DNS scans from places - someone else have this happening?
Fandelem
12-09-2000, 03:16 AM
logs:
Dec 8 21:37:09 UDP: dgram to port 1223 from sca03.auth.dns.exodus.net (209.185.253.230):53 (72 data bytes)
Dec 8 22:07:17 UDP: dgram to port 1223 from sca04.auth.dns.exodus.net (216.32.104.10):53 (72 data bytes)
Dec 8 23:45:55 last message repeated 1 times
it goes on every couple hours.
exodus is *not* my isp - fdt.net is - and i've checked they are in no way in association with each other..
so, does this mean it's being blocked, or just logged? (these are snippets from iplog) I'm assuming just logged, which scares me even more - what are they actually doing?
my ipchains rules read:
$IPCHAINS -A input -p udp -s 209.212.128.33 53 -d $OUTERIP 1024:65535 -j ACCEPT
$IPCHAINS -A input -p tcp -s 209.212.128.33 53 -d $OUTERIP 1024:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s 209.212.128.32 53 -d $OUTERIP 1024:65535 -j ACCEPT
$IPCHAINS -A input -p tcp -s 209.212.128.32 53 -d $OUTERIP 1024:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 53 -j DENY -l
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 53 -j DENY -l
i would think this would block it, but i guess not? hrmm
any help or insights would be great-
thanks,
~kyle
Fandelem
12-09-2000, 05:56 AM
$IPCHAINS -A input -p udp -i $OUTERIF -s $REMOTENET 1024:65535 -d $OUTERNET 53 -j DENY -l
$IPCHAINS -A input -p tcp -i $OUTERIF -s $REMOTENET 1024:65535 -d $OUTERNET 53 -j DENY -l
seems to do the trick (adding the 1024:65535)
Dec 9 05:29:23 server kernel: Packet log: input DENY ppp0 PROTO=17 209.185.253.230:53 209.212.133.70:1223 L=100 S=0x00 I=41737 F=0x4000 T=242 (#67)
this now shows up in my logfile, which is exodus :}
everything works now too, hrm, so weird of them to be sending me requests every hour or so.
Jeepsta
12-09-2000, 05:16 PM
Hmmm....that seems weird. I get the same thing but it is my ISP doing it. Are they doing this for a reason or what??
------------------
It's a jeep thing... You wouldn't understand.
Fandelem
12-09-2000, 05:37 PM
they won't be doing it anymore :D
Lorithar
12-18-2000, 03:52 PM
*grins*
Go check out ORBS website to find out about Exodus.net.
And ... if they've been scanning you .. check your mail logs... and tighten 'em up ....NOW...
Fandelem
12-19-2000, 06:42 AM
okay, now i'm kinda freaked.
i went to my /tmp directory, and here's what was there:
[root@Server /tmp]# ls
total 4
drwx------ 2 root root 4096 Dec 10 04:17 orbit-root
[root@Server /tmp]#
[root@Server /tmp]# cd orbit-root/
[root@Server orbit-root]# ls
total 4
-rw------- 1 root root 63 Dec 10 04:17 cookie
srwxrwxr-x 1 root root 0 Dec 10 04:17 orb-14147654021369241801
srwxrwxr-x 1 root root 0 Dec 10 04:17 orb-21094623101828372576
[root@Server orbit-root]#
what the hell is this? :}
btw, on another note - I don't really have access to the actual console login to check root's mail - how can I do it from telnetting in?
thanks,
~kyle
Fandelem
12-19-2000, 05:28 PM
ooh, fun.
Dec 18 07:47:25 UDP: dgram to port 1223 from a.root-servers.net (198.41.0.4):53 (129 data bytes)
Dec 18 08:20:23 UDP: dgram to port 1223 from G.ROOT-SERVERS.NET (192.112.36.4):53 (123 data bytes)
Dec 18 08:20:27 UDP: dgram to port 1223 from i.root-servers.net (192.36.148.17):53 (123 data bytes)
Dec 18 08:20:31 UDP: dgram to port 1223 from l.root-servers.net (198.32.64.12):53 (350 data bytes)
Dec 18 08:20:35 UDP: dgram to port 1223 from f.root-servers.net (192.5.5.241):53 (103 data bytes)
Dec 18 08:20:43 UDP: dgram to port 1223 from m.root-servers.net (202.12.27.33):53 (350 data bytes)
Dec 18 08:20:49 UDP: dgram to port 1223 from E.ROOT-SERVERS.NET (192.203.230.10):53 (103 data bytes)
Dec 18 08:20:51 UDP: dgram to port 1223 from a.root-servers.net (198.41.0.4):53 (123 data bytes)
Dec 18 08:20:55 UDP: dgram to port 1223 from k.root-servers.net (193.0.14.129):53 (350 data bytes)
Dec 18 08:20:59 UDP: dgram to port 1223 from h.root-servers.net (128.63.2.53):53 (123 data bytes)
Dec 18 08:21:07 UDP: dgram to port 1223 from b.root-servers.net (128.9.0.107):53 (123 data bytes)
Dec 18 08:21:09 UDP: dgram to port 1223 from d.root-servers.net (128.8.10.90):53 (123 data bytes)
Dec 18 08:21:11 UDP: dgram to port 1223 from j.root-servers.net (198.41.0.10):53 (350 data bytes)
Dec 18 08:21:31 UDP: dgram to port 1223 from G.ROOT-SERVERS.NET (192.112.36.4):53 (123 data bytes)
Dec 18 08:21:39 UDP: dgram to port 1223 from i.root-servers.net (192.36.148.17):53 (123 data bytes)
Dec 19 08:25:30 UDP: dgram to port 1223 from a.gtld-servers.net (198.41.3.38):53 (129 data bytes)
Dec 19 08:25:34 UDP: dgram to port 1223 from c.gtld-servers.net (205.188.185.18):53 (129 data bytes)
Dec 19 08:25:38 UDP: dgram to port 1223 from b.gtld-servers.net (203.181.106.5):53 (129 data bytes)
Dec 19 08:25:42 UDP: dgram to port 1223 from e.gtld-servers.net (207.200.81.69):53 (129 data bytes)
Dec 19 08:25:46 UDP: dgram to port 1223 from j.gtld-servers.net (210.132.100.101):53 (129 data bytes)
Dec 19 08:25:49 UDP: dgram to port 1223 from d.gtld-servers.net (208.206.240.5):53 (129 data bytes)
Dec 19 08:25:59 UDP: dgram to port 1223 from g.gtld-servers.net (198.41.3.101):53 (129 data bytes)
Dec 19 08:26:03 UDP: dgram to port 1223 from f.gtld-servers.net (198.17.208.67):53 (129 data bytes)
Dec 19 08:26:04 UDP: dgram to port 1223 from k.gtld-servers.net (213.177.194.5):53 (129 data bytes)
Dec 19 08:26:06 UDP: dgram to port 1223 from m.gtld-servers.net (202.153.114.101):53 (129 data bytes)
Dec 19 08:26:09 UDP: dgram to port 1223 from i.gtld-servers.net (192.36.144.133):53 (129 data bytes)
*boggle* they are attempting on port 1223 from source of 53..
[This message has been edited by Fandelem (edited 19 December 2000).]
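An added example for reading these iplog lines (the exodus lines in the first post and the root-server / gtld-server lines in the last one) and for checking them against the ipchains rules quoted in the first post; this is editor-supplied code, not anything posted in the thread. It parses the "dgram to port N from host (ip):53" format, labels a datagram whose source port is 53 and whose local port is 1024 or above as a DNS reply to a query this host sent (a resolver such as BIND 8 keeps one outgoing query socket, which is why every reply lands on the same local port), and labels a datagram aimed at local port 53 as an inbound query. The rule model is a deliberate simplification: $OUTERIP/$OUTERNET is taken to mean "this host" and is not checked, $REMOTENET is taken as "any source", and only source address and port ranges are matched, first match wins. The last sample line (resolver.example, 192.0.2.10) is constructed to show an inbound query; the other samples are copied from the posts above.

```python
import re
from collections import Counter

# Constructed sample input in the iplog format quoted in this thread. The
# first four lines are copied from the posts; the last one (192.0.2.10, an
# RFC 5737 documentation address) is made up to show an inbound query.
SAMPLE_LOG = """\
Dec 8 21:37:09 UDP: dgram to port 1223 from sca03.auth.dns.exodus.net (209.185.253.230):53 (72 data bytes)
Dec 8 22:07:17 UDP: dgram to port 1223 from sca04.auth.dns.exodus.net (216.32.104.10):53 (72 data bytes)
Dec 18 08:20:23 UDP: dgram to port 1223 from G.ROOT-SERVERS.NET (192.112.36.4):53 (123 data bytes)
Dec 19 08:25:30 UDP: dgram to port 1223 from a.gtld-servers.net (198.41.3.38):53 (129 data bytes)
Dec 19 09:00:00 UDP: dgram to port 53 from resolver.example (192.0.2.10):40000 (40 data bytes)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) UDP: dgram to port (?P<dport>\d+) "
    r"from (?P<host>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\):(?P<sport>\d+) "
    r"\((?P<bytes>\d+) data bytes\)$"
)


def parse_iplog(text):
    """Parse iplog UDP lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("dport", "sport", "bytes"):
                d[k] = int(d[k])
            events.append(d)
    return events


def classify(ev):
    """Label a UDP datagram by its port pair.

    Source port 53 arriving at a high (>=1024) local port is the shape of a
    DNS reply to a query this host sent from that high port. A datagram
    aimed at local port 53 is an inbound query (something asking our server).
    """
    if ev["sport"] == 53 and ev["dport"] >= 1024:
        return "dns_reply_to_our_query"
    if ev["dport"] == 53:
        return "inbound_dns_query"
    return "other_udp"


def summarize(events):
    """Counts per class and per local port, plus the hosts that sent replies."""
    return {
        "by_class": Counter(classify(e) for e in events),
        "by_local_port": Counter(e["dport"] for e in events),
        "reply_sources": sorted({e["host"] for e in events
                                 if classify(e) == "dns_reply_to_our_query"}),
    }


# --- simplified model of the ipchains port matching in the first post ---
def port_in(spec, port):
    """ipchains port spec: '53', '1024:65535', or None meaning any port."""
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")
    hi = hi or lo
    return int(lo) <= port <= int(hi)


# (src ip or None for $REMOTENET, src port spec, dst port spec, target),
# transcribed from the first post's rules. $OUTERIP/$OUTERNET is treated as
# "this host" and is not checked. First match wins, as in ipchains.
FIRST_POST_RULES = [
    ("209.212.128.33", "53", "1024:65535", "ACCEPT"),
    ("209.212.128.32", "53", "1024:65535", "ACCEPT"),
    (None, None, "53", "DENY"),
]


def ipchains_verdict(ev, rules=FIRST_POST_RULES, policy="policy"):
    """Return the target of the first matching rule, or the chain policy."""
    for src_ip, sport_spec, dport_spec, target in rules:
        if src_ip is not None and ev["ip"] != src_ip:
            continue
        if port_in(sport_spec, ev["sport"]) and port_in(dport_spec, ev["dport"]):
            return target
    return policy


if __name__ == "__main__":
    evs = parse_iplog(SAMPLE_LOG)
    for e in evs:
        print(f'{e["ts"]:>15} {e["ip"]:>16}:{e["sport"]:<5} -> :{e["dport"]:<5} '
              f'{classify(e):<24} ipchains={ipchains_verdict(e)}')
    print(summarize(evs))
```

Run it as a script to get one line per datagram plus the summary. Against the first post's rule set, the replies from the two 209.212.128.x resolvers hit the ACCEPT rules, the constructed inbound query hits the `-d $OUTERNET 53` DENY, and replies from any other nameserver match none of the three rules and fall through to the chain's default policy, which is what the verdict column reports for the exodus and root-server lines.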