9.1 - Security Problem?
Mark
mark at spectek.co.nz
Tue Apr 3 20:40:33 UTC 2001
Sorry if this got posted twice.
I am using BIND 9.1.1rc4 on both master and slave name servers on our
network and noticed the following being logged. I could not find any info
on what the causes were, whether it was someone trying to attack the servers or
their machine issuing wrong requests; any help would be appreciated:
log (IP addresses changed to protect the innocent :-)
queries: info: client 210.x.x.x #50693: query: 1082331758610-3 IN TKEY
queries: info: client 210.x.x.x #50694: query: 1082331758610-2 IN TKEY
queries: info: client 210.x.x.x #50695: query: 1082331758610-2 IN TKEY
queries: info: client 202.x.x.x #65105: query: _kerberos._udp.dns.psinz.co.nz IN SOA
security: error: client 210.x.x.x #50826: update denied
queries: info: client 210.x.x.x #50696: query: 1082331758610-3 IN TKEY
queries: info: client 210.x.x.x#50697: query: 1082331758610-2 IN TKEY
queries: info: client 210.x.x.x#50698: query: 1082331758610-2 IN TKEY
security: error: client 210.x.x.x #50829: update denied
queries: info: client 210.x.x.x #50699: query: 1082331758610-3 IN TKEY
queries: info: client 210.x.x.x #50700: query: 1082331758610-2 IN TKEY
queries: info: client 210.x.x.x #50701: query: 1082331758610-2 IN TKEY
queries: info: client 202.x.x.x #65105: query: _kpasswd._udp.dns.psinz.co.nz IN SOA
security: error: client 210.x.x.x #50832: update denied
queries: info: client 210.x.x.x #50702: query: 1082331758610-3 IN TKEY
queries: info: client 210.x.x.x #50703: query: 1082331758610-2 IN TKEY
queries: info: client 210.x.x.x #50704: query: 1082331758610-2 IN TKEY
queries: info: client 202.x.x.x #65105: query: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.dns.psinz.co.nz IN SOA
security: error: client 210.x.x.x #50835: update denied
and so on and in the sys log
Mar 30 09:47:44 jordan named[125]: client 210.x.x.x#50295: update denied
Mar 30 10:16:05 jordan named[125]: client 210.x.x.x#50317: update denied
Mar 30 10:16:22 jordan named[125]: client 210.x.x.x#50320: update denied
Mar 30 10:16:39 jordan named[125]: client 210.x.x.x#50323: update denied
This went on for over 30 hours straight and I eventually filtered out the IP
address range at the external router. I ran nmap on the IP address and, of
the four ports open, this person was running pcAnywhere host and remote. It
seems to me that there were 2 IP addresses involved.
Am I being paranoid for no reason?
Mark
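As an added example, not part of the original post or of BIND itself: a small Python script that parses lines in the two formats quoted above (the BIND 9 "queries"/"security" channel and the syslog line), tallies per-client TKEY queries, "update denied" errors and SOA lookups for underscore-prefixed service names, and flags clients that negotiated TKEY and were then repeatedly denied updates. The log lines embedded in it are constructed for the example with placeholder addresses, and the threshold of two denials is an arbitrary example value, not anything the post establishes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted in the post (the BIND
# "queries"/"security" channel and syslog). Addresses are placeholders.
SAMPLE_LOG = """\
queries: info: client 210.0.0.1 #50693: query: 1082331758610-3 IN TKEY
queries: info: client 210.0.0.1 #50694: query: 1082331758610-2 IN TKEY
queries: info: client 202.0.0.2 #65105: query: _kerberos._udp.dns.example.test IN SOA
security: error: client 210.0.0.1 #50826: update denied
queries: info: client 210.0.0.1#50696: query: 1082331758610-3 IN TKEY
security: error: client 210.0.0.1#50829: update denied
Mar 30 09:47:44 jordan named[125]: client 210.0.0.1#50295: update denied
Mar 30 10:16:05 jordan named[125]: client 203.0.113.9#50317: update denied
"""

# "client <ip>#<port>: <rest>"; the post shows lines both with and without a
# space before '#', so the space is optional.
CLIENT_RE = re.compile(r"client (?P<ip>\d+(?:\.\d+){3}) ?#(?P<port>\d+): (?P<rest>.*)$")
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>\S+)$")


def parse_line(line):
    """Return (ip, kind, detail) for a recognised line, else None.

    kind is one of: 'tkey' (RFC 2930 key-negotiation query), 'update_denied'
    (BIND refused a dynamic update), 'service_soa' (SOA query for an
    underscore-prefixed service name), or 'other'.
    """
    m = CLIENT_RE.search(line)
    if not m:
        return None
    ip, rest = m.group("ip"), m.group("rest").strip()
    if rest == "update denied":
        return ip, "update_denied", None
    q = QUERY_RE.match(rest)
    if q:
        name, qtype = q.group("name"), q.group("qtype")
        if qtype == "TKEY":
            return ip, "tkey", name
        if qtype == "SOA" and name.startswith("_"):
            return ip, "service_soa", name
        return ip, "other", f"{name} IN {qtype}"
    return ip, "other", rest


def summarize(log_text):
    """Per-client counts, plus how often an 'update denied' directly followed
    a TKEY query from the same client (in logged order)."""
    stats = defaultdict(lambda: {"tkey": 0, "update_denied": 0,
                                 "service_soa": 0, "other": 0,
                                 "tkey_then_denied": 0})
    last_kind = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, kind, _ = ev
        stats[ip][kind] += 1
        if kind == "update_denied" and last_kind.get(ip) == "tkey":
            stats[ip]["tkey_then_denied"] += 1
        last_kind[ip] = kind
    return dict(stats)


def flag_clients(stats, min_denied=2):
    """Clients that negotiated TKEY and were denied updates at least
    min_denied times (the threshold is an arbitrary example value)."""
    return sorted(ip for ip, s in stats.items()
                  if s["tkey"] > 0 and s["update_denied"] >= min_denied)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in sorted(s):
        print(ip, s[ip])
    print("flagged:", flag_clients(s))
```

Run it against a real named log (or a syslog extract) by reading the file into summarize(); the per-client "tkey_then_denied" count is the figure to look at, since a TKEY exchange immediately followed by a refused update is the pattern the quoted lines show, whereas isolated "update denied" entries or the underscore-prefixed SOA lookups from the second address are counted separately so the two sources can be told apart.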