Hi Giobbi and Mark,

60.32.80.164 is sending continuous SSH requests to one of the NICs on
my machine. And this NIC is asking the local DNS, running on the
localhost, about forward and reverse lookups for incoming SSH
requests.

I thought of writing an iptables rule to restrict this above IP from
talking to my SSH port. I absent-mindedly locked myself out of the
machine.

Mark: It seems the above machine is also a Linux machine as its source
port was also getting repeated several times in successive incoming
packets.

Giobbi: Why is the "versions 2" option under the "logging" section stopping
the logs from being written to the log file?

kind regards,
Vishwas.

On 7/3/07, Mark Andrews wrote:
>
> > Hi All,
> > My BIND log is full of following entries.
> >
> > 03-Jul-2007 20:10:48.352 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
> > 03-Jul-2007 20:10:51.760 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
> > 03-Jul-2007 20:10:51.761 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
> > 03-Jul-2007 20:10:52.041 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
> > 03-Jul-2007 20:10:52.042 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
> > 03-Jul-2007 20:10:55.239 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
> > 03-Jul-2007 20:10:55.241 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
> > 03-Jul-2007 20:10:55.247 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
> > 03-Jul-2007 20:10:55.249 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
> > 03-Jul-2007 20:10:58.620 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
> > 03-Jul-2007 20:10:58.621 queries: info: client 127.0.0.1#38737: query: 164.80.32.60.in-addr.arpa IN PTR +
> > 03-Jul-2007 20:10:58.622 queries: info: client 127.0.0.1#38738: query: t-syr.com IN A +
> > 03-Jul-2007 20:10:58.624 queries: info: client 127.0.0.1#38739: query: t-syr.com IN A +
> >
> >
> > The port numbers 387** are opened by user "bind".
> > This is giving me a feeling that maybe my machine is compromised!?
> > Why should the BIND daemon continuously ask for t-syr.com? Probably
> > these DNS query packets are spoofed packets. Any comments?

>
> I suggest that you show how you worked that out.
>
> What I see is local clients doing reverse lookups on
> 60.32.80.164 and then validating the response. The above port
> pattern is typical of a Linux kernel that keeps reissuing
> the same port as long as it is free when the next socket
> is opened. This is really bad behaviour on the part of
> the kernel.
>

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
>



--
Best Regards,
Vishwas.
ivishwas.googlepages.com

I know quite certainly that I myself have no special talent;
curiosity, obsession and dogged endurance, combined with
self-criticism have brought me to my ideas. - Albert Einstein
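As an added example (not part of the thread, and not BIND's or ISC's code), the following script parses BIND query-log lines of the form quoted above and checks them for the pattern Mark describes: a PTR lookup of an address followed immediately by a forward (A) lookup that validates the returned name, with the same client port reused across successive sockets. The sample lines are the ones from the thread, joined onto single lines; the one-second pairing window and the field names in the summary are this example's own choices.

```python
"""Summarise BIND query-log lines: reverse-then-forward lookups and port reuse.

Added example for the thread above; parsing is done with a regular expression
written for the "queries: info: client IP#PORT: query: NAME IN TYPE FLAGS"
line format shown in the quoted log. The one-second pairing window is an
assumption made here, not a BIND setting.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the log lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
03-Jul-2007 20:10:48.352 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
03-Jul-2007 20:10:51.760 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:51.761 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
03-Jul-2007 20:10:52.041 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:52.042 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
03-Jul-2007 20:10:55.239 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:55.241 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
03-Jul-2007 20:10:55.247 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:55.249 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
03-Jul-2007 20:10:58.620 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:58.621 queries: info: client 127.0.0.1#38737: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:58.622 queries: info: client 127.0.0.1#38738: query: t-syr.com IN A +
03-Jul-2007 20:10:58.624 queries: info: client 127.0.0.1#38739: query: t-syr.com IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)$"
)

PAIR_WINDOW_SECONDS = 1.0  # assumption: how close a validating A query must follow its PTR


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["ts"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return d


def ptr_to_ipv4(qname):
    """Turn '164.80.32.60.in-addr.arpa' back into '60.32.80.164' (None if not IPv4 PTR)."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(log_text):
    """Count reverse-lookup targets, forward names, per-port query counts and PTR->A pairs."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])
    ptr_targets, a_names, client_ports = Counter(), Counter(), Counter()
    pairs = 0
    for i, e in enumerate(entries):
        client_ports[(e["ip"], e["port"])] += 1
        if e["qtype"] == "PTR":
            ip = ptr_to_ipv4(e["qname"])
            if ip:
                ptr_targets[ip] += 1
            # A PTR immediately followed by an A query from the same resolver client
            # within the window is the "reverse lookup, then validate" pattern.
            if i + 1 < len(entries):
                nxt = entries[i + 1]
                gap = (nxt["ts"] - e["ts"]).total_seconds()
                if nxt["qtype"] == "A" and nxt["ip"] == e["ip"] and gap <= PAIR_WINDOW_SECONDS:
                    pairs += 1
        elif e["qtype"] == "A":
            a_names[e["qname"]] += 1
    return {
        "total": len(entries),
        "ptr_targets": dict(ptr_targets),
        "a_names": dict(a_names),
        "client_ports": dict(client_ports),
        "distinct_ports": len(client_ports),
        "reverse_then_forward_pairs": pairs,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} queries from {s['distinct_ports']} client port(s)")
    for ip, n in s["ptr_targets"].items():
        print(f"  reverse lookups of {ip}: {n}")
    for name, n in s["a_names"].items():
        print(f"  forward lookups of {name}: {n}")
    print(f"  PTR immediately followed by validating A query: {s['reverse_then_forward_pairs']}")
```

On the quoted lines the script reports all 13 queries coming from only four client ports, six reverse lookups of 60.32.80.164, seven forward lookups of t-syr.com, and five PTR queries immediately followed by an A query. That is the signature of a local service (OpenSSH with UseDNS does exactly this) resolving the name of each incoming connection and then checking that the name resolves back, rather than of spoofed traffic aimed at BIND; the thing to investigate is the connecting address, not the resolver.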