127.in-addr.arpa

dheld at my-deja.com dheld at my-deja.com
Mon May 29 05:50:36 UTC 2000


Hello,

If this is a FAQ, please steer me in the right direction.  I recently
had a run-in with a cracker that exploited flaws in BIND 8.2.1.  After
mopping up, I noticed that named kept trying to do a zone transfer with
206.10.45.232, which does not show up in the WHOIS database or with
nslookup.  The zone it was trying to transfer was 127.in-addr.arpa.
This seemed unusual to me, because I thought it should be
0.0.127.in-addr.arpa, and also because named.conf listed my nameserver
as a slave for this zone, with the master being the IP listed above.
This seemed *rather* suspicious to me, and I am wondering if this is an
exploit in which an outside server transfers a zone into my server with
outside addresses that look like local addresses?

I have only had BIND 8.2.1 or later on my server, but the 127 file
contains this:

; BIND version named 8.1.2 Thu Sep 24 02:47:08 EDT 1998
; BIND version root at porky.redhat.com:/usr/src/bs/BUILD/src/bin/named
; zone '127.in-addr.arpa'   last serial 0
; from 206.10.45.232   at Fri Apr 23 18:40:02 1999
$ORIGIN in-addr.arpa.
127             IN      SOA     localhost. root.localhost. (
                1999042300 604800 86400 2419200 604800 )
                IN      NS      localhost.
$ORIGIN 0.0.127.in-addr.arpa.
1               IN      PTR     localhost.

Which I find to be very bizarre, since BIND 8.1.2 has never run on this
server.  I'm not sure if this file even needs to be on my system,
since I have a reverse lookup file for my actual domain.  Can I
safely delete this file?  Any comments would be appreciated.

Dave


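The configuration the poster describes (a loopback reverse zone declared as a slave whose master is an address outside the local network) is exactly the kind of thing an audit script can flag. The following is an added example, not code from the post or from BIND: it parses the zone statements of a constructed BIND 8-style named.conf fragment (the IP 192.0.2.10 is a documentation-range placeholder, not the address from the post), maps each in-addr.arpa zone back to the network it covers, and reports any loopback or private reverse zone that is not served as master from a local file or that names a non-local master.

```python
import ipaddress
import re

# Constructed sample named.conf fragment for the example (not the poster's file).
# The 127.in-addr.arpa zone is deliberately misconfigured the way the post describes.
SAMPLE_NAMED_CONF = """
// forward zone we are authoritative for
zone "example.org" {
    type master;
    file "db.example.org";
};

zone "127.in-addr.arpa" {
    type slave;
    masters { 192.0.2.10; };   # placeholder outside address
    file "127.in-addr.arpa";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
"""

# Reverse zones for these ranges should never be transferred from outside.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8")]

ZONE_HDR = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')
MASTERS_RE = re.compile(r'\bmasters\s*\{([^}]*)\}')


def parse_zones(conf):
    """Return a list of {name, type, masters} dicts for each zone statement."""
    conf = re.sub(r'(//|#).*', '', conf)          # drop line comments
    zones, pos = [], 0
    while True:
        hdr = ZONE_HDR.search(conf, pos)
        if not hdr:
            return zones
        depth, i = 1, hdr.end()
        while i < len(conf) and depth:              # brace matching handles nested blocks
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[hdr.end():i - 1]
        t = TYPE_RE.search(body)
        mm = MASTERS_RE.search(body)
        masters = [e.split()[0] for e in mm.group(1).split(';') if e.strip()] if mm else []
        zones.append({"name": hdr.group(1).lower().rstrip('.'),
                      "type": t.group(1).lower() if t else None,
                      "masters": masters})
        pos = i


def reverse_zone_network(name):
    """Map '0.0.127.in-addr.arpa' -> 127.0.0.0/24; None for non-reverse names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        return None
    octets = octets[::-1]                           # labels are stored least-significant first
    prefix = 8 * len(octets)
    octets += ['0'] * (4 - len(octets))
    return ipaddress.ip_network('.'.join(octets) + f'/{prefix}')


def audit(conf):
    """Return (zone, reason) findings for suspicious local reverse zones."""
    findings = []
    for z in parse_zones(conf):
        net = reverse_zone_network(z["name"])
        if net is None or not any(net.overlaps(r) for r in LOCAL_RANGES):
            continue
        if z["type"] != "master":
            findings.append((z["name"], f"reverse zone for {net} is type {z['type']}, expected master"))
        for m in z["masters"]:
            try:
                addr = ipaddress.ip_address(m)
            except ValueError:
                findings.append((z["name"], f"unparseable master {m!r}"))
                continue
            if not any(addr in r for r in LOCAL_RANGES):
                findings.append((z["name"], f"master {m} is outside local address ranges"))
    return findings


if __name__ == "__main__":
    for zone, reason in audit(SAMPLE_NAMED_CONF):
        print(f"{zone}: {reason}")
```

Run against a real named.conf by reading the file into `audit()`; the fix for any finding is the one implied in the post: serve loopback reverse zones as master from a local file, and never accept them from an outside master.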


