[Dshield] I found the Attackers from 127.0.0.1
jsage at finchhaven.com
Tue Mar 9 15:30:49 GMT 2004
On Tue, Mar 09, 2004 at 06:52:37AM +0430, Mr Babak Memari wrote:
> From: "Mr Babak Memari" <memari at myrealbox.com>
> To: list at dshield.org
> Date: Tue, 09 Mar 2004 06:52:37 +0430
> Subject: [Dshield] I found the Attackers from 127.0.0.1
> I found the Attackers from 127.0.0.1
> all pictures are here
What you "found" is a domain name that, for whatever reason, has an A
record of 127.0.0.1:
[jsage at sparky /storage/virii] $ dig @greatwall any www.coderz.net
; <<>> DiG 9.2.1 <<>> @greatwall any www.coderz.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63240
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;www.coderz.net. IN ANY
;; ANSWER SECTION:
www.coderz.net. 2400 IN A 127.0.0.1
;; AUTHORITY SECTION:
coderz.net. 259200 IN NS ns1.mydomain.com.
coderz.net. 259200 IN NS ns2.mydomain.com.
coderz.net. 259200 IN NS ns3.mydomain.com.
coderz.net. 259200 IN NS ns4.mydomain.com.
;; Query time: 185 msec
;; SERVER: 192.168.1.2#53(greatwall)
;; WHEN: Tue Mar 9 07:22:50 2004
;; MSG SIZE rcvd: 132
That is a long way from proof that the specific packet your firewall
is showing actually came from that domain.
"127.0.0.1" is often used to turn off a domain name for
some reason or other...
"Mad cow? You'd be mad too, if someone was trying to eat you."
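As an added example that is not part of the original thread: a small Python check, assuming dig's text output format as quoted above, that pulls the A records out of a dig answer and labels loopback, private and other special-use addresses, so a parked or disabled name like the one above is not mistaken for the origin of a logged packet. The sample dig text is constructed from the reply.

```python
import ipaddress
import re

# Constructed sample: the ANSWER/AUTHORITY sections of the dig output quoted in the reply.
DIG_OUTPUT = """\
;; ANSWER SECTION:
www.coderz.net. 2400 IN A 127.0.0.1
;; AUTHORITY SECTION:
coderz.net. 259200 IN NS ns1.mydomain.com.
"""

# One resource record line as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S+)$")


def parse_a_records(dig_text):
    """Return (owner name, IPv4 address) pairs from dig's ANSWER section only."""
    records = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";;"):
            # Section markers switch us into or out of the answer section.
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR_LINE.match(line.strip())
        if in_answer and m and m.group("type") == "A":
            records.append((m.group("name").rstrip("."),
                            ipaddress.ip_address(m.group("data"))))
    return records


def classify_address(addr):
    """Label whether an address could plausibly be the source of an Internet packet.

    Loopback is checked first because Python also counts it as private.
    """
    if addr.is_loopback:
        return "loopback"      # name is parked/disabled; cannot send you packets
    if addr.is_private:
        return "private"       # RFC 1918 and similar; not reachable across the Internet
    if addr.is_multicast or addr.is_link_local or addr.is_reserved or addr.is_unspecified:
        return "special-use"   # never a routable unicast source
    return "routable"          # still only a forward lookup, not proof of origin


def attribution_check(dig_text):
    """Pair every A record in the answer with its classification."""
    return [(name, str(addr), classify_address(addr))
            for name, addr in parse_a_records(dig_text)]
```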