queries for MX of sexnet.com

From: Brian Collins (listbc_at_newnanutilities.org)
Date: 05/21/04

    To: Incidents list <incidents@securityfocus.com>
    Date: Fri, 21 May 2004 00:44:24 -0400
    
    

    Howdy. I recently started logging queries on our DNS servers so I could
    use a BIND graphing tool. In my curiosity, I started checking through
    the queries recently, looking for anomalies, etc. One of the things I
    noticed was a lot of queries for the MX of sexnet.com. If I query it
    manually, their server responds only with the SOA, but no answer to the
    MX query.
     

    On one of our servers (internal only, for our cable modem customers with
    RFC 1918 addresses), since last night (5/19/04) at 1900, there have been
    12,768 queries from 21 unique hosts. On another server, from last
    Thursday until Sunday at 0400 when the logs rotated, there were 156,000
    such queries from 5 hosts. Since Sunday, one of those alone has done
    207,000 of these queries. When we get these, a single host will do about
    4-8 per second, then do it again within 5-20 seconds.

    I Googled but saw no other reports of such activity. I'm wondering if
    this is some sort of malware, attempts to DoS the mail server for
    sexnet.com, etc. I don't yet have access to any of these client
    machines, but may be able to get to one or two of them in a few days. I
    did nmap one of them and got this (IP obscured):

    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Interesting ports on (a.b.c.d):

    (The 1533 ports scanned but not shown below are in state: closed)
    Port State Service
    21/tcp open ftp
    42/tcp open nameserver
    53/tcp open domain
    88/tcp open kerberos-sec
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    389/tcp open ldap
    445/tcp open microsoft-ds
    464/tcp open kpasswd5
    593/tcp open http-rpc-epmap
    636/tcp open ldapssl
    1026/tcp open nterm
    1127/tcp open supfiledbg
    1723/tcp open pptp
    3389/tcp open msrdp
    8080/tcp open http-proxy

    Remote operating system guess: Windows Millenium Edition v4.90.3000
     
    One of the other hosts may have an email worm. We block our cable modem
    users from sending to tcp/25 (except on our mail servers) as a matter of
    policy. This particular host is trying to hit several internet hosts on
    tcp/25, and is of course failing. The owner of that IP has not
    complained, so I doubt he even knows it's happening.

    Packet dumps of a few of the queries are available at:

    http://misweb.newnanutilities.org/packetdump/sexnet.dump

    Thanks,

    -- 
    Brian Collins <listbc@newnanutilities.org>
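The post describes spotting this by eye in BIND query logs: one client name, one qname/qtype, bursts of 4-8 queries per second repeated every 5-20 seconds. The script below is an added example (not from the original post or from its author) that turns that pattern into a repeatable check. It assumes the standard BIND 9 query-log line layout (`date client IP#port: query: name IN type +`); the log lines it runs on are constructed inline to mimic the behaviour described above, and the client addresses, thresholds and function names are illustrative choices, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND 9 query-log line layout, e.g.
#   21-May-2004 00:44:24.101 client 10.1.2.3#1025: query: sexnet.com IN MX +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, client, qname, qtype) for every parseable line;
    lines that do not match the assumed layout are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield (ts, m.group("client"),
               m.group("qname").rstrip(".").lower(), m.group("qtype").upper())


def find_repeat_queriers(lines, qname, qtype="MX", per_second=4, min_bursts=2):
    """Return {client: {"total": n, "bursts": b}} for clients that sent at
    least `per_second` queries for (qname, qtype) inside a single one-second
    bucket on at least `min_bursts` distinct seconds.  One-second bucketing
    is a simple way to catch the 4-8/s bursts the post describes; the
    thresholds are illustrative and should be tuned to the real traffic."""
    qname = qname.rstrip(".").lower()
    per_client_seconds = defaultdict(lambda: defaultdict(int))
    for ts, client, name, typ in parse_query_log(lines):
        if name == qname and typ == qtype:
            per_client_seconds[client][ts.replace(microsecond=0)] += 1
    flagged = {}
    for client, seconds in per_client_seconds.items():
        bursts = sum(1 for n in seconds.values() if n >= per_second)
        if bursts >= min_bursts:
            flagged[client] = {"total": sum(seconds.values()), "bursts": bursts}
    return flagged


# ---- constructed sample log (not real data) --------------------------------
def _lines(client, start_sec, count, name="sexnet.com", qtype="MX"):
    """Emit `count` log lines from `client`, 120 ms apart, starting at
    `start_sec` seconds past a fixed base time."""
    base = datetime(2004, 5, 21, 0, 44, 0)
    out = []
    for i in range(count):
        ts = base + timedelta(seconds=start_sec, milliseconds=120 * i)
        stamp = ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
        out.append(f"{stamp} client {client}#1025: query: {name} IN {qtype} +")
    return out


SAMPLE_LOG = (
    _lines("10.1.2.3", 0, 6)            # burst of 6 MX queries in one second
    + _lines("10.1.2.3", 12, 5)         # again 12 s later
    + _lines("10.1.2.3", 27, 7)         # and again 15 s after that
    + _lines("10.1.2.9", 3, 1)          # one ordinary MX lookup
    + _lines("10.1.2.9", 40, 1, qtype="A")
    + _lines("10.1.2.7", 5, 2)          # two in a second: below threshold
    + ["this line is not a query log entry and is ignored"]
)

if __name__ == "__main__":
    for client, stats in find_repeat_queriers(SAMPLE_LOG, "sexnet.com").items():
        print(f"{client}: {stats['total']} MX queries, {stats['bursts']} bursts")
```

Run against a real `named` query log, only 10.1.2.3 in the sample is reported (18 queries across 3 bursts); the single lookup and the two-query client stay below the thresholds. Lowering `per_second`/`min_bursts` trades false positives for sensitivity, so start strict and widen only after checking the flagged hosts.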
    
