[Snort-users] Suspicious DNS query, et al.

Neil Dickey neil at ...1633...
Tue Apr 3 09:58:16 EDT 2001


Johnathan Corgan <jcorgan at ...1638...> wrote asking:

>The following two packets were received this AM and logged 
>by snort:
[ ... ]
>The first triggered IDS277 (named-iquery-probe), but the second
>was only logged because I happened to be profiling dns server usage
>and was logging all dns requests to this host anyway.
>
>Any ideas as to what it is? 

And then "Ball, Darryl" <dball at ...1729...> wrote asking:

>Over the past 24 hours SNORT has indicated that I have received 1000
>overflow-noop-x86 attempts. Here is the packet data.  Any ideas what's
>running here?
[ ... ]

I can't say what the nature of the attack against Darryl's system
was, but I can say that in the 24 hours just ended there have been
very heavy scans/attacks occurring.  The information I have is that
they have been particularly directed at academic sites, but that
impression may simply result from lack of data.  An acquaintance
who handles large weather data feeds to universities reports that
his lines have been affected by the hacks.

Ports attacked have been 53 ( DNS ), 111 ( rpcbind ), 515 ( line
printer ), 21 ( FTP ), and 3879 ( ??? ).  The source machines appear
to have been located in Korea, China, Japan, the Philippines, Hong
Kong, and Australia.  In this country, Arizona State University
appears to have been a source.

At any rate, that's how it looks on Tuesday morning.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
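The two questions above are really triage questions: which signatures are firing, against which ports, and whether one source is walking the whole list of ports Neil mentions. The script below is an added example, not code from this thread or from the Snort project. It assumes alert lines in the shape of Snort's one-line "fast" alert output (timestamp, signature between `[**]` markers, then `src:port -> dst:port`); that format, the `WATCHED_PORTS` set, and every IP address in `SAMPLE_ALERTS` are constructed here for illustration.

```python
import re
from collections import Counter, defaultdict

# Ports the post reports as targeted over the previous 24 hours (assumption: the
# analyst wants to know which sources touched several of them).
WATCHED_PORTS = {53, 111, 515, 21, 3879}

# One alert line in the assumed "fast" shape:
#   MM/DD-HH:MM:SS.usec [**] <signature> [**] <src ip>:<port> -> <dst ip>:<port>
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?P<sig>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (documentation-range addresses, not traffic from the post).
SAMPLE_ALERTS = """\
04/03-02:11:05.118273 [**] IDS277 - NAMED Iquery Probe [**] 203.0.113.7:53 -> 192.0.2.10:53
04/03-02:11:06.004511 [**] overflow-noop-x86 [**] 203.0.113.7:4021 -> 192.0.2.10:111
04/03-02:11:07.220034 [**] overflow-noop-x86 [**] 203.0.113.7:4022 -> 192.0.2.10:515
04/03-02:11:08.003192 [**] overflow-noop-x86 [**] 203.0.113.7:4023 -> 192.0.2.10:21
04/03-03:40:12.771102 [**] IDS277 - NAMED Iquery Probe [**] 198.51.100.42:2049 -> 192.0.2.10:53
04/03-04:02:33.100000 [**] overflow-noop-x86 [**] 198.51.100.9:6000 -> 192.0.2.11:80
this line is not an alert and is skipped
"""


def parse_alerts(text):
    """Yield one dict per line that matches ALERT_RE; silently skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        yield {
            "ts": m.group("ts"),
            "sig": m.group("sig"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
        }


def summarize(alerts):
    """Return (counts per signature, counts per destination port,
    watched ports touched per source IP)."""
    by_sig = Counter()
    by_dport = Counter()
    watched_by_src = defaultdict(set)
    for a in alerts:
        by_sig[a["sig"]] += 1
        by_dport[a["dport"]] += 1
        if a["dport"] in WATCHED_PORTS:
            watched_by_src[a["src"]].add(a["dport"])
    return by_sig, by_dport, dict(watched_by_src)


def likely_scanners(alerts, min_ports=3):
    """Sources that hit at least min_ports distinct watched ports, busiest first.

    A single host probing DNS, rpcbind, lpd and FTP in sequence looks like a
    scan rather than an isolated false positive on one signature."""
    _, _, watched_by_src = summarize(alerts)
    hits = [(src, len(ports)) for src, ports in watched_by_src.items()
            if len(ports) >= min_ports]
    hits.sort(key=lambda item: (-item[1], item[0]))
    return [src for src, _ in hits]


if __name__ == "__main__":
    alerts = list(parse_alerts(SAMPLE_ALERTS))
    by_sig, by_dport, watched_by_src = summarize(alerts)
    print("alerts per signature:", dict(by_sig))
    print("alerts per destination port:", dict(by_dport))
    print("watched ports per source:", watched_by_src)
    print("likely scanners:", likely_scanners(alerts))
```

Run against a real alert file, the interesting output is the last line: a source that touched several of the listed ports within a short window is worth blocking or reporting, while a lone overflow-noop-x86 hit on port 80 is the kind of thing that often turns out to be binary content (images, compressed data) that happens to contain a run of NOP bytes, and deserves a look at the payload before any action.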