[Dshield] reverse DNS pointing to localhost?

Shaun shaun at shaunc.com
Fri Dec 12 21:15:03 GMT 2008


Whoever administers DNS for that IP block has misconfigured things so
that the IP resolves back to "localhost." I tried a couple of
neighboring IPs and they're resolving the same way, so the entire block
is probably affected. The good news: it's not your IDS.

-s

On Fri, 12 Dec 2008 10:14:49 +0100
Stephane Grobety <security at admin.fulgan.com> wrote:

> Hello folks.
> 
> 
> I don't know if there is still anyone around, but if there is, maybe
> someone can explain to me what I'm seeing here.
> 
> Basically, I have a server sitting outside my perimeter firewall
> (hosted in a colocation center). That server has a host-based firewall
> installed as well as an IPS.
> 
> Among the number of log entries created by the firewall and IPS, I
> found several that were referring to the server's one host name as
> source IP address. I was a bit surprised by this so I looked in more
> detail (to make sure the server itself wasn't infected by some nasty
> bug). The actual source IP address had nothing to do with any of the
> ones on the server: 123.30.51.252
> 
> I did a reverse on that IP and got
> 
> 
> PTR-record for 252.51.30.123.in-addr.arpa:
>     Points to = localhost
>     TTL = 67739 (18 hours, 48 minutes, 59 seconds)
> 
> It seems that, somehow, the IPS log subsystem replaced "localhost" in
> the log by the server host name.
> 
> The triggering packets are UDP to the SQL server port (1434) which are
> tagged as "slammer worm".
> 
> Anyone got an explanation?
> 
> _______________________________________________
> Dshield mailing list
> Dshield at lists.sans.org
> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
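The thread's lesson is that a PTR answer is just an assertion by whoever runs the reverse zone, and an IPS or firewall that blindly substitutes the resolved name for the source address (here, turning "localhost" into the server's own hostname) produces misleading logs. The following is an added example, not code from the thread or from any IPS product: it classifies a PTR answer, applying forward-confirmed reverse DNS (FCrDNS) and flagging loopback-style names, and decides what a log line should carry. The resolver is pluggable so the example runs offline against a constructed zone; `socket_resolver` is the real-network variant. All hostnames and mappings other than 123.30.51.252 (from the original post) are constructed for illustration.

```python
"""Sanity-check reverse DNS (PTR) answers before trusting them in logs.

Added example, not from the original thread. Uses a pluggable resolver so it
runs offline against constructed data; pass `socket_resolver` for real lookups.
"""
import ipaddress
import socket

# Names a PTR record should never legitimately carry for a public address.
SUSPECT_PTR_NAMES = {"localhost", "localhost.localdomain"}


def reverse_name(ip: str) -> str:
    """Build the reverse-zone name for an address,
    e.g. 123.30.51.252 -> 252.51.30.123.in-addr.arpa (as quoted in the thread)."""
    return ipaddress.ip_address(ip).reverse_pointer


def socket_resolver(ip: str):
    """Real lookup over the network. Returns (ptr_name, [forward_ips]) or (None, [])."""
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None, []
    try:
        fwd = sorted({r[4][0] for r in socket.getaddrinfo(ptr, None)})
    except socket.gaierror:
        fwd = []
    return ptr, fwd


# Constructed reverse/forward data standing in for DNS; only the first entry
# reflects the thread (PTR -> localhost). 192.0.2.0/24 is documentation space.
CONSTRUCTED_ZONE = {
    "123.30.51.252": ("localhost", ["127.0.0.1"]),          # the thread's case
    "192.0.2.10": ("mail.example.net", ["192.0.2.10"]),     # FCrDNS passes
    "192.0.2.20": ("host.example.org", ["198.51.100.5"]),   # PTR does not confirm
    "192.0.2.30": (None, []),                               # no PTR at all
    "192.0.2.40": ("lo.example.com", ["127.0.0.1"]),        # forwards to loopback
}


def constructed_resolver(ip: str):
    """Offline stand-in for socket_resolver using CONSTRUCTED_ZONE."""
    return CONSTRUCTED_ZONE.get(ip, (None, []))


def check_ptr(ip: str, resolver=socket_resolver) -> dict:
    """Classify the PTR answer for `ip`.

    Verdicts:
      no-ptr            nothing in the reverse zone
      suspect-name      PTR is 'localhost' or similar (the thread's case)
      loopback-forward  PTR name resolves forward only to loopback addresses
      unconfirmed       PTR name exists but does not resolve back to `ip`
      confirmed         forward-confirmed reverse DNS (FCrDNS) passes
    """
    ptr, forward_ips = resolver(ip)
    result = {"ip": ip, "reverse_name": reverse_name(ip), "ptr": ptr}
    if ptr is None:
        result["verdict"] = "no-ptr"
        return result
    name = ptr.rstrip(".").lower()
    if name in SUSPECT_PTR_NAMES:
        result["verdict"] = "suspect-name"
    elif forward_ips and all(ipaddress.ip_address(a).is_loopback for a in forward_ips):
        result["verdict"] = "loopback-forward"
    elif ip in forward_ips:
        result["verdict"] = "confirmed"
    else:
        result["verdict"] = "unconfirmed"
    return result


def log_source(ip: str, resolver=socket_resolver) -> str:
    """What a log line should carry for a source address: the hostname only
    when FCrDNS confirms it, otherwise the bare IP annotated with the verdict."""
    r = check_ptr(ip, resolver)
    if r["verdict"] == "confirmed":
        return f"{r['ptr']} [{ip}]"
    if r["ptr"] is None:
        return ip
    return f"{ip} (ptr={r['ptr']}, {r['verdict']})"


if __name__ == "__main__":
    for addr in CONSTRUCTED_ZONE:
        print(log_source(addr, constructed_resolver))
```

The key design choice is that the raw IP is never dropped from the log line: a name is appended only after forward confirmation, and an unverified or "localhost" PTR is recorded alongside the address rather than replacing it, which is exactly the substitution that confused the original poster.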