[ale] DNS hacker, help
marek at foundmoney.com
marek at foundmoney.com
Wed Aug 2 11:16:29 EDT 2000
This is what I found in my dns debug. scenewhores.com does not belong to
us nor do we have anything to do with them or this kind of industry.
>From what I can tell they tried to use our dns server to service this
domain name ?
datagram from [210.113.231.145].1668, fd 22, len 35
req: nlookup(v.scenewhores.com) id 53786 type=1 class=1
req: found 'v.scenewhores.com' as 'com' (cname=0)
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
forw: forw -> [198.41.0.4].53 ds=5 nsid=15407 id=53786 79ms retry 4sec
datagram from [198.41.0.4].53, fd 5, len 130
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15407
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; v.scenewhores.com, type = A, class = IN
SCENEWHORES.COM. 2D IN NS NS1.SUIDREWT.ORG.
SCENEWHORES.COM. 2D IN NS NS2.SUIDREWT.ORG.
NS1.SUIDREWT.ORG. 2D IN A 195.13.119.253
NS2.SUIDREWT.ORG. 2D IN A 195.13.119.254
resp: nlookup(v.scenewhores.com) qtype=1
resp: found 'v.scenewhores.com' as 'scenewhores.com' (cname=0)
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
sysquery: send -> [198.41.0.4].53 dfd=5 nsid=2176 id=0 retry=965197248
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
sysquery: send -> [198.41.0.4].53 dfd=5 nsid=25109 id=0 retry=965197248
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
datagram from [198.41.0.4].53, fd 5, len 180
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
datagram from [198.41.0.4].53, fd 5, len 180
datagram from [210.113.231.145].1668, fd 22, len 35
req: nlookup(v.scenewhores.com) id 53786 type=1 class=1
req: found 'v.scenewhores.com' as 'scenewhores.com' (cname=0)
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197253.000000000, inter 0.000000000)
forw: forw -> [195.13.119.253].53 ds=5 nsid=43213 id=53786 3ms retry
4sec
evSelectFD(ctx 0x80d2740, fd 7, mask 0x1, func 0x8086e98, uap
0x4013004c)
IP/TCP connection from [216.208.41.78].4355 (fd 7)
datagram from [195.13.119.253].53, fd 5, len 84
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43213
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; v.scenewhores.com, type = A, class = IN
v.scenewhores.com. 1W IN NS doh.scenewhores.com.
doh.scenewhores.com. 1W IN A 216.224.8.100
resp: nlookup(v.scenewhores.com) qtype=1
resp: found 'v.scenewhores.com' as 'v.scenewhores.com' (cname=0)
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197254.000000000, inter 0.000000000)
resp: forw -> [216.224.8.100].53 ds=5 nsid=28566 id=53786 19ms
evSelectFD(ctx 0x80d2740, fd 8, mask 0x1, func 0x8086e98, uap
0x40130008)
IP/TCP connection from [216.224.8.100].1466 (fd 8)
evDeselectFD(fd 8, mask 0x1)
evSelectFD(ctx 0x80d2740, fd 8, mask 0x1, func 0x8086e98, uap
0x40130090)
evDeselectFD(fd 8, mask 0x1)
update type 30: 6507 bytes is too much data
And this is when the DNS server went down.
Marek
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
More information about the Ale
mailing list