[ILUG] domain-jacking
Kenn Humborg
kenn at bluetree.ie
Mon Jan 10 18:34:23 GMT 2000
> Howdy, all.
> A couple of rather bizarre lines appeared in my logs today:
> Jan 10 05:53:11 leviathan named[27650]: approved AXFR from
> [209.112.56.46].3680 for "irelands-web.ie"
> Jan 10 05:53:11 leviathan named[27650]: zone transfer (AXFR) of
> "irelands-web.ie" (IN) to [209.112.56.46].3680
>
> From what I gather from the scant information I can find on the web, if
> this is deliberate it's probably a precursor to a cracking attempt
> rather than a heinous plot to nick our domain. In any case, it's not the
> sort of thing I like to see appearing in the logs. So:
> 1. Does anyone know what's happening?
Someone downloaded a copy of your zone.
> 2. Does anyone know how to stop it?
Put access restrictions in /etc/named.boot or /etc/named.conf
(depending on your BIND version)
> 3. What is port 3680?
Just a random port that the remote machine connected from. Doesn't
have any significance.
> 209.112.56.46 is compuoffice.com ; I imagine they're innocent bystanders
> in all this.
Or maybe they are collecting stats. Heanet and Netcraft (I think)
trawl the DNS every month or so to collect stats on Internet growth.
Or maybe they are a coven of evil crackers just waiting to pounce on
irelands-web.ie and turn it into irelands-den-of-pron-and-iniquity.ie.
Put access restrictions on your zones, limiting access to only your
secondaries and sleep easy.
Later,
Kenn
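As an added illustration of the two things recommended above (spotting unexpected AXFRs in the logs and restricting transfers to the secondaries), here is a small Python script that is not part of the original thread. It parses the BIND 8 style "zone transfer (AXFR)" log lines quoted in the message, checks each transfer's client against a per-zone allow-list of secondaries, and renders the matching `allow-transfer` clause for `named.conf` from that same list. The sample log text is constructed for the example; 209.112.56.46 comes from the thread, while 192.0.2.53 and 198.51.100.7 are documentation addresses standing in for a hypothetical secondary and an unrelated host. The secondary list itself is an assumption you would replace with your own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample syslog text, modelled on the BIND 8 messages quoted in
# the thread. Each transfer produces an "approved AXFR" line and a
# "zone transfer (AXFR)" line; only the latter is parsed, to avoid counting
# one transfer twice. The last line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
Jan 10 05:53:11 leviathan named[27650]: approved AXFR from [209.112.56.46].3680 for "irelands-web.ie"
Jan 10 05:53:11 leviathan named[27650]: zone transfer (AXFR) of "irelands-web.ie" (IN) to [209.112.56.46].3680
Jan 10 06:10:02 leviathan named[27650]: approved AXFR from [192.0.2.53].1043 for "irelands-web.ie"
Jan 10 06:10:02 leviathan named[27650]: zone transfer (AXFR) of "irelands-web.ie" (IN) to [192.0.2.53].1043
Jan 10 06:15:44 leviathan named[27650]: lame server resolving 'example.net' (in 'example.net'?): 198.51.100.7#53
"""

# Hypothetical allow-list: the secondaries permitted to pull each zone.
# Assumption for the example; fill in your own zones and secondary addresses.
ALLOWED_SECONDARIES = {
    "irelands-web.ie": [ipaddress.ip_network("192.0.2.53/32")],
}

# Matches the BIND 8 format shown in the thread; other BIND versions log
# transfers differently and need their own pattern.
AXFR_RE = re.compile(
    r'zone transfer \(AXFR\) of "(?P<zone>[^"]+)" \((?P<cls>\w+)\) to '
    r"\[(?P<ip>[0-9.]+)\]\.(?P<port>\d+)"
)


@dataclass(frozen=True)
class Transfer:
    timestamp: str   # syslog timestamp as written, e.g. "Jan 10 05:53:11"
    zone: str
    client: str      # address the transfer was sent to
    port: int        # ephemeral source port of the client (no significance)


def parse_transfers(log_text):
    """Return one Transfer per completed AXFR found in the log text."""
    found = []
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if not m:
            continue
        found.append(Transfer(timestamp=line[:15], zone=m["zone"],
                              client=m["ip"], port=int(m["port"])))
    return found


def is_authorized(transfer, allowed=ALLOWED_SECONDARIES):
    """True if the client is inside one of the zone's permitted networks."""
    addr = ipaddress.ip_address(transfer.client)
    return any(addr in net for net in allowed.get(transfer.zone, []))


def unauthorized_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Transfers that went to a host not listed as a secondary for that zone."""
    return [t for t in parse_transfers(log_text) if not is_authorized(t, allowed)]


def allow_transfer_stanza(zone, allowed=ALLOWED_SECONDARIES):
    """Render the named.conf 'allow-transfer' clause for a zone from the same
    allow-list, so the log check and the server configuration agree.
    A zone with no listed secondaries gets 'none', i.e. no transfers at all."""
    nets = allowed.get(zone, [])
    entries = "; ".join(
        str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets
    )
    return f"allow-transfer {{ {entries}; }};" if entries else "allow-transfer { none; };"


if __name__ == "__main__":
    for t in unauthorized_transfers(SAMPLE_LOG):
        print(f"{t.timestamp}: unexpected AXFR of {t.zone} to {t.client} (port {t.port})")
    print("zone \"irelands-web.ie\" {", "   ", allow_transfer_stanza("irelands-web.ie"), "};")
```

Run against the sample, the script flags the 209.112.56.46 transfer and passes the one to the listed secondary; the rendered clause (`allow-transfer { 192.0.2.53; };`) goes inside the zone statement in `named.conf`, or into the `options` block to apply to every zone. Hosts older than BIND 8 use `xfrnets` in `named.boot` instead, as the reply above notes.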