OpenNIC "attack?"

From: Brett Glass (brett_at_lariat.org)
Date: 10/23/03

    Date: Wed, 22 Oct 2003 19:53:06 -0600
    To: incidents@securityfocus.com

    Lately, a number of our users have been getting messages in their server
    logs that look like this:

    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns11.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns0.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns1.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns2.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns3.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns4.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns6.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns7.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns8.opennic.glue class 1 in hints
    Oct 5 23:42:47 www named[153]: check_hints: no A records for ns10.opennic.glue class 1 in hints

    More recently, one of them reported that the /var partition on his server
    had overflowed because of a flood of log messages of this type,
    preventing him from receiving e-mail until he manually deleted some logs.

    Research has revealed that a nasty bit of spyware called "New.Net" has
    been modifying Windows systems to go to OpenNIC for DNS. Could this be
    what's causing these error messages? If so, what's the best way to deal
    with the problem? We'd rather not have all the junk in the logs. We would
    like (if possible) just to block the bogus requests automatically and get
    a single message warning us that someone's infected.

    --Brett Glass
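One way to get the single warning the post asks for instead of a flood of repeats: the following is an added example (not from the post, and not BIND's own code) that parses `check_hints` lines of the form quoted above and collapses them into one alert per server and zone, passing any other line through untouched. The sample log lines are constructed to match the quoted format; the regular expression assumes the standard syslog prefix shown there (`Mon D HH:MM:SS host named[pid]:`).

```python
import re

# Constructed sample lines modelled on the messages quoted in the post; not real log data.
SAMPLE_LOG = [
    "Oct 5 23:42:47 www named[153]: check_hints: no A records for ns11.opennic.glue class 1 in hints",
    "Oct 5 23:42:47 www named[153]: check_hints: no A records for ns0.opennic.glue class 1 in hints",
    "Oct 5 23:42:47 www named[153]: check_hints: no A records for ns1.opennic.glue class 1 in hints",
    "Oct 5 23:42:48 www named[153]: check_hints: no A records for ns2.opennic.glue class 1 in hints",
    "Oct 5 23:43:01 www named[153]: check_hints: no A records for ns0.opennic.glue class 1 in hints",
    # An unrelated named message, to show that non-matching lines are passed through.
    "Oct 5 23:43:05 www named[153]: lame server resolving 'host.example' (in 'example'?): 192.0.2.53#53",
]

# Assumed syslog layout: "Mon D HH:MM:SS host named[pid]: check_hints: no A records for NAME class 1 in hints"
CHECK_HINTS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"check_hints: no A records for (?P<ns>\S+) class 1 in hints$"
)


def parse_check_hints(line):
    """Return the fields of a check_hints 'no A records' line as a dict, or None for any other line."""
    m = CHECK_HINTS_RE.match(line)
    return m.groupdict() if m else None


def parent_zone(name):
    """'ns11.opennic.glue' -> 'opennic.glue': the zone whose hint data the message complains about."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else name


def summarize(lines):
    """Collapse a run of check_hints lines into one record per (host, zone).

    Returns (alerts, passthrough): alerts is a list of dicts holding the count,
    the distinct server names seen and the first/last timestamp for each
    (host, zone); passthrough is the list of lines that are not check_hints messages.
    """
    groups = {}
    passthrough = []
    for line in lines:
        rec = parse_check_hints(line)
        if rec is None:
            passthrough.append(line)
            continue
        key = (rec["host"], parent_zone(rec["ns"]))
        g = groups.setdefault(key, {"host": key[0], "zone": key[1], "count": 0,
                                    "names": set(), "first": rec["ts"], "last": rec["ts"]})
        g["count"] += 1
        g["names"].add(rec["ns"])
        g["last"] = rec["ts"]  # lines are processed in file order, so the last seen is the latest
    return list(groups.values()), passthrough


def format_alert(g):
    """Render one (host, zone) summary as a single warning line."""
    names = ", ".join(sorted(g["names"]))
    return (f"{g['host']}: {g['count']} check_hints 'no A records' messages for zone {g['zone']} "
            f"between {g['first']} and {g['last']} ({len(g['names'])} distinct names: {names})")


if __name__ == "__main__":
    alerts, other = summarize(SAMPLE_LOG)
    for g in alerts:
        print(format_alert(g))
    for line in other:
        print(line)
```

Run over the constructed sample it produces one warning for `www` / `opennic.glue` covering all five repeats and leaves the unrelated `lame server` line as-is; fed a real log file (one line per list element) it does the same per server and zone, so a flood of identical messages becomes one line and the partition-filling repeats are counted rather than stored.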
