what is this weird unapproved update ? hack attempt or stupid w2k ? please help...

Kevin Darcy kcd at daimlerchrysler.com
Thu Jul 13 22:16:14 UTC 2000


It's almost certainly a W2K box -- the 5/10/60 minute timing is
characteristically W2Kish. Whether it's an internal or an external W2K box
is not 100% certain, but circumstantial evidence would probably point at your
internal box. If your Linux box were correctly configured, it would reject
any 10.0.0.x source-addressed packets on its external interface, wouldn't it?


- Kevin

Amir wrote:

> Hey all, I've been getting these weird update requests on my bind 8.2.2 running
> under rh6.2 ... my linux is a multihomed (10.0.0.x is MASQ'ed through my linux)
> now my 10.0.0.1 is a windows 2000 advanced server, and 10.0.0.2 is the linux
> MASQer with bind serving all the local hosts... can this be a spoofed update
> request coming from the internet?
> kyrandia is my local domain btw.. just something I wrote off the top of my
> mind.. it's not registered anywhere...
> thanks..
> Amir
>
> Jul 13 21:53:35 server named[592]: unapproved update from [10.0.0.1].4632 for kyrandia
> Jul 13 21:53:35 server named[592]: unapproved update from [10.0.0.1].4637 for 0.0.10.in-addr.arpa
> Jul 13 22:53:35 server named[592]: unapproved update from [10.0.0.1].4645 for kyrandia
> Jul 13 22:53:35 server named[592]: unapproved update from [10.0.0.1].4650 for 0.0.10.in-addr.arpa
> Jul 13 22:58:35 server named[592]: unapproved update from [10.0.0.1].4657 for kyrandia
> Jul 13 22:58:35 server named[592]: unapproved update from [10.0.0.1].4662 for 0.0.10.in-addr.arpa
> Jul 13 23:08:35 server named[592]: unapproved update from [10.0.0.1].4668 for kyrandia
> Jul 13 23:08:35 server named[592]: unapproved update from [10.0.0.1].4673 for 0.0.10.in-addr.arpa
> Jul 14 00:08:35 server named[592]: unapproved update from [10.0.0.1].4679 for kyrandia
> Jul 14 00:08:35 server named[592]: unapproved update from [10.0.0.1].4684 for 0.0.10.in-addr.arpa
> Jul 14 00:13:35 server named[592]: unapproved update from [10.0.0.1].4690 for kyrandia
> Jul 14 00:13:35 server named[592]: unapproved update from [10.0.0.1].4695 for 0.0.10.in-addr.arpa
> Jul 14 00:23:35 server named[592]: unapproved update from [10.0.0.1].4705 for kyrandia
> Jul 14 00:23:35 server named[592]: unapproved update from [10.0.0.1].4710 for 0.0.10.in-addr.arpa
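
The timing pattern mentioned in the reply can be checked mechanically. The following is an added example, not part of the original thread: it parses BIND 8 "unapproved update" syslog lines, groups them by source address, and tests whether the gaps between bursts all fall on the 5/10/60 minute schedule named above. The function names, the minimum of three gaps, and the year 2000 are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the log lines quoted in the post, rejoined onto single lines.
SAMPLE_LOG = """\
Jul 13 21:53:35 server named[592]: unapproved update from [10.0.0.1].4632 for kyrandia
Jul 13 21:53:35 server named[592]: unapproved update from [10.0.0.1].4637 for 0.0.10.in-addr.arpa
Jul 13 22:53:35 server named[592]: unapproved update from [10.0.0.1].4645 for kyrandia
Jul 13 22:58:35 server named[592]: unapproved update from [10.0.0.1].4657 for kyrandia
Jul 13 23:08:35 server named[592]: unapproved update from [10.0.0.1].4668 for kyrandia
Jul 14 00:08:35 server named[592]: unapproved update from [10.0.0.1].4679 for kyrandia
Jul 14 00:13:35 server named[592]: unapproved update from [10.0.0.1].4690 for kyrandia
Jul 14 00:23:35 server named[592]: unapproved update from [10.0.0.1].4705 for kyrandia
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"unapproved update from \[([\d.]+)\]\.\d+ for (\S+)$")

def burst_times(log, year=2000):
    """Map each source IP to its sorted, de-duplicated rejection timestamps."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Syslog omits the year; 2000 is assumed from the date of the post.
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[m.group(2)].add(stamp)  # forward and reverse zone share a stamp
    return {ip: sorted(stamps) for ip, stamps in seen.items()}

def gaps_minutes(times):
    """Whole minutes between consecutive bursts."""
    return [int((b - a).total_seconds()) // 60 for a, b in zip(times, times[1:])]

def fits_schedule(gaps, schedule=(5, 10, 60)):
    """True when there are at least three gaps and every one is in the schedule."""
    return len(gaps) >= 3 and set(gaps) <= set(schedule)

def summarize(log):
    """Return {source_ip: (gaps, fits_schedule)} for every rejected updater."""
    out = {}
    for ip, times in burst_times(log).items():
        gaps = gaps_minutes(times)
        out[ip] = (gaps, fits_schedule(gaps))
    return out

if __name__ == "__main__":
    for ip, (gaps, regular) in summarize(SAMPLE_LOG).items():
        print(ip, gaps, "periodic client retry" if regular else "irregular, look closer")
```

A match on the schedule only describes the sender's timing; whether the packets arrived on the internal or external interface still has to be established separately.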





