[Snort-users] DNS server keeps communicating with Darkprofits.net and darkprofits.com

Grime, Richard S richard.grime at ...8411...
Tue Feb 3 14:41:26 EST 2004


...and the DarkProfits requests themselves probably come from the DDoS
component of one of the MiMail variants, e.g.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@...11053...5...html


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Sean Lazar
Sent: 03 February 2004 01:47
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] DNS server keeps communicating with
Darkprofits.net and darkprofits.com


In general your DNS servers should not serve domains other than those 
they are authoritative for.

If you are using BIND (eight and above?) you can use the allow-recursion
option to limit recursion to friendly IP addresses. For example:

acl our-nets { XXX.XXX.XXX.0/24; };
options {
    allow-recursion { our-nets; };
};

Upgrading to the latest BIND version is strongly recommended.
BIND reference manual:
http://www.nominum.com/content/documents/bind9arm.pdf


Marlon.Richards at ...11130... wrote:
>
>Hi guys. I know this is the SNORT mailing list but I am just wondering 
>if I could get some help here. I found that my DNS server is being 
>asked to make numerous resolutions of darkprofits.com and 
>darkprofits.net. None of my internal clients are making these requests.
>
>My sniffer shows me that the requests are being made from outside my 
>network and that my DNS server is making a request for this domain to 
>external hosts. Does anyone know where this may be coming from and how 
>to stop it?
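A way to confirm the behaviour described in this thread from the server's own query log, as an added example that is not part of the original messages: it assumes the BIND 9 query-log line layout ("client ip#port: query: name IN type flags", where a leading "+" flag means recursion desired) and a hypothetical our-nets ACL of 192.0.2.0/24, and flags recursive queries from addresses outside that ACL, together with the names they asked for, over a constructed sample log.

```python
import ipaddress
import re
from collections import Counter

# Assumed BIND 9 query-log layout: "client <ip>#<port>: query: <name> IN <type> <flags>".
# The timestamp prefix is ignored; a flags field starting with "+" means recursion desired.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Hypothetical "our-nets" ACL, mirroring the named.conf example in the thread.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(ip):
    """True if the client address falls inside one of our-nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def find_external_recursion(log_lines):
    """Return (offenders, qname_counts): recursive queries from clients outside
    OUR_NETS as (ip, qname) pairs, and a Counter of the names they asked for."""
    offenders = []
    counts = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line
        recursion_desired = m.group("flags").startswith("+")
        if recursion_desired and not is_internal(m.group("ip")):
            qname = m.group("qname").rstrip(".").lower()
            offenders.append((m.group("ip"), qname))
            counts[qname] += 1
    return offenders, counts


# Constructed sample log (not real data): two outside hosts using the server
# as an open resolver for darkprofits.com / darkprofits.net.
SAMPLE_LOG = """\
03-Feb-2004 01:40:02.112 client 192.0.2.10#1025: query: mail.example.net IN MX +
03-Feb-2004 01:40:03.557 client 203.0.113.7#3412: query: darkprofits.com IN A +
03-Feb-2004 01:40:03.901 client 203.0.113.7#3413: query: darkprofits.net IN A +
03-Feb-2004 01:40:04.002 client 198.51.100.44#53: query: www.example.com IN A -
03-Feb-2004 01:40:05.330 client 203.0.113.99#2048: query: darkprofits.com IN A +
""".splitlines()

if __name__ == "__main__":
    offenders, counts = find_external_recursion(SAMPLE_LOG)
    for ip, qname in offenders:
        print(f"recursive query from outside our-nets: {ip} -> {qname}")
    print("most-requested names:", counts.most_common(3))
```

The non-recursive query from 198.51.100.44 is left alone, since answering iterative queries for your own zones is what an authoritative server is for.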
