[Dshield] Possible Intrusion Attempt?

Shdwdrgn forum at dshield.org
Thu Dec 15 20:41:59 GMT 2005

Every now and then I scan google for my domain name and IP addresses, just to verify someone hasn't hacked into my servers and started doing "bad things".  I was surprised today to run across this posting, but after reading the follow-ups I felt I should mention a couple of relevant points...

First off, as mentioned previously, I do run a public DNS server.  I offer an open tier-2 server as part of OpenNic.  If the original poster was using OpenNic at the time, then yes it is possible they may see some stray packets from my server bouncing through the firewall.

Since I have been listed with OpenNic, I have noticed a huge amount of DNS requests for domains that did not exist.  After watching the mangled names for a while and talking to others online, I came to the conclusion that these lookups were actually coming from zombies.  I confirmed that all of the requests were under the control of a single entity when I observed on several occasions that ALL of the lookups would suddenly stop for about an hour, then instantly start up again.  Probably someone loading up the next spam run?  Anyway, I wrote a bash script and set up iptables to catch the obvious offenders (what are the odds that 6 different IP addresses would legitimately request the same bad domain name in a 1-second period?) and block them for a period of time from my servers.  The results were immediate and my script generally maintains around 1000 blocked IPs at any time, not to mention the server is no longer being hammered to its limits.

So my second theory is that possibly the original poster had a trojan on his system at the time of his posting, and it was this trojan which was making the DNS requests that were logged by ZoneAlarm.  This information is probably too late to be of any use to him, but may provide another avenue of investigation to others who see similar unknown DNS packets being logged.
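As an added example (not the poster's own script), here is a shell sketch of the heuristic described above: one function reads BIND-style query-log lines and reports client IPs that asked for the same name as at least N distinct clients within the same one-second timestamp, and a second function turns those IPs into iptables DROP rules. The log lines are constructed and only approximate BIND's query-log format; the threshold, the same-second bucketing and the exact rule form are assumptions.

```shell
#!/bin/bash
# Constructed sample query log (roughly BIND 9 "queries" format); three
# zombies hit the same bogus name in one second, one host queries a real
# name, and one more zombie asks for the bogus name a second later.
LOG='15-Dec-2005 20:41:59.101 client 203.0.113.5#1025: query: x7q2k.example.net IN A +
15-Dec-2005 20:41:59.240 client 203.0.113.6#1025: query: x7q2k.example.net IN A +
15-Dec-2005 20:41:59.388 client 203.0.113.7#1025: query: x7q2k.example.net IN A +
15-Dec-2005 20:41:59.402 client 203.0.113.20#3312: query: www.example.org IN A +
15-Dec-2005 20:42:00.015 client 203.0.113.21#3313: query: x7q2k.example.net IN A +'

# detect_offenders THRESHOLD: read log lines on stdin, print (sorted) the
# client IPs that queried a name which THRESHOLD or more distinct clients
# also queried within the same one-second timestamp.
detect_offenders() {
  local threshold="${1:-6}"
  awk -v thr="$threshold" '
    /client .*query:/ {
      # $2 = time (drop milliseconds), $4 = ip#port:, $6 = queried name
      sub(/\.[0-9]+$/, "", $2)
      split($4, c, "#"); ip = c[1]
      key = $2 " " $6
      if (!((key, ip) in seen)) {
        seen[key, ip] = 1; count[key]++; ips[key] = ips[key] " " ip
      }
    }
    END {
      for (k in count) if (count[k] >= thr) {
        n = split(ips[k], a, " ")
        for (i = 1; i <= n; i++) if (a[i] != "") out[a[i]] = 1
      }
      for (ip in out) print ip
    }' | sort
}

# block_offenders: one DROP rule per IP read from stdin. Rules are only
# printed unless RUN=1, so the example is safe to run as-is; the poster's
# script also lifts the block later, which would be the matching "-D" rule.
block_offenders() {
  while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    if [ "${RUN:-0}" = "1" ]; then
      iptables -I INPUT -s "$ip" -p udp --dport 53 -j DROP
    else
      echo "iptables -I INPUT -s $ip -p udp --dport 53 -j DROP"
    fi
  done
}

printf '%s\n' "$LOG" | detect_offenders 3 | block_offenders
```

With the sample above, only the three hosts that shared the same second are flagged; the later straggler and the legitimate lookup are not.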
