log file full of t-syr.com record!

Giobbi Piero piero at news.fb.se
Wed Jul 4 09:03:01 UTC 2007


Hi.

I don't really know; I had the same problem when I used it. Then I
noticed, when I ran named in the foreground, that it didn't recognise
"versions" as an option at all. I think it said "unknown option" or
something.

Maybe it's an old option? Don't know..

p

On 3 jul 2007, at 16.44, Vishwas wrote:

> Hi Giobbi and Mark,
>
> 60.32.80.164 is sending continuous SSH requests to one of the NICs on
> my machine. And this NIC is asking the local DNS, running on the
> localhost, about forward and reverse lookups for incoming SSH
> requests.
>
> I thought of writing an iptables rule to restrict the above IP from
> talking to my SSH port. I absent-mindedly locked myself out of the
> machine :(
>
> Mark: It seems the above machine is also a Linux machine as its source
> port was also getting repeated several times in successive incoming
> packets.
>
> Giobbi: Why is the "versions 2" option under the "logging" section
> stopping the logs from being written to the log file?
>
> kind regards,
> Vishwas.
>
> On 7/3/07, Mark Andrews <Mark_Andrews at isc.org> wrote:
>>
>>> Hi All,
>>> My BIND log is full of following entries.
>>>
>>> 03-Jul-2007 20:10:48.352 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
>>> 03-Jul-2007 20:10:51.760 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
>>> 03-Jul-2007 20:10:51.761 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
>>> 03-Jul-2007 20:10:52.041 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
>>> 03-Jul-2007 20:10:52.042 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
>>> 03-Jul-2007 20:10:55.239 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
>>> 03-Jul-2007 20:10:55.241 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
>>> 03-Jul-2007 20:10:55.247 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
>>> 03-Jul-2007 20:10:55.249 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
>>> 03-Jul-2007 20:10:58.620 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
>>> 03-Jul-2007 20:10:58.621 queries: info: client 127.0.0.1#38737: query: 164.80.32.60.in-addr.arpa IN PTR +
>>> 03-Jul-2007 20:10:58.622 queries: info: client 127.0.0.1#38738: query: t-syr.com IN A +
>>> 03-Jul-2007 20:10:58.624 queries: info: client 127.0.0.1#38739: query: t-syr.com IN A +
>>>
>>>
>>> The port numbers 387** are opened by user "bind".
>>> This is giving me a feeling that maybe my machine is compromised!?
>>> Why should the BIND daemon continuously ask for t-syr.com ?? Probably
>>> these DNS query packets are spoofed packets. Any comments?
>>
>>         I suggest that you show how you worked that out.
>>
>>         What I see is local clients doing reverse lookups on
>>         60.32.80.164 then validating the response. The above port
>>         pattern is typical of a Linux kernel that keeps reissuing
>>         the same port as long as it is free when the next socket
>>         is opened.  This is really bad behaviour on the part of
>>         the kernel.
>>
>>> --
>>> Best Regards,
>>> Vishwas.
>>> ivishwas.googlepages.com
>>>
>>> I know quite certainly that I myself have no special talent;
>>> curiosity, obsession and dogged endurance, combined with
>>> self-criticism have brought me to my ideas. - Albert Einstein
>>>
>>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>>
>
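The pattern Mark Andrews describes in the quoted reply (a local client doing a reverse lookup on 60.32.80.164 and then validating the response with a forward lookup) can be pulled out of a query log mechanically. The following is an added example, not part of the original thread; the function names and the one-second pairing window are assumptions, and it handles IPv4 clients and IPv4 PTR names only.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# First five lines are copied from the thread (mail wrapping undone);
# the last line is constructed: an unrelated query that must not be counted.
SAMPLE_LOG = """\
03-Jul-2007 20:10:48.352 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
03-Jul-2007 20:10:51.760 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:51.761 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
03-Jul-2007 20:10:58.621 queries: info: client 127.0.0.1#38737: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:58.622 queries: info: client 127.0.0.1#38738: query: t-syr.com IN A +
03-Jul-2007 20:11:30.000 queries: info: client 127.0.0.1#40000: query: example.org IN A +
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) queries: info: client ([\d.]+)#\d+: query: (\S+) IN (\S+)")
SUFFIX = ".in-addr.arpa"

def parse(text):
    """Yield (timestamp, client_ip, qname, qtype) for each query-log line."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group(2), m.group(3), m.group(4)

def ptr_to_ip(qname):
    """164.80.32.60.in-addr.arpa -> 60.32.80.164; None if not an IPv4 PTR name."""
    name = qname.lower().rstrip(".")
    try:
        octets = name[:-len(SUFFIX)].split(".") if name.endswith(SUFFIX) else []
        return str(ip_address(".".join(reversed(octets))))
    except ValueError:
        return None

def reverse_then_forward(text, window=1.0):
    """Count PTR lookups followed within `window` seconds by an A lookup from
    the same client address; source ports change per socket, so ignore them."""
    pending, pairs = {}, Counter()
    for ts, client, qname, qtype in parse(text):
        if qtype == "PTR" and ptr_to_ip(qname):
            pending[client] = (ts, ptr_to_ip(qname))
        elif qtype == "A" and client in pending:
            seen, ip = pending.pop(client)
            if (ts - seen).total_seconds() <= window:
                pairs[(ip, qname)] += 1
    return pairs

if __name__ == "__main__":
    print(reverse_then_forward(SAMPLE_LOG))
```

Each counted pair names the remote address whose connection triggered the lookups and the hostname its PTR record claimed.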



