[Snort-users] named scan -> iquery -> version probe from korea

Mikael Schmidt mikael.schmidt at ...718...
Tue Nov 21 03:25:55 EST 2000


I too have seen this, from an IP in Taiwan though. I do believe that there is 
a fairly new exploit for named, although I'm not that sure it uses iquery... 
there was a DoS discovered in bind-8.2.2-p5 when handling zxfr's that has 
been fixed in 8.2.2-p7, but that isn't what we're seeing here... anyone have 
any further information?


On Sun, 19 Nov 2000, Mark Rowlands wrote:
> On Saturday 18 November 2000 21:17, DmuZ wrote:
> > Hello,
> >
> > I have been noticing a large number of the following scan sequence from
> > this IP in Korea. I think I remember reading about others who experienced
> > this. I first noticed this activity about 3 weeks ago. I just got a bunch
> > more last night.
> >
> > All the scans use the same SYN-FIN scan to port 53 then follow up with
> > iquery and named version check if it is open.
> >
> > Paste from snortsnarf:
> >
> > <snip>
> >
> > [**] SCAN-SYN FIN [**]
> > 11/18-12:54:26.832800 211.56.35.221:53-> xx.yy.zz.aa:53
> > TCP TTL:29 TOS:0x0 ID:39426
> > ******SF Seq: 0x12FF2EAB Ack: 0x47E750C7 Win: 0x404
> >
> > [**] IDS277 - NAMED Iquery Probe [**]
> > 11/18-12:54:29.489328 211.56.35.221:4872-> xx.yy.zz.aa:53
> > UDP TTL:51 TOS:0x0 ID:36414
> > Len: 35
> >
> > [**] IDS278 - SCAN -named Version probe [**]
> > 11/18-12:54:29.948289 211.56.35.221:4872-> xx.yy.zz.aa:53
> > UDP TTL:51 TOS:0x0 ID:36417
> > Len: 38
> >
> > </snip>
> >
> >
> > Have others been seeing these scans as well?
>
> yep
>
> mine was from @home tho
>
> > DmuZ
> > --------------------
> > dmuz.angrypacket.com
> > --------------------
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
>

-- 
Mikael Schmidt - mikael.schmidt at ...718...
tfn:	+46(0)46 - 222 47 35
mob:	+46(0)707 - 46 60 56
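The three-stage pattern DmuZ reports (a SYN-FIN to port 53, then the IDS277 iquery probe, then the IDS278 named version probe from the same source) can be correlated out of Snort's alert output. The following is an added example, not code from this thread or from Snort; the sample alerts are constructed from the lines quoted above (header and packet line only), and the 60-second window and the 192.0.2.10 decoy source are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the alert layout pasted in the thread; the last alert,
# from constructed address 192.0.2.10, never completes the sequence.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
11/18-12:54:26.832800 211.56.35.221:53-> xx.yy.zz.aa:53
[**] IDS277 - NAMED Iquery Probe [**]
11/18-12:54:29.489328 211.56.35.221:4872-> xx.yy.zz.aa:53
[**] IDS278 - SCAN -named Version probe [**]
11/18-12:54:29.948289 211.56.35.221:4872-> xx.yy.zz.aa:53
[**] IDS277 - NAMED Iquery Probe [**]
11/18-13:02:11.000000 192.0.2.10:2049-> xx.yy.zz.aa:53
"""
# One alert = "[**] msg [**]" header followed by "timestamp src:port-> dst:port"
ALERT = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]\n(\S+) (\S+):\d+-> \S+:(\d+)$", re.M)
# Stage markers in the order the thread reports them: SYN-FIN sweep,
# iquery probe (IDS277), then named version probe (IDS278).
STAGES = ("SYN FIN", "IDS277", "IDS278")

def parse_stages(text):
    # yields (src_ip, timestamp, stage_index) for port-53 alerts of a known stage
    for msg, ts, src, dport in ALERT.findall(text):
        for idx, tag in enumerate(STAGES):
            if dport == "53" and tag in msg:
                # these timestamps carry no year; deltas within one day are still right
                yield src, datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"), idx

def find_sequences(text, window_seconds=60):
    # sources that ran SYN-FIN -> iquery -> version probe, in order, within the window
    by_src = defaultdict(list)
    for src, ts, stage in parse_stages(text):
        by_src[src].append((ts, stage))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, first) in enumerate(events):
            if first != 0:
                continue
            want = 1  # next stage index expected from this source
            for ts, stage in events[i + 1:]:
                if (ts - t0).total_seconds() > window_seconds:
                    break
                want += stage == want  # advance only on the next expected stage
                if want == len(STAGES):
                    hits.append((src, t0.strftime("%m/%d-%H:%M:%S")))
                    break
    return hits
```

Running `find_sequences(SAMPLE_ALERTS)` reports only 211.56.35.221, keyed on the time of its SYN-FIN; the lone iquery probe from the decoy source is ignored.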


