[Dshield] I found the Attackers from 127.0.0.1

John Sage jsage at finchhaven.com
Tue Mar 9 15:30:49 GMT 2004


No.

On Tue, Mar 09, 2004 at 06:52:37AM +0430, Mr Babak Memari wrote:
> From: "Mr Babak Memari" <memari at myrealbox.com>
> To: list at dshield.org
> Date: Tue, 09 Mar 2004 06:52:37 +0430
> Subject: [Dshield] I found the Attackers from  127.0.0.1
> 
> I found the Attackers from  127.0.0.1
> 
> all picture are here
> http://www.geocities.com/neozata/index.html 


What you "found" is a domain name that, for whatever reason, has an A
record of 127.0.0.1:

[jsage at sparky /storage/virii] $ dig @greatwall any www.coderz.net
 
; <<>> DiG 9.2.1 <<>> @greatwall any www.coderz.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63240
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
 
;; QUESTION SECTION:
;www.coderz.net.                        IN      ANY
 
;; ANSWER SECTION:
www.coderz.net.         2400    IN      A       127.0.0.1
 
;; AUTHORITY SECTION:
coderz.net.             259200  IN      NS      ns1.mydomain.com.
coderz.net.             259200  IN      NS      ns2.mydomain.com.
coderz.net.             259200  IN      NS      ns3.mydomain.com.
coderz.net.             259200  IN      NS      ns4.mydomain.com.
 
;; Query time: 185 msec
;; SERVER: 192.168.1.2#53(greatwall)
;; WHEN: Tue Mar  9 07:22:50 2004
;; MSG SIZE  rcvd: 132


That is a long way from proof that the specific packet your firewall
is showing actually came from that domain.

An A record of "127.0.0.1" is often used to turn off a domain name for
some reason or other...


- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
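Added example, not part of John's reply or anything the original poster ran: a small script that makes the two points above concrete. It parses the ANSWER SECTION of dig output (a constructed copy modelled on the lookup quoted in the mail, with extra records added), classifies the source address of iptables-style firewall log lines with the standard library, and shows that a loopback source arriving on an external interface is spoofed or bogus and cannot be attributed to any domain, even though one or many names happen to resolve to 127.0.0.1. Host name "fw", the log lines, the extra DNS records and all addresses other than the one in the mail are constructed for the example.

```python
"""Added example: why a name with an A record of 127.0.0.1 does not explain a
firewall hit 'from' 127.0.0.1. All inputs below are constructed, not captured."""
import ipaddress
import re

# Constructed dig output, modelled on the lookup quoted in the mail; the
# 'parked.example' and MX records are made up to show many-to-one mapping.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;www.coderz.net.                        IN      ANY

;; ANSWER SECTION:
www.coderz.net.         2400    IN      A       127.0.0.1
www.coderz.net.         2400    IN      MX      10 mail.coderz.net.
parked.example.         3600    IN      A       127.0.0.1

;; AUTHORITY SECTION:
coderz.net.             259200  IN      NS      ns1.mydomain.com.
"""

# Constructed iptables-style log lines from a hypothetical firewall 'fw'.
FW_LOG = [
    "Mar  9 07:22:50 fw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=203.0.113.5 PROTO=TCP SPT=4321 DPT=135",
    "Mar  9 07:22:51 fw kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40000 DPT=22",
    "Mar  9 07:22:52 fw kernel: IN=eth0 OUT= SRC=192.168.1.2 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=53",
]

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
LOG_RE = re.compile(r"IN=(?P<iface>\S*).*?SRC=(?P<src>[0-9a-fA-F.:]+)")


def parse_dig_answer(text):
    """Return [(name, ttl, rtype, rdata)] from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break  # a blank line ends the section
            m = ANSWER_RE.match(line.strip())
            if m:
                name, ttl, rtype, rdata = m.groups()
                records.append((name.rstrip("."), int(ttl), rtype, rdata))
    return records


def classify(addr):
    """Coarse address class; loopback is checked first because 127/8 is also 'private'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private or ip.is_reserved or not ip.is_global:
        return "non-routable"
    return "global"


def names_pointing_at(records, addr):
    """Every name whose A/AAAA data equals addr. Forward DNS is many-to-one, so
    this is a list of names that chose to point here, never proof of origin."""
    return sorted(n for n, _, t, r in records if t in ("A", "AAAA") and r == addr)


def triage(line, records):
    """Decide what a log line's source address can and cannot tell you."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, iface = m.group("src"), m.group("iface")
    kind = classify(src)
    if kind == "loopback" and iface != "lo":
        # Loopback packets never legitimately arrive on a real interface:
        # spoofed, a broken stack upstream, or a logging artefact. Drop with
        # an anti-spoofing rule; there is no remote host to attribute it to.
        verdict = "spoofed-or-bogus"
    elif kind == "loopback":
        verdict = "local-traffic"
    elif kind != "global":
        verdict = "bogon-source"  # RFC 1918 etc. on an external interface
    else:
        verdict = "routable-source"  # still needs PTR/whois, not forward DNS
    return {"src": src, "iface": iface, "class": kind, "verdict": verdict,
            "dns_names": names_pointing_at(records, src)}


if __name__ == "__main__":
    recs = parse_dig_answer(DIG_OUTPUT)
    for entry in FW_LOG:
        print(triage(entry, recs))
```

Running it shows both constructed names listed under the 127.0.0.1 hits, yet the eth0 line is still classed as spoofed or bogus: the names tell you who pointed a record at loopback, not who sent the packet.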