[Dshield] Any ideas?

Bob's Lists bob.lists at raha.com
Sun Oct 14 22:10:55 GMT 2001


Spam?

It is becoming a common tactic for the spammers to install 127.0.0.1 as their RDNS entries.

BZAM and BZAH are two notable spamhauses which do this. It causes all the bounces and returns to fail, and causes your DNS server to puke out lots of 'lame delegation' errors. Could be that your firewall was getting hit by these and trying to look up itself for DNS queries...

Regards

Bob

> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On Behalf Of Chris Carboni
> Sent: Friday, October 12, 2001 11:41 PM
> To: dshield at dshield.org
> Subject: [Dshield] Any ideas?
> 
> 
> Yesterday one of our firewalls stopped responding instantly at about 9:35 am
> Eastern.  It was rebooted and when the log was analyzed there were thousands
> of entries like this ...
> 
> 
> 245503: Oct 11	09:38:51 (our firewall name here) kernel:	UDP refused 53 at 7f000001 -> 3534 at 7f000001 lo0
> 245504: Oct 11	09:38:51 (our firewall name here) kernel:	UDP refused 53 at 7f000001 -> 3535 at 7f000001 lo0
> 245505: Oct 11	09:38:51 (our firewall name here) kernel:	UDP refused 53 at 7f000001 -> 3536 at 7f000001 lo0
> 245506: Oct 11	09:38:51 (our firewall name here) kernel:	UDP refused 53 at 7f000001 -> 3549 at 7f000001 lo0
> 245507: Oct 11	09:38:51 (our firewall name here) kernel:	UDP refused 53 at 7f000001 -> 3560 at 7f000001 lo0
> 245508: Oct 11	09:38:52 (our firewall name here) kernel:	UDP refused 53 at 7f000001 -> 3561 at 7f000001 lo0
> 
> Is this consistent with the signature of known BIND attacks?
> 
> If not, does anyone have any idea what this is?
> 
> Thanks!
> 
> 
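Added example, not part of either message in this thread: a small triage script for log entries in the format quoted above. It assumes each entry reads "source port at hex IPv4 address -> destination port at hex IPv4 address, interface" (an interpretation of the format, not something the posters state), and it counts per second the refused UDP packets with source port 53 whose two ends are both loopback. The sample lines, the hostname `fw1` and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample lines in the quoted format (unwrapped); "fw1" is a placeholder.
SAMPLE = """\
245503: Oct 11 09:38:51 fw1 kernel: UDP refused 53 at 7f000001 -> 3534 at 7f000001 lo0
245504: Oct 11 09:38:51 fw1 kernel: UDP refused 53 at 7f000001 -> 3535 at 7f000001 lo0
245505: Oct 11 09:38:51 fw1 kernel: UDP refused 53 at 7f000001 -> 3536 at 7f000001 lo0
245506: Oct 11 09:38:52 fw1 kernel: UDP refused 53 at 7f000001 -> 3561 at 7f000001 lo0
245507: Oct 11 09:38:52 fw1 kernel: UDP refused 137 at c0a80105 -> 137 at c0a801ff eth0
"""

# Assumed field layout: seq, timestamp, host, proto, sport/src, dport/dst, interface.
# The archive shows "at" between port and address; "@" is accepted as well.
LINE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+.*?kernel:\s+"
    r"(?P<proto>\w+) refused\s+(?P<sport>\d+)\s*(?:at|@)\s*(?P<src>[0-9a-f]{8})"
    r"\s*->\s*(?P<dport>\d+)\s*(?:at|@)\s*(?P<dst>[0-9a-f]{8})\s+(?P<ifc>\S+)$",
    re.IGNORECASE,
)

def parse(line):
    """Return a dict for one log entry, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Addresses are logged as 8 hex digits: 7f000001 is 127.0.0.1.
    rec["src"] = IPv4Address(int(rec["src"], 16))
    rec["dst"] = IPv4Address(int(rec["dst"], 16))
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_loopback_dns_reply(rec):
    """UDP from port 53 where both ends are in 127.0.0.0/8."""
    return (rec["proto"].upper() == "UDP" and rec["sport"] == 53
            and rec["src"].is_loopback and rec["dst"].is_loopback)

def bursts(text, threshold):
    """Map timestamp -> count for seconds with at least `threshold` matching entries."""
    per_second = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec and is_loopback_dns_reply(rec):
            per_second[rec["ts"]] += 1
    return {ts: n for ts, n in per_second.items() if n >= threshold}

if __name__ == "__main__":
    for ts, n in bursts(SAMPLE, threshold=3).items():
        print(f"{ts}: {n} refused loopback-to-loopback packets from port 53")
```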



