In message <[log in to unmask]> you write:
>Last night someone in the UK did a zone transfer to fetch our name
>server data. This is not a normal name server operation unless the
>fetching system is one of your secondaries, and unless U of T has
>made new arrangements, this system isn't; it is, however, sometimes
>a sign of a bad guy trying to gather data to aid in an attack.
Yes, you're probably right. Perhaps the admins of that machine should be
notified?
>Has anyone else seen any unexpected zone transfers lately?
>
>The offending transfers happened at 2242 for hprc.toronto.edu and
>2305 for utirc.toronto.edu, and came from 194.72.238.4, which is
>ns0.netcraft.co.uk.
CDF's came at 2231. It's the only recorded suspicious zone transfer in
our logs since Jul 2.
>(No probes for utoronto.ca. Can we start a new pointless argument
>that claims that toronto.edu isn't as safe because more bad guys
>probe it?)
Ha! Good one. :-)
Regards,
John
--
John DiMarco <[log in to unmask]> Office: EA201B
Computing Disciplines Facility Systems Manager Phone: 416-978-1928
University of Toronto Fax: 416-978-1931
http://www.cdf.toronto.edu/~jdd
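
The check discussed in this message (a zone transfer is expected only when the requester is one of your secondaries), as an added example that is not part of the original e-mail. It assumes BIND 9 style log lines, which are not necessarily what the posters' servers wrote; the sample log, its date and ports, and the 192.0.2.53 secondary are constructed.

```python
import ipaddress
import re

# Assumed BIND 9 log shapes; adapt the patterns to your name server.
CLIENT = r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+.*?: "
SERVED = re.compile(CLIENT + r"transfer of '(?P<zone>[^/']+)/IN': "
                    r"(?:AXFR-style IXFR|AXFR|IXFR) started")
DENIED = re.compile(CLIENT + r"zone transfer '(?P<zone>[^/']+)/(?:AXFR|IXFR)/IN' denied")

# Constructed sample: the client address and zone names come from the thread;
# the date, ports, log wording and the 192.0.2.53 secondary are made up.
SAMPLE_LOG = """\
01-Jan-2000 21:00:07.101 xfer-out: info: client 192.0.2.53#40112 (hprc.toronto.edu): transfer of 'hprc.toronto.edu/IN': AXFR started
01-Jan-2000 22:42:15.480 xfer-out: info: client 194.72.238.4#41022 (hprc.toronto.edu): transfer of 'hprc.toronto.edu/IN': AXFR started
01-Jan-2000 22:42:15.502 xfer-out: info: client 194.72.238.4#41022 (hprc.toronto.edu): transfer of 'hprc.toronto.edu/IN': AXFR ended
01-Jan-2000 23:05:44.913 security: error: client 194.72.238.4#41187 (utirc.toronto.edu): zone transfer 'utirc.toronto.edu/AXFR/IN' denied
"""

def unexpected_transfers(lines, secondaries):
    """Return (timestamp, client, zone, outcome) for requests not from a secondary."""
    allowed = [ipaddress.ip_network(s) for s in secondaries]
    findings = []
    for line in lines:
        for outcome, pattern in (("served", SERVED), ("denied", DENIED)):
            m = pattern.search(line)
            if m is None:
                continue
            try:
                client = ipaddress.ip_address(m["ip"])
            except ValueError:
                continue  # the pattern matched something that is not an address
            if any(client in net for net in allowed):
                continue  # expected: one of our own secondaries
            stamp = " ".join(line.split()[:2])
            findings.append((stamp, str(client), m["zone"], outcome))
    return findings

if __name__ == "__main__":
    for finding in unexpected_transfers(SAMPLE_LOG.splitlines(), ["192.0.2.53/32"]):
        print(*finding)
```

A "served" finding means zone data actually left the server to a host that is not a secondary, so restricting transfers to the secondaries in the server configuration is the follow-up; a "denied" finding is the same kind of request already being refused.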