Hello all,

Usually a pretty quiet server. I received several Logcheck emails which have numerous LAME server messages, which I normally just ignore. However, I ran tail and I see there are literally 1000s of them that are coming through alphabetized? Looked at the messages log for April 5th and there are over 1500:
<snip>...
Apr 5 22:32:18 ns named[351]: Lame server on 'aacm.com' (in 'aacm.com'?): [211.232.149.47].53 'NS2.TWISTER.com'
Apr 5 22:32:18 ns named[351]: Lame server on 'aacm.com' (in 'aacm.com'?): [64.49.211.88].53 'NS0.TWISTER.com'
Apr 5 22:32:18 ns named[351]: Lame server on 'aacm.com' (in 'aacm.com'?): [211.232.149.40].53 'NS1.TWISTER.com'
Apr 5 22:32:18 ns named[351]: Lame server on 'aahh.com' (in 'aahh.com'?): [216.21.234.25].53 'DNS29.NAMEBARGAIN.com'
Apr 5 22:32:18 ns named[351]: Lame server on 'aahh.com' (in 'aahh.com'?): [216.21.226.25].53 'DNS30.NAMEBARGAIN.com'
Apr 5 22:32:23 ns named[351]: Lame server on 'aahha.com' (in 'aahha.com'?): [212.160.67.252].53 'ELEET.WEBMEDIA.PL'
Apr 5 22:32:23 ns named[351]: Lame server on 'aahha.com' (in 'aahha.com'?): [212.160.67.2].53 'GORDON.WEBMEDIA.PL'
Apr 5 22:32:23 ns named[351]: Lame server on 'aalive.com' (in 'aalive.com'?): [130.101.183.31].53 'WORKSTAR.JOINTREE.com'
Apr 5 22:32:36 ns named[351]: Lame server on 'aalter.com' (in 'aalter.com'?): [194.7.1.19].53 'AUTH00.NS.BE.UU.NET'
Apr 5 22:32:37 ns named[351]: Lame server on 'aalter.com' (in 'aalter.com'?): [194.7.15.66].53 'AUTH50.NS.BE.UU.NET'
Apr 5 22:32:37 ns named[351]: Lame server on 'aardvarkmaps.com' (in 'aardvarkmaps.com'?): [207.158.192.40].53 'NS.NAMESERVERS.NET'
Apr 5 22:32:37 ns named[351]: Lame server on 'aardvarkmaps.com' (in 'aardvarkmaps.com'?): [209.41.31.13].53 'NS2.NAMESERVERS.NET'
Apr 5 22:32:37 ns named[351]: Lame server on 'aarentals.com' (in 'aarentals.com'?): [209.41.31.13].53 'NS2.NAMESERVERS.NET'
Apr 5 22:32:37 ns named[351]: Lame server on 'aarentals.com' (in 'aarentals.com'?): [209.41.31.14].53 'NS3.NAMESERVERS.NET'
Apr 5 22:32:37 ns named[351]: Lame server on 'aarentals.com' (in 'aarentals.com'?): [207.158.192.40].53 'NS.NAMESERVERS.NET'
Apr 5 22:32:51 ns named[351]: Lame server on 'aatron.com' (in 'aatron.com'?): [128.121.101.19].53 'NS3.BEST.com'
Apr 5 22:32:51 ns named[351]: Lame server on 'aatron.com' (in 'aatron.com'?): [128.121.101.11].53 'NS1.BEST.com'
Apr 5 22:32:51 ns named[351]: Lame server on 'aatron.com' (in 'aatron.com'?): [161.58.9.11].53 'NS2.BEST.com'
Apr 5 22:32:52 ns named[351]: Lame server on 'abbeylife.com' (in 'abbeylife.com'?): [194.119.128.71].53 'NS1.HS0.U-NET.NET'
Apr 5 22:32:53 ns named[351]: Lame server on 'abbeylife.com' (in 'abbeylife.com'?): [194.119.128.70].53 'NS0.HS0.U-NET.NET'
Apr 5 22:32:56 ns named[351]: Lame server on 'aaysa.com' (in 'aaysa.com'?): [210.221.137.200].53 'NS.LIVEDOMAIN.CO.KR'
Apr 5 22:33:00 ns named[351]: Lame server on 'aaysa.com' (in 'aaysa.com'?): [211.233.36.79].53 'NS3.KOREADOMAIN.com'
Apr 5 22:33:06 ns named[351]: Lame server on 'abbotthep.com' (in 'abbotthep.com'?): [130.36.31.5].53 'ROSSNS2.ABBOTT.com'
Apr 5 22:33:06 ns named[351]: Lame server on 'abbotthep.com' (in 'abbotthep.com'?): [130.36.62.200].53 'ABTNS2.ABBOTT.com'
Apr 5 22:33:06 ns named[351]: Lame server on 'abbotthep.com' (in 'abbotthep.com'?): [130.36.31.4].53 'ROSSNS.ABBOTT.com'
Apr 5 22:33:06 ns named[351]: Lame server on 'abbotthep.com' (in 'abbotthep.com'?): [130.36.61.200].53 'ABTNS.ABBOTT.com'
Apr 5 22:33:08 ns named[351]: Lame server on 'abbotthematology.com' (in 'abbotthematology.com'?): [130.36.61.200].53 'ABTNS.ABBOTT.com'
Apr 5 22:33:08 ns named[351]: Lame server on 'abbotthematology.com' (in 'abbotthematology.com'?): [130.36.31.4].53 'ROSSNS.ABBOTT.com'
Apr 5 22:33:08 ns named[351]: Lame server on 'abbotthematology.com' (in 'abbotthematology.com'?): [130.36.62.200].53 'ABTNS2.ABBOTT.com'
Apr 5 22:33:08 ns named[351]: Lame server on 'abbotthematology.com' (in 'abbotthematology.com'?): [130.36.31.5].53 'ROSSNS2.ABBOTT.com'

This is just a small list from messages. I see the times are just seconds apart. What is going on? Where to start?

Also I saw this one several times:

Apr 5 03:28:53 ns named[351]: wrong ans. name (incoming.broadwing.net != incoming1.broadwing.net)

Which started around the same time. Any thoughts???

TIA,
Max~
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
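Added example, not part of the original post: a Python triage sketch that puts numbers on the two things the message observes about these named lines, namely how many arrive in what time span and how close to alphabetical the zone order is. The function names and the `sorted_fraction` measure are assumptions of this example; the sample lines are excerpted from the log quoted above.

```python
import re
from datetime import datetime

# Matches the named message format quoted in the post.
LAME_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+named\[\d+\]:\s+"
    r"Lame server on '(?P<zone>[^']+)' \(in '[^']*'\?\):\s+"
    r"\[(?P<ip>[\d.]+)\]\.\d+\s+'(?P<ns>[^']+)'"
)
# Sample input: lines excerpted from the post (one non-matching line included).
SAMPLE = """\
Apr 5 22:32:18 ns named[351]: Lame server on 'aacm.com' (in 'aacm.com'?): [211.232.149.47].53 'NS2.TWISTER.com'
Apr 5 22:32:18 ns named[351]: Lame server on 'aahh.com' (in 'aahh.com'?): [216.21.234.25].53 'DNS29.NAMEBARGAIN.com'
Apr 5 22:32:23 ns named[351]: Lame server on 'aahha.com' (in 'aahha.com'?): [212.160.67.252].53 'ELEET.WEBMEDIA.PL'
Apr 5 22:32:52 ns named[351]: Lame server on 'abbeylife.com' (in 'abbeylife.com'?): [194.119.128.71].53 'NS1.HS0.U-NET.NET'
Apr 5 22:32:56 ns named[351]: Lame server on 'aaysa.com' (in 'aaysa.com'?): [210.221.137.200].53 'NS.LIVEDOMAIN.CO.KR'
Apr 5 22:33:06 ns named[351]: Lame server on 'abbotthep.com' (in 'abbotthep.com'?): [130.36.31.5].53 'ROSSNS2.ABBOTT.com'
Apr 5 03:28:53 ns named[351]: wrong ans. name (incoming.broadwing.net != incoming1.broadwing.net)
""".splitlines()

def parse_lame(lines):
    """Return (timestamp, zone, ns_ip) tuples for lame-server lines; skip the rest."""
    out = []
    for line in lines:
        m = LAME_RE.match(line.strip())
        if m:
            # syslog omits the year; 2000 is assumed here only so deltas can be computed
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            out.append((ts, m["zone"].lower(), m["ip"]))
    return out

def summarize(events):
    """Volume, time span, and how often each new zone sorts after the previous one."""
    zones = []
    for _, zone, _ in events:
        if not zones or zones[-1] != zone:  # collapse consecutive repeats of a zone
            zones.append(zone)
    pairs = list(zip(zones, zones[1:]))
    span = (events[-1][0] - events[0][0]).total_seconds() if events else 0.0
    return {
        "messages": len(events),
        "zones": len(set(zones)),
        "span_seconds": span,
        "sorted_fraction": sum(a < b for a, b in pairs) / len(pairs) if pairs else 0.0,
    }

if __name__ == "__main__":
    print(summarize(parse_lame(SAMPLE)))
```

Lookups arriving in no particular order give a `sorted_fraction` near 0.5; a value close to 1.0 over a large sample means the zones are being resolved in dictionary order.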
