%-> I've been getting messages like this in my logfiles pretty regularly as of
%-> late:
%->
%-> unapproved query from [216.33.87.10].62984 for ".": 3 Time(s)
%-> unapproved query from [216.33.87.10].62984 for "VERSION.BIND": 3 Time(s)
%->
%-> BIND is configured not to answer any external queries and I'm wondering if
%-> these are probes having to do with the BIND exploit that's been around for
%-> awhile. (And yes, my version is properly updated.) Anyone know if this is
%-> the case or what else they might mean?

Interestingly enough, I'm seeing a similar phenomenon, but instead of some
user at Exodus as in your case, it's Microsoft's Windows Update servers that
are pounding my name server. First, I got the "VERSION.BIND" probe, and
complained about that and it stopped. Then they moved on to querying for "."
and I complained about that too -- the queries stopped. Now they're querying
for the in-addr.arpa for my IP instead. Aaargh.

I asked what the purpose of the queries was, but got no good reply. It's
some "aggressive DNS scanning software" which doesn't quite make sense,
unless there's some kind of mapping of who uses Windows Update going on.

Version.Bind queries are also popular with crackers looking for an
exploitable version of BIND.

Think I'll just the packets from them in the future.

-- Juha
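
Added example, not part of the original message: a small triage script for the "unapproved query" summary lines quoted above, grouping refused queries by source and labelling the three patterns discussed in this thread (version string, root, reverse lookup). The sample input is constructed; only the first two lines come from the quoted log, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the summary format quoted in the message above.
SAMPLE = '''\
unapproved query from [216.33.87.10].62984 for ".": 3 Time(s)
unapproved query from [216.33.87.10].62984 for "VERSION.BIND": 3 Time(s)
unapproved query from [192.0.2.7].1045 for "10.2.0.192.in-addr.arpa": 5 Time(s)
unapproved query from [198.51.100.9].53 for "example.org": 1 Time(s)
'''

LINE = re.compile(r'unapproved query from \[(?P<ip>[0-9a-fA-F.:]+)\]\.(?P<port>\d+) '
                  r'for "(?P<name>[^"]*)": (?P<count>\d+) Time\(s\)')

def classify(qname):
    """Label a refused query name by what it most likely is."""
    n = qname.lower().rstrip('.')
    # Names a server may answer with its software version or identity.
    if n in ('version.bind', 'hostname.bind', 'authors.bind', 'version.server'):
        return 'version-fingerprint'
    if n == '':                      # "." is the root zone
        return 'root-query'
    if n.endswith('.in-addr.arpa') or n.endswith('.ip6.arpa'):
        return 'reverse-lookup'
    return 'other'

def summarize(text):
    """Return {source_ip: {'total': int, 'kinds': {label: count}}}."""
    out = defaultdict(lambda: {'total': 0, 'kinds': defaultdict(int)})
    for m in LINE.finditer(text):
        count = int(m['count'])
        entry = out[m['ip']]
        entry['total'] += count
        entry['kinds'][classify(m['name'])] += count
    return out

def probing_sources(text):
    """Sources that asked for a version string, the pattern worth reviewing first."""
    return sorted(ip for ip, e in summarize(text).items()
                  if e['kinds'].get('version-fingerprint'))

if __name__ == '__main__':
    for ip, e in sorted(summarize(SAMPLE).items()):
        print(ip, e['total'], dict(e['kinds']))
    print('version probes from:', probing_sources(SAMPLE))
```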