[ale] DNS hacker, help

marek at foundmoney.com marek at foundmoney.com
Wed Aug 2 11:16:29 EDT 2000 

This is what I found in my dns debug. scenewhores.com does not belong to
us nor do we have anything to do with them or this kind of industry.
>From what I can tell they tried to use our dns server to service this
domain name ?


datagram from [210.113.231.145].1668, fd 22, len 35
req: nlookup(v.scenewhores.com) id 53786 type=1 class=1
req: found 'v.scenewhores.com' as 'com' (cname=0)
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
forw: forw -> [198.41.0.4].53 ds=5 nsid=15407 id=53786 79ms retry 4sec
datagram from [198.41.0.4].53, fd 5, len 130
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15407
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;;      v.scenewhores.com, type = A, class = IN
SCENEWHORES.COM.        2D IN NS        NS1.SUIDREWT.ORG.
SCENEWHORES.COM.        2D IN NS        NS2.SUIDREWT.ORG.
NS1.SUIDREWT.ORG.       2D IN A         195.13.119.253
NS2.SUIDREWT.ORG.       2D IN A         195.13.119.254
resp: nlookup(v.scenewhores.com) qtype=1
resp: found 'v.scenewhores.com' as 'scenewhores.com' (cname=0)
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
sysquery: send -> [198.41.0.4].53 dfd=5 nsid=2176 id=0 retry=965197248
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
sysquery: send -> [198.41.0.4].53 dfd=5 nsid=25109 id=0 retry=965197248
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
datagram from [198.41.0.4].53, fd 5, len 180
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197248.000000000, inter 0.000000000)
datagram from [198.41.0.4].53, fd 5, len 180
datagram from [210.113.231.145].1668, fd 22, len 35
req: nlookup(v.scenewhores.com) id 53786 type=1 class=1
req: found 'v.scenewhores.com' as 'scenewhores.com' (cname=0)
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197253.000000000, inter 0.000000000)
forw: forw -> [195.13.119.253].53 ds=5 nsid=43213 id=53786 3ms retry
4sec
evSelectFD(ctx 0x80d2740, fd 7, mask 0x1, func 0x8086e98, uap
0x4013004c)
IP/TCP connection from [216.208.41.78].4355 (fd 7)
datagram from [195.13.119.253].53, fd 5, len 84
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43213
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;;      v.scenewhores.com, type = A, class = IN
v.scenewhores.com.      1W IN NS        doh.scenewhores.com.
doh.scenewhores.com.    1W IN A         216.224.8.100
resp: nlookup(v.scenewhores.com) qtype=1
resp: found 'v.scenewhores.com' as 'v.scenewhores.com' (cname=0)
evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
965197254.000000000, inter 0.000000000)
resp: forw -> [216.224.8.100].53 ds=5 nsid=28566 id=53786 19ms
evSelectFD(ctx 0x80d2740, fd 8, mask 0x1, func 0x8086e98, uap
0x40130008)
IP/TCP connection from [216.224.8.100].1466 (fd 8)
evDeselectFD(fd 8, mask 0x1)
evSelectFD(ctx 0x80d2740, fd 8, mask 0x1, func 0x8086e98, uap
0x40130090)
evDeselectFD(fd 8, mask 0x1)
update type 30: 6507 bytes is too much data

And this is when the DNS server went down.

Marek

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

More information about the Ale mailing list