In message <[log in to unmask]> you write:
>Last night someone in the UK did a zone transfer to fetch our name
>server data. This is not a normal name server operation unless the
>fetching system is one of your secondaries, and unless U of T has
>made new arrangements, this system isn't; it is, however, sometimes
>a sign of a bad guy trying to gather data to aid in an attack.

Yes, you're probably right. Perhaps the admins of that machine should be
notified?

>Has anyone else seen any unexpected zone transfers lately?
>
>The offending transfers happened at 2242 for hprc.toronto.edu and
>2305 for utirc.toronto.edu, and came from 194.72.238.4, which is
>ns0.netcraft.co.uk.

CDF's came at 2231. It's the only recorded suspicious zone transfer in our
logs since Jul 2.

>(No probes for utoronto.ca. Can we start a new pointless argument
>that claims that toronto.edu isn't as safe because more bad guys
>probe it?)

Ha! Good one. :-)

Regards,

John
--
John DiMarco <[log in to unmask]>                Office: EA201B
Computing Disciplines Facility Systems Manager  Phone: 416-978-1928
University of Toronto                           Fax: 416-978-1931
http://www.cdf.toronto.edu/~jdd
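
The check discussed in this thread (a zone transfer is only expected when it comes from one of your secondaries), written as an added example that is not part of the original message. It assumes BIND 9 style transfer log lines, which the thread does not show; the secondary addresses, zone names and log lines are constructed.

```python
import ipaddress
import re

# Assumption: BIND 9 style xfer-out lines; the thread does not show its log format.
XFER_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"transfer of '(?P<zone>[^'/]+)/IN': (?P<kind>AXFR|IXFR) started"
)

# Constructed allow-list: addresses of our own secondaries (documentation ranges).
SECONDARIES = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "198.51.100.0/28")]

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = """\
08-Jul-2024 22:31:07.101 client 192.0.2.53#40112: transfer of 'example.edu/IN': AXFR started
08-Jul-2024 22:42:19.554 client @0x7f1c 203.0.113.4#51515 (lab.example.edu): transfer of 'lab.example.edu/IN': AXFR started
08-Jul-2024 22:50:00.000 client 198.51.100.7#33001: transfer of 'example.edu/IN': IXFR started
08-Jul-2024 23:05:44.812 client 203.0.113.4#51620: transfer of 'dept.example.edu/IN': AXFR started
08-Jul-2024 23:06:00.000 client 203.0.113.9#1234: query: example.edu IN A
"""

def unexpected_transfers(log_text, secondaries=SECONDARIES):
    """Return (ip, zone, kind) for each transfer from a host that is not a secondary."""
    hits = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue  # not a transfer-start line
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if not any(src in net for net in secondaries):
            hits.append((str(src), m.group("zone"), m.group("kind")))
    return hits

if __name__ == "__main__":
    for ip, zone, kind in unexpected_transfers(SAMPLE_LOG):
        print(f"unexpected {kind} of {zone} from {ip}")
```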