Bind: unapproved query (version.bind) Script kiddies?

From: David La Croix (dlacroix@cowpie.acm.vt.edu)
Date: 01/30/01

• Next message: Jason DiCioccio: "RE: Bind: unapproved query (version.bind) Script kiddies?"
• Previous message: Scott Hilton: "RE: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ?"
• Next in thread: Jason DiCioccio: "RE: Bind: unapproved query (version.bind) Script kiddies?"
• Maybe reply: Jason DiCioccio: "RE: Bind: unapproved query (version.bind) Script kiddies?"
• Maybe reply: David La Croix: "Re: Bind: unapproved query (version.bind) Script kiddies?"
• Reply: Kris Kennaway: "Re: Bind: unapproved query (version.bind) Script kiddies?"
• Maybe reply: Roger Marquis: "Re: Bind: unapproved query (version.bind) Script kiddies?"
• Reply: Rodney W. Grimes: "Re: Bind: unapproved query (version.bind) Script kiddies?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: David La Croix <dlacroix@cowpie.acm.vt.edu>
To: freebsd-security@freebsd.org
Date: Tue, 30 Jan 2001 16:45:04 -0600 (CST)

I just noticed the following in my logfiles: (/var/log/messages)

it was running Bind 8.2.2-

Jan 26 22:37:43 mildred named[41908]: unapproved query from [208.44.147.11].1584
 for "version.bind"
[repeat 23 more times from the same IP]

Jan 27 01:44:42 mildred named[41908]: unapproved query from [208.139.163.15].273
4 for "version.bind"
[repeat 32 more times from the same IP]

Could this be script kiddie activity? This was before I upgraded to 8.2.3,
and before the CERT alert came out.

What I don't get is why the unapproved query repeated so many times, within
(according to the timestamp) 3 seconds on both occasions.

I will note: this activity goes back through about November of 2000, seemingly from different IP addresses.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

---

• Next message: Jason DiCioccio: "RE: Bind: unapproved query (version.bind) Script kiddies?"
• Previous message: Scott Hilton: "RE: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ?"
• Next in thread: Jason DiCioccio: "RE: Bind: unapproved query (version.bind) Script kiddies?"
• Maybe reply: Jason DiCioccio: "RE: Bind: unapproved query (version.bind) Script kiddies?"
• Maybe reply: David La Croix: "Re: Bind: unapproved query (version.bind) Script kiddies?"
• Reply: Kris Kennaway: "Re: Bind: unapproved query (version.bind) Script kiddies?"
• Maybe reply: Roger Marquis: "Re: Bind: unapproved query (version.bind) Script kiddies?"
• Reply: Rodney W. Grimes: "Re: Bind: unapproved query (version.bind) Script kiddies?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: Bind: unapproved query (version.bind) Script kiddies? ... Subject: Bind: unapproved query Script kiddies? ... [repeat 23 more times from the same IP] ... Could this be script kiddie activity? ... with "unsubscribe freebsd-security" in the body of the message ... (FreeBSD-Security) Re: Bind: unapproved query (version.bind) Script kiddies? ... an active script kiddy. ... He is seaching for broken named's and hitting ... > [repeat 23 more times from the same IP] ... > Could this be script kiddie activity? ... (FreeBSD-Security) Re: Bind: unapproved query (version.bind) Script kiddies? ... > it was running Bind 8.2.2- ... > [repeat 23 more times from the same IP] ... they're querying you for the version of BIND you're ... with "unsubscribe freebsd-security" in the body of the message ... (FreeBSD-Security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > FreeBSD-Security  > 2001-01