[Dshield] reverse DNS pointing to localhost ?
shaun at shaunc.com
Fri Dec 12 21:15:03 GMT 2008
Whoever administers DNS for that IP block has misconfigured things so
that the IP resolves back to "localhost." I tried a couple of
neighboring IPs and they're resolving the same way, so the entire block
is probably affected. The good news, it's not your IDS.
On Fri, 12 Dec 2008 10:14:49 +0100
Stephane Grobety <security at admin.fulgan.com> wrote:
> Hello folks.
> I don't know if there is still anyone around, but if there is, maybe
> someone can explain to me what I'm seeing here.
> Basically, I have a server sitting outside my perimeter firewall
> (hosted in a collocation center). That server has a host-based firewall
> installed as well as an IPS.
> Among the number of log entries created by the firewall and IPS, I
> found several that where refering to the server's one host name as
> source IP address. I was a bit surprised by this so I looked in more
> detail (to make sure the server itself wasn't infected by some nasty
> bug). The actual source IP address had nothing to do with any of the
> ones on the server: 22.214.171.124
> I did a reverse on that IP and got
> PTR-record for 252.51.30.123.in-addr.arpa:
> Points to = localhost
> TTL = 67739 (18 hours, 48 minutes, 59 seconds)
> It seems that, somehow, the IPS log subsystem replaced "localhost" in
> the log by the server host name.
> The triggering packets are UDP to the SQL server port (1434) which are
> tagged as "slammer worm".
> Anyone got an explanation ?
> Dshield mailing list
> Dshield at lists.sans.org
> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
More information about the Dshield