931) -> x.x.x.66(53), 1 packet
> Jun 12 06:01:51 border8215 list 110 denied udp 202.160.241.130(60279) -> x.x.x.66(53), 1 packet
> Jun 12 11:46:59 border8215 list 110 denied udp 208.185.54.14(36729) -> x.x.x.66(53), 1 packet
> Jun 12 11:48:50 border8215 list 110 denied udp 208.185.54.14(36729) -> x.x.x.66(53), 1 packet
> Jun 12 11:49:10 border8215 list 110 denied udp 213.61.6.2(18919) -> x.x.x.66(53), 1 packet
> Jun 12 11:49:20 border8215 list 110 denied udp 213.61.6.2(18919) -> x.x.x.66(53), 1 packet
> Jun 12 11:49:45 border8215 list 110 denied udp 202.160.241.130(6174) -> x.x.x.66(53), 1 packet
> Jun 12 11:50:05 border8215 list 110 denied udp 209.120.155.226(61268) -> x.x.x.66(53), 1 packet
> Jun 12 11:50:06 border8215 list 110 denied udp 203.129.66.194(15329) -> x.x.x.66(53), 1 packet
> Jun 12 11:51:40 border8215 list 110 denied udp 209.120.155.226(61268) -> x.x.x.66(53), 1 packet
> Jun 12 11:51:44 border8215 list 110 denied udp 216.200.68.2(52025) -> x.x.x.66(53), 1 packet
> Jun 12 11:52:02 border8215 list 110 denied udp 209.120.213.226(64142) -> x.x.x.66(53), 1 packet
> Jun 12 11:52:04 border8215 list 110 denied udp 212.162.1.194(5505) -> x.x.x.66(53), 1 packet
> Jun 12 11:52:19 border8215 list 110 denied udp 203.129.66.194(15329) -> x.x.x.66(53), 1 packet
> Jun 12 11:54:09 border8215 list 110 denied udp 65.169.170.131(13716) -> x.x.x.66(53), 1 packet
> Jun 12 11:55:36 border8215 list 110 denied udp 65.169.170.131(13716) -> x.x.x.66(53), 1 packet
> Jun 12 11:55:39 border8215 list 110 denied udp 208.185.219.166(32283) -> x.x.x.66(53), 1 packet
> Jun 12 11:55:41 border8215 list 110 denied udp 208.185.54.14(36729) -> x.x.x.66(53), 1 packet
> Jun 12 11:56:06 border8215 list 110 denied udp 208.254.18.130(50445) -> x.x.x.66(53), 1 packet
> Jun 12 11:56:13 border8215 list 110 denied udp 63.166.13.66(22775) -> x.x.x.66(53), 1 packet
> Jun 12 11:56:26 border8215 list 110 denied udp 202.160.241.130(6174) -> x.x.x.66(53), 1 packet
> Jun 12 11:56:58 border8215 list 110 denied udp 212.187.170.2(17642) -> x.x.x.66(53), 1 packet
> Jun 12 11:56:59 border8215 list 110 denied udp 206.65.191.194(24770) -> x.x.x.66(53), 1 packet
> Jun 12 11:57:11 border8215 list 110 denied udp 64.14.117.10(7838) -> x.x.x.66(53), 1 packet
> Jun 12 11:57:43 border8215 list 110 denied udp 212.162.1.194(5505) -> x.x.x.66(53), 1 packet

Note: Times are US/Eastern (GMT-0400)
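A small parser for ACL deny lines in the format quoted above, added here as an example and not part of the original mail. It groups denied UDP/53 hits by source address, counts the distinct days each source shows up (the daily-repeating pattern the post describes), and flags (source IP, source port) pairs that appear more than once, since a pair that recurs with the same source port, like 65.169.170.131(30278) twice on Jun 9 in the quoted log, looks more like one socket retrying a query than a fresh probe. The sample lines embedded below are constructed in the shape of the quoted log; the function and field names are this example's own.

```python
"""Summarize Cisco-style ACL deny lines like the ones quoted in the post.

Added example, not the poster's code: per-source hit counts, distinct days
per source, and recurring (source IP, source port) pairs.
"""
import re
from collections import defaultdict

# One quoted line looks like:
# "Jun  8 16:03:49 border8215 list 110 denied udp 1.2.3.4(55555) -> x.x.x.66(53), 1 packet"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+list\s+(?P<acl>\d+)\s+denied\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[\w.]+)\((?P<dport>\d+)\),\s+"
    r"(?P<pkts>\d+)\s+packet"
)

# Constructed sample input in the same shape as the quoted log (not the full log).
SAMPLE_LOG = """\
Jun  8 16:03:49 border8215 list 110 denied udp 128.242.107.15(55555) -> x.x.x.66(53), 1 packet
Jun  8 16:17:25 border8215 list 110 denied udp 65.169.170.131(1471) -> x.x.x.66(53), 1 packet
Jun  9 13:07:21 border8215 list 110 denied udp 65.169.170.131(30278) -> x.x.x.66(53), 1 packet
Jun  9 13:08:14 border8215 list 110 denied udp 65.169.170.131(30278) -> x.x.x.66(53), 1 packet
Jun 10 13:42:53 border8215 list 110 denied udp 65.169.170.131(5925) -> x.x.x.66(53), 1 packet
Jun 10 19:00:42 border8215 list 110 denied udp 216.73.87.200(56568) -> x.x.x.66(53), 1 packet
Jun 10 19:02:03 border8215 list 110 denied udp 216.73.87.200(56568) -> x.x.x.66(53), 1 packet
this line is not an ACL entry and is skipped by the parser
"""


def parse_lines(text):
    """Yield one dict per line that matches LINE_RE; skip everything else."""
    for line in text.splitlines():
        # Tolerate mail-style "> " quoting in front of each line.
        line = line.strip().lstrip("> ").strip()
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pkts"] = int(rec["pkts"])
            yield rec


def summarize(text, proto="udp", dport="53"):
    """Per-source stats for denied hits on the given protocol/destination port."""
    per_src = defaultdict(lambda: {"hits": 0, "days": set(), "ports": defaultdict(int)})
    for rec in parse_lines(text):
        if rec["proto"] != proto or rec["dport"] != dport:
            continue
        s = per_src[rec["src"]]
        s["hits"] += rec["pkts"]
        s["days"].add(f'{rec["mon"]} {int(rec["day"])}')
        s["ports"][rec["sport"]] += 1
    return per_src


def recurring_sources(stats, min_days=2):
    """Sources seen on at least min_days distinct days: the daily-repeat pattern."""
    return sorted(src for src, s in stats.items() if len(s["days"]) >= min_days)


def retransmit_pairs(stats):
    """(src, sport) pairs seen more than once: same socket retrying, not a fresh probe."""
    return sorted(
        (src, sport)
        for src, s in stats.items()
        for sport, n in s["ports"].items()
        if n > 1
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["hits"]):
        print(f'{src:16} hits={s["hits"]} days={sorted(s["days"])}')
    print("recurring sources:", recurring_sources(stats))
    print("retransmit pairs:", retransmit_pairs(stats))
```

Feeding the full quoted block to `summarize` (the parser strips the leading `> `) gives the per-source view the post is asking about: which addresses come back day after day, and which single-address bursts are just one source port retried a minute or two apart. A netcat or tcpdump capture on the target host, as the poster plans, is still what tells you what is inside those UDP payloads.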



