Lots of Unapproved AXFR's in the logs lately...anyone else?

Markus Stumpf maex-bind-users at Space.Net
Wed Aug 23 23:40:03 UTC 2000


On Wed, Aug 23, 2000 at 06:47:23AM +0000, Lee S. Whatley wrote:
> published a program to check for name servers that allow anyone to do a
> zone transfer and the script kiddies are just all playing with it, or is
> there something big happening like another possible DDOS attack brewing?
> Is anyone else experiencing this same occurrence?

This program has been available for a long time. It's called "mscan".
They use it to do AXFRs and then analyze the results and search for
keywords like "www" and "mail" (and thus they also get things like
"my-www.example.com" which would otherwise be hard to guess). Also,
the thinking is that "hidden" webservers are not quite as well maintained
as the "official" ones.
So they take this information and start other scripts that test e.g.
against exploits in well known CGIs etc.

I've been seeing about 1-4 of those attacks every day for more than one
year now (we're hosting about 12000 .de domains) and each attack
usually consists of up to 500 AXFR requests, sometimes more.

	\Maex

-- 
SpaceNet GmbH             |   http://www.Space.Net/   | Stress is when you wake
Research & Development    | mailto:maex-sig at Space.Net | up screaming and you
Joseph-Dollinger-Bogen 14 |  Tel: +49 (89) 32356-0    | realize you haven't
D-80807 Muenchen          |  Fax: +49 (89) 32356-299  | fallen asleep yet.
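
A defender-side check for the pattern described in the message above, added here as an example and not part of the original post: it groups refused AXFR attempts by source and flags sources that asked for many distinct zones. The two log line formats, the sample lines, and the names `denied_axfr_by_source`, `sweeping_sources` and `min_zones` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. The first format is the BIND 8 style "unapproved AXFR"
# message, the second the BIND 9 style "zone transfer ... denied" message (assumed formats).
SAMPLE_LOG = """\
Aug 23 06:40:01 ns1 named[211]: unapproved AXFR from [192.0.2.10].1042 for "example.de" (acl)
Aug 23 06:40:01 ns1 named[211]: unapproved AXFR from [192.0.2.10].1043 for "example.org" (acl)
Aug 23 06:40:02 ns1 named[211]: unapproved AXFR from [192.0.2.10].1044 for "example.net" (acl)
Aug 23 06:40:02 ns1 named[211]: unapproved AXFR from [192.0.2.10].1045 for "example.com" (acl)
Aug 23 07:00:00 ns1 named[211]: unapproved AXFR from [198.51.100.7].2001 for "example.de" (acl)
Aug 23 07:15:00 ns1 named[211]: unapproved AXFR from [198.51.100.7].2002 for "example.de" (acl)
Aug 23 07:30:00 ns1 named[211]: client 203.0.113.5#5300: zone transfer 'example.org/AXFR/IN' denied
"""

PATTERNS = [
    re.compile(r'unapproved AXFR from \[(?P<ip>[0-9a-fA-F.:]+)\]\.\d+ for "(?P<zone>[^"]+)"'),
    re.compile(r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*zone transfer '(?P<zone>[^/']+)/AXFR/IN' denied"),
]

def denied_axfr_by_source(lines):
    """Return {source_ip: set of zone names} for refused zone transfer attempts."""
    seen = defaultdict(set)
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                seen[m.group("ip")].add(m.group("zone").lower().rstrip("."))
                break
    return dict(seen)

def sweeping_sources(lines, min_zones=3):
    """Return [(source_ip, distinct_zone_count)] for sources refused on >= min_zones zones."""
    # Heuristic (assumption): a misconfigured secondary retries the same zone,
    # while a scan walks many different zones hosted on the server.
    hits = denied_axfr_by_source(lines)
    flagged = [(ip, len(zones)) for ip, zones in hits.items() if len(zones) >= min_zones]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for ip, count in sweeping_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip}: refused AXFR for {count} distinct zones")
```

On a server hosting thousands of zones, set `min_zones` well above what any legitimate secondary would request.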
