James Knott wrote:
> david rankin wrote:
>> Mates,
>>
>> I am experiencing an excessive load from the internet that looks
>> like some kind of attack. The log entries that repeat over and over are:
>>
>> Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - FTP session opened.
>> Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - no such user 'alexander'
>> Apr 22 11:14:55 bonza last message repeated 2 times
>> Apr 22 11:14:55 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - FTP session closed.
>> Apr 22 11:14:55 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 66.76.2.130#53
>> Apr 22 11:14:56 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 68.1.208.30#53
>> Apr 22 11:14:56 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 68.1.208.25#53
>> Apr 22 11:14:56 bonza named[5250]: unexpected RCODE (REFUSED) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 63.192.50.218#53
>> Apr 22 11:14:57 bonza named[5250]: unexpected RCODE (REFUSED) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 198.69.181.18#53
>> Apr 22 11:14:57 bonza named[5250]: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.29.11#53
>> Apr 22 11:14:57 bonza named[5250]: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.28.11#53
>> Apr 22 11:14:57 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 68.1.208.25#53
>> Apr 22 11:14:58 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 68.1.208.30#53
>> Apr 22 11:14:58 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 66.76.2.130#53
>> Apr 22 11:14:58 bonza named[5250]: unexpected RCODE (REFUSED) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 63.192.50.218#53
>> Apr 22 11:14:59 bonza named[5250]: unexpected RCODE (REFUSED) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 198.69.181.18#53
>> Apr 22 11:14:59 bonza named[5250]: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.29.11#53
>> Apr 22 11:14:59 bonza named[5250]: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.28.11#53
>>
>> The biggest question is what can I do to stop this?? Is there an
>> effective firewall rule or IP table recipe that will help?? The load
>> caused the server to lock up last night causing a great deal of
>> havoc. Any wise advice would be welcomed.
>
> Do you actually have an FTP server available? If so, you may want to
> consider a more secure method such as sftp or scp. If not, your
> firewall should be configured to block all such attempts. If you need
> to have the server available, you can configure the firewall to
> restrict the acceptable addresses or block known hostile sites.
> Without knowing more about your situation, I can't be more specific.

The first two lines suggest an attempt to get in via FTP. The rest is a little more intriguing...
I may be wrong here, but port 53 is a DNS resolution query... the lame server bit suggests that there is something wrong with the DNS server the machine is making a resolution request against... I would take a hard look at your DNS settings. If you are sitting behind a DSL router with default password settings, there was an exploit reported that could use JavaScript to reset the router's DNS settings. On the other hand, this might not be your problem and your ISP's DNS server may have a problem... I would use dig to find out what is going on.
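A log triage sketch for the entries quoted in this thread, added here as an example and not posted by anyone on the list: it counts failed proftpd logins per source address (including syslog's "last message repeated" lines) and checks whether the named errors concern that same address's reverse (PTR) name. The sample log reuses lines from the thread plus two constructed lines for 192.0.2.7; the threshold of 3 and the printed iptables rule are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Lines quoted in the thread, plus two constructed lines for 192.0.2.7.
SAMPLE_LOG = """\
Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - FTP session opened.
Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - no such user 'alexander'
Apr 22 11:14:55 bonza last message repeated 2 times
Apr 22 11:14:55 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 66.76.2.130#53
Apr 22 11:14:57 bonza named[5250]: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.29.11#53
Apr 22 11:15:02 bonza proftpd[10490]: bonza.rbpllc.com (192.0.2.7[192.0.2.7]) - FTP session opened.
Apr 22 11:15:02 bonza proftpd[10490]: bonza.rbpllc.com (192.0.2.7[192.0.2.7]) - no such user 'test'
"""

FTP_FAIL = re.compile(r"proftpd\[\d+\]: \S+ \(\S+?\[([0-9.]+)\]\) - no such user")
REPEATED = re.compile(r"last message repeated (\d+) times")


def summarize(log_text, threshold=3):
    """Map each IP with >= threshold failed FTP logins to its failure count
    and the number of named errors for that IP's reverse (PTR) name."""
    failures, named_lines, last_ip = Counter(), [], None
    for line in log_text.splitlines():
        if m := FTP_FAIL.search(line):
            last_ip = m.group(1)
            failures[last_ip] += 1
        elif (m := REPEATED.search(line)) and last_ip:
            failures[last_ip] += int(m.group(1))  # syslog collapsed duplicates
        else:
            last_ip = None
            if " named[" in line:
                named_lines.append(line)
    report = {}
    for ip, count in failures.items():
        if count >= threshold:
            ptr = ipaddress.ip_address(ip).reverse_pointer  # x.x.x.x.in-addr.arpa
            noise = sum(1 for entry in named_lines if f"'{ptr}" in entry)
            report[ip] = {"failed_logins": count, "named_errors": noise}
    return report


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(ip, stats)
        # Candidate rule for the operator to review before applying.
        print(f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP")
```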
