Re: [cobalt-users] lame server
- Subject: Re: [cobalt-users] lame server
- From: Diana Brake <diana@xxxxxxxxxxxxx>
- Date: Thu Feb 1 21:15:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
At 01:00 AM 1/31/01, Flash22 wrote:
On Tue, 30 Jan 2001, Rick Ewart wrote:
> I personally think it's an attack on the server, of some sort, as I get
> Jan 30 12:40:32 www named[916]: Lame server on '19.66.241.207.in-addr.arpa'
> (in '19.66.241.207.in-addr.arpa'?): [192.67.14.16].53 't.ns.verio.net'
I'd have been inclined to think you were just seeing an odd coincidence,
but I have one also, 6 minutes later....interesting
The other interesting thing is I have no record in any other log file for
this IP address, so it's not a web hit, seems more like someone asked the
nameserver...
Wonder if there's some nifty hack involving delegating a ptr back to
localhost...
Hi,
I wonder about these things too...but I'm skeptical about this being a hack
attempt. I also got an entry from verio.net similar to yours in my logs. In
the past, I've gotten many "lame server" messages that appeared to be
related to a cobaltlist user and there have been many times I've come close
to asking onlist if there was someone who knew something about some lame
domain, or did they use such-and-such host because it was throwing lame
messages out.
I tend to think Rudolfo was correct when he said these messages may be
appearing because our servers are doing reverse lookups on mail that they
receive. Wouldn't it make sense then that everyone on the list who has
reverse lookup enabled would get the same message in their logs when a
piece of mail is sent to the list by someone who is using DNS provided by
some of these apparently third party providers?...And around the same time
makes sense too because our servers will each get a list message within
minutes of everyone else.
From what little I know...*turning red* cause I know very little...but the
lame server messages don't concern me. It's the bad request messages that
"could" mean trouble. On a VERY slim possibility, these machines could have
been hijacked and are being used for bad things.
I've often noticed a huge list of these:
} Jun 2 06:21:32 gw-crest named[5504]: bad referral (com !< overstock.com)
} Jun 2 08:22:44 gw-crest named[5504]: bad referral (com !< BIGFOOT.com)
} Jun 4 02:05:59 gw-crest named[5504]: bad referral (FSU.EDU !< SCRI.FSU.edu)
} Jun 4 02:26:23 gw-crest named[5504]: bad referral (121.34.216.in-addr.arpa
} !< 0/25.121.34.216.in-addr.arpa)
} Jun 4 02:26:30 gw-crest named[5504]: bad referral (121.34.216.in-addr.arpa
} !< 0/25.121.34.216.in-addr.arpa)
} Jun 4 02:35:04 gw-crest named[5504]: bad referral (78.199.in-addr.arpa !<
} 177.78.199.in-addr.arpa)
right before a major portscan or long run of login attempts using anonymous
FTP or even, as has happened several times recently, login attempts using
the admin ID. (don't mind the old date stamps...*grin*...I grabbed the first
log that came up). Individual login attempts by someone using an id that
definitely isn't on the system...(they're guessing) are the ones I watch
for. If I see one of my own users having major troubles, I contact them to
find out what is going on. Usually they admit to forgetting their
password....:). They then tell me they remembered it later or I reset it
for them. Nobody has shell access on my machines but me.
If this doesn't make sense, maybe the security gurus will enlighten us
all...I know I for one could sure use the education..:)
see ya,
Diana
Crest Communications, Inc. diana@xxxxxxxxxxxxx
Beautiful Sunny Florida http://crestcommunications.com/
352-495-9359, 425-732-9785 fax
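As an added triage example (not part of this post or the list), here is a small Python parser for the two BIND named log formats quoted above, "Lame server on ..." and "bad referral (... !< ...)". It re-joins the log lines the mail client wrapped, strips the `>` / `}` quote prefixes, and tallies lame servers per responding nameserver IP and bad referrals per parent zone. The sample text is constructed from the lines quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample: the lines quoted in this thread, including the mail
# quote prefixes and the line wrapping the mail client introduced.
SAMPLE = """\
> Jan 30 12:40:32 www named[916]: Lame server on '19.66.241.207.in-addr.arpa'
> (in '19.66.241.207.in-addr.arpa'?): [192.67.14.16].53 't.ns.verio.net'
} Jun 2 06:21:32 gw-crest named[5504]: bad referral (com !< overstock.com)
} Jun 4 02:26:23 gw-crest named[5504]: bad referral (121.34.216.in-addr.arpa
} !< 0/25.121.34.216.in-addr.arpa)
} Jun 4 02:35:04 gw-crest named[5504]: bad referral (78.199.in-addr.arpa !<
} 177.78.199.in-addr.arpa)
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
START = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")   # a syslog timestamp opens a new record
LAME = re.compile(TS + r" \S+ named\[\d+\]: Lame server on '(?P<zone>[^']+)'"
                  r".*?\[(?P<ip>[\d.]+)\]\.(?P<port>\d+) '(?P<ns>[^']+)'")
BADREF = re.compile(TS + r" \S+ named\[\d+\]: bad referral "
                    r"\((?P<parent>\S+) !< (?P<child>\S+)\)")

def unwrap(text):
    """Drop quote prefixes and glue wrapped continuation lines back onto their record."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("}> ").strip()
        if not line:
            continue
        if START.match(line) or not records:
            records.append(line)
        else:                       # no timestamp: continuation of the previous record
            records[-1] += " " + line
    return records

def parse(text):
    """Return one dict per recognised named event, with the fields the message carries."""
    events = []
    for rec in unwrap(text):
        for kind, rx in (("lame_server", LAME), ("bad_referral", BADREF)):
            m = rx.search(rec)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events

def summarize(events):
    """Lame servers per responding nameserver IP; bad referrals per parent zone."""
    lame = Counter(e["ip"] for e in events if e["kind"] == "lame_server")
    bad = Counter(e["parent"] for e in events if e["kind"] == "bad_referral")
    return lame, bad

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e)
    print(summarize(parse(SAMPLE)))
```

Run it against a real `named` log (or the messages syslog files) to see whether the same lame servers recur at the same times across hosts, which is the mail-triggered reverse-lookup pattern described above, or whether a burst of bad referrals lines up with other activity in the access logs.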