[Dshield] reverse DNS pointing to localhost ?

Stephane Grobety security at admin.fulgan.com
Fri Dec 12 09:14:49 GMT 2008


Hello folks.


I don't know if there is still anyone around, but if there is, maybe
someone can explain to me what I'm seeing here.

Basically, I have a server sitting outside my perimeter firewall
(hosted in a colocation center). That server has a host-based firewall
installed as well as an IPS.

Among the number of log entries created by the firewall and IPS, I
found several that were referring to the server's own host name as
source IP address. I was a bit surprised by this so I looked in more
detail (to make sure the server itself wasn't infected by some nasty
bug). The actual source IP address had nothing to do with any of the
ones on the server: 123.30.51.252

I did a reverse on that IP and got


PTR-record for 252.51.30.123.in-addr.arpa:
    Points to = localhost
    TTL = 67739 (18 hours, 48 minutes, 59 seconds)

It seems that, somehow, the IPS log subsystem replaced "localhost" in
the log by the server host name.

The triggering packets are UDP to the SQL server port (1434) which are
tagged as "slammer worm".

Anyone got an explanation?
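What the post describes is a log subsystem that resolves a source address to a name and then prints the name instead of the address, so a PTR record that an attacker (or a careless operator) points at "localhost" makes a remote packet look like it came from the box itself. The script below is an added illustration, not code from the poster or from any IPS product: it takes the PTR answer from the post plus some constructed sample records, checks the PTR the way a log annotator should (forward-confirmed reverse DNS, plus a blacklist of names that can never legitimately describe a remote source), and always keeps the raw IP in the log line. The resolver tables, the other addresses and the hostname "srv01" are all assumptions made up for the example; no network lookups are performed.

```python
"""Annotate firewall/IPS log sources with a validated PTR name instead of
trusting whatever reverse DNS says.  Added example, not from the original post."""

# Constructed sample data (not real DNS).  The 123.30.51.252 -> localhost entry
# is the case from the post; the other records are invented for illustration.
SAMPLE_PTR = {
    "123.30.51.252": "localhost.",          # PTR points at localhost
    "198.51.100.7": "mail.example.net.",    # a normal, consistent PTR
    "203.0.113.9": "srv01.",                # bare name equal to our own hostname
    "192.0.2.77": "www.example.org.",       # PTR whose forward record disagrees
}
SAMPLE_FORWARD = {
    "localhost": ["127.0.0.1"],
    "mail.example.net": ["198.51.100.7"],
    "srv01": ["192.0.2.10"],
    "www.example.org": ["192.0.2.80"],
}
# Names the logging host uses for itself; a remote source must never map to these.
OWN_NAMES = {"localhost", "srv01"}


def reverse_name(ip):
    """Build the in-addr.arpa owner name that a PTR query for an IPv4 address uses."""
    octets = ip.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def classify_ptr(ip, ptr, forward_records, own_names):
    """Decide how much a PTR answer should be trusted for a given source IP.

    'misleading'        - the name is localhost / the logging host's own name
    'forward-confirmed' - the name's A record contains the IP (FCrDNS passes)
    'unconfirmed'       - the name exists but does not resolve back to the IP
    """
    name = ptr.rstrip(".").lower()
    if name == "localhost" or name.endswith(".localhost") or name in own_names:
        return "misleading"
    if ip in forward_records.get(name, []):
        return "forward-confirmed"
    return "unconfirmed"


def annotate_source(ip, ptr_records=SAMPLE_PTR, forward_records=SAMPLE_FORWARD,
                    own_names=OWN_NAMES):
    """Produce the source field for a log line: the raw IP always stays first,
    the PTR name is only appended together with its trust verdict."""
    ptr = ptr_records.get(ip)
    if ptr is None:
        return f"{ip} (no PTR)"
    verdict = classify_ptr(ip, ptr, forward_records, own_names)
    return f"{ip} ptr={ptr.rstrip('.')} [{verdict}]"


def annotate_log_line(line):
    """Rewrite a constructed 'src=<ip> ...' log line so the source is annotated."""
    fields = line.split()
    out = []
    for field in fields:
        if field.startswith("src="):
            out.append("src=" + annotate_source(field[len("src="):]))
        else:
            out.append(field)
    return " ".join(out)


if __name__ == "__main__":
    # Constructed log lines in the spirit of the post (UDP/1434 "slammer" hits).
    for raw in ["proto=UDP src=123.30.51.252 dport=1434 sig=slammer",
                "proto=UDP src=198.51.100.7 dport=1434 sig=slammer",
                "proto=UDP src=192.0.2.77 dport=1434 sig=slammer"]:
        print(annotate_log_line(raw))
```

The design point is that the PTR owner controls the name, so the name is untrusted input: `classify_ptr` refuses outright any name that describes the logging host itself, and for every other name requires the forward lookup to agree before calling it confirmed. A log subsystem that prints only the resolved name, as the IPS in the post appears to do, discards the one field that cannot be spoofed this way.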


