127.in-addr.arpa
dheld at my-deja.com
Mon May 29 05:50:36 UTC 2000
Hello,
If this is a FAQ, please steer me in the right direction. I recently
had a run-in with a cracker that exploited flaws in BIND 8.2.1. After
mopping up, I noticed that named kept trying to do a zone transfer with
206.10.45.232, which does not show up in the WHOIS database or with
nslookup. The zone it was trying to transfer was 127.in-addr.arpa.
This seemed unusual to me, because I thought it should be
0.0.127.in-addr.arpa, and also because named.conf listed my nameserver
as a slave for this zone, with the master being the IP listed above.
This seemed *rather* suspicious to me, and I am wondering if this is an
exploit in which an outside server transfers a zone into my server with
outside addresses that look like local addresses?
I have only had BIND 8.2.1 or later on my server, but the 127 file
contains this:

; BIND version named 8.1.2 Thu Sep 24 02:47:08 EDT 1998
; BIND version root at porky.redhat.com:/usr/src/bs/BUILD/src/bin/named
; zone '127.in-addr.arpa' last serial 0
; from 206.10.45.232 at Fri Apr 23 18:40:02 1999
$ORIGIN in-addr.arpa.
127     IN      SOA     localhost. root.localhost. (
                1999042300 604800 86400 2419200 604800 )
        IN      NS      localhost.
$ORIGIN 0.0.127.in-addr.arpa.
1       IN      PTR     localhost.

Which I find to be very bizarre, since BIND 8.1.2 has never run on this
server. I'm not sure if this file even needs to be on my system,
since I have a reverse lookup file for my actual domain. Can I
safely delete this file? Any comments would be appreciated.
Dave
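
An added example, not part of the original message or of BIND: a Python check that lists slave zones at or under 127.in-addr.arpa in a named.conf whose masters are not loopback addresses, which is the setup the message describes. The sample config is constructed; only the zone name and the master address come from the message, and the file names and other zones are assumptions.

```python
import ipaddress
import re

# Constructed sample in BIND 8 named.conf syntax. The first zone mirrors the
# setup described in the message; file names and the other zones are made up.
SAMPLE_CONF = '''
options { directory "/var/named"; };
zone "127.in-addr.arpa" {
    type slave; file "127";        // hypothetical file name
    masters { 206.10.45.232; };
};
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
zone "example.com" { type slave; file "example.com.bak"; masters { 192.0.2.53; }; };
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def zone_blocks(text):
    """Yield (zone_name, body) per zone statement, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower().rstrip('.'), text[m.end():i - 1]

def remote_loopback_slaves(conf_text):
    """Slave zones at or under 127.in-addr.arpa with a non-loopback master."""
    findings = []
    for name, body in zone_blocks(strip_comments(conf_text)):
        in_loopback = name == '127.in-addr.arpa' or name.endswith('.127.in-addr.arpa')
        if not in_loopback or not re.search(r'\btype\s+slave\s*;', body):
            continue
        m = re.search(r'\bmasters\b[^{]*\{([^}]*)\}', body)
        remote = []
        for entry in (m.group(1).split(';') if m else []):
            tok = entry.split()
            try:
                if tok and not ipaddress.ip_address(tok[0]).is_loopback:
                    remote.append(tok[0])
            except ValueError:
                remote.append(tok[0])   # not an IP literal: report for review
        if remote:
            findings.append((name, remote))
    return findings

if __name__ == '__main__':
    print(remote_loopback_slaves(SAMPLE_CONF))
```

A hit is a prompt to review where that zone statement came from, not a verdict on it.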