Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Is this a microsoft exploit scan of my DNS? 1

Status
Not open for further replies.
squest

squest

Technical User
Apr 2, 2011
4
0
0
US
I am seeing an incredible number of bogus tertiary domain queries on my master and slave nameservers, but exclusively just for one specific domain, for which I have the SOA. These queries come from commercial ISP nameservers as well as they appear to also be coming from residential DSL and cable modem IP assignments. Granted, they aren't really hurting anything by making these bogus queries, but I'm just exceedingly curious as to what this is all about, is there some new microsoft exploit being probed that nobody is as yet aware of? Googling for the answer gave me no results. Take a look at this and tell me what you guys think (sorted by IP and filtered to show only one unique query per IP involved, but I assure you, they make these same queries over and over non-stop, going on now for weeks).

Code: 
216.195.0.140   VHS18.MYDOMAIN.COM
216.195.0.140   _ldap._tcp.dc._msdcs.MYDOMAIN.COM
216.195.0.140   _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
216.195.0.161   VHS18.MYDOMAIN.COM
216.195.0.161   _kerberos._tcp.dc._msdcs.MYDOMAIN.COM
216.195.0.161   _ldap._tcp.dc._msdcs.MYDOMAIN.COM
216.195.0.161   _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
216.195.0.161   _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
216.195.0.161   data.MYDOMAIN.COM
216.195.0.161   wpad.MYDOMAIN.COM
216.195.0.163   VHS18.MYDOMAIN.COM
216.195.0.163   _ldap._tcp.dc._msdcs.MYDOMAIN.COM
216.195.0.163   _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
216.195.0.165   VHS18.MYDOMAIN.COM
216.195.0.165   _kerberos._tcp.dc._msdcs.MYDOMAIN.COM
216.195.0.165   _ldap._tcp.dc._msdcs.MYDOMAIN.COM
216.195.0.165   _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
216.195.0.165   _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
216.195.0.165   data.MYDOMAIN.COM
216.195.0.165   ghm.static.zmh.zope.net.MYDOMAIN.COM
216.195.0.165   wpad.MYDOMAIN.COM
216.195.12.119  VHS18.MYDOMAIN.COM
216.195.12.119  _ldap._tcp.dc._msdcs.MYDOMAIN.COM
216.195.12.119  _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
216.195.12.119  _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
216.195.12.119  data.MYDOMAIN.COM
216.195.12.119  wpad.MYDOMAIN.COM
24.159.64.15    MY2003.MYDOMAIN.COM
24.159.64.15    STAFF02.MYDOMAIN.COM
24.159.64.15    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
24.159.64.15    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
24.159.64.15    staff02.MYDOMAIN.COM
24.159.64.16    MY2003.MYDOMAIN.COM
24.159.64.17    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
24.159.64.17    _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
24.159.64.19    MY2003.MYDOMAIN.COM
24.159.64.19    STAFF02.MYDOMAIN.COM
24.159.64.19    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
24.159.64.19    _ldap._tcp.Default-First-Site-Name._sites.STAFF01.MYDOMAIN.COM
24.159.64.20    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
24.159.64.20    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
24.159.64.20    isatap.MYDOMAIN.COM
24.159.64.21    MY2003.MYDOMAIN.COM
24.159.64.21    SPEDLAP13.MYDOMAIN.COM
24.159.64.21    STAFF02.MYDOMAIN.COM
24.159.64.21    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
24.159.64.21    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
24.159.64.21    _ldap._tcp.pdc._msdcs.STUDENT.MYDOMAIN.COM
24.159.64.21    isatap.MYDOMAIN.COM
24.159.64.22    BRW_C63BFE.MYDOMAIN.COM
24.159.64.22    MY2003.MYDOMAIN.COM
24.159.64.22    VHS21.STUDENT.MYDOMAIN.COM
24.159.64.22    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
24.159.64.22    isatap.MYDOMAIN.COM
24.159.64.22    wpad.STUDENT.MYDOMAIN.COM
24.247.24.39    SPEDLAP13.MYDOMAIN.COM
24.247.24.39    STAFF02.MYDOMAIN.COM
24.247.24.39    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
24.247.24.39    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
24.247.24.39    isatap.MYDOMAIN.COM
24.247.24.41    BRW_C63BFE.MYDOMAIN.COM
24.247.24.41    MY2003.MYDOMAIN.COM
24.247.24.41    STAFF02.MYDOMAIN.COM
24.247.24.41    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
24.247.24.41    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
24.247.24.41    isatap.MYDOMAIN.COM
24.247.24.55    BRW_C63BFE.MYDOMAIN.COM
24.247.24.55    MY2003.MYDOMAIN.COM
24.247.24.55    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
24.247.24.61    STAFF02.MYDOMAIN.COM
24.247.24.61    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
24.247.24.61    _ldap._tcp.Default-First-Site-Name._sites.STAFF01.MYDOMAIN.COM
24.247.24.61    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.101    BRW_C63BFE.MYDOMAIN.COM
66.189.0.101    MY2003.MYDOMAIN.COM
66.189.0.101    SPEDLAP13.MYDOMAIN.COM
66.189.0.101    STAFF01.MYDOMAIN.COM
66.189.0.101    STAFF02.MYDOMAIN.COM
66.189.0.101    VHS27.STUDENT.MYDOMAIN.COM
66.189.0.101    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.101    _kerberos._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.Default-First-Site-Name._sites.STAFF01.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.STAFF01.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.dc._msdcs.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
66.189.0.101    _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
66.189.0.101    isatap.MYDOMAIN.COM
66.189.0.101    technas.MYDOMAIN.COM
66.189.0.101    wpad.MYDOMAIN.COM
66.189.0.102    BRW_C63BFE.MYDOMAIN.COM
66.189.0.102    MY2003.MYDOMAIN.COM
66.189.0.102    SPEDLAP13.MYDOMAIN.COM
66.189.0.102    STAFF01.MYDOMAIN.COM
66.189.0.102    STAFF02.MYDOMAIN.COM
66.189.0.102    VHS21.STUDENT.MYDOMAIN.COM
66.189.0.102    VHS27.STUDENT.MYDOMAIN.COM
66.189.0.102    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.102    _kerberos._tcp.dc._msdcs.MYDOMAIN.COM
66.189.0.102    _kerberos._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.Default-First-Site-Name._sites.STAFF01.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.STAFF01.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.dc._msdcs.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
66.189.0.102    _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
66.189.0.102    isatap.MYDOMAIN.COM
66.189.0.102    staff02.MYDOMAIN.COM
66.189.0.102    std2.MYDOMAIN.COM
66.189.0.102    wpad.MYDOMAIN.COM
66.189.0.103    BRW_C63BFE.MYDOMAIN.COM
66.189.0.103    SPEDLAP13.MYDOMAIN.COM
66.189.0.103    STAFF01.MYDOMAIN.COM
66.189.0.103    STAFF02.MYDOMAIN.COM
66.189.0.103    _kerberos._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.103    _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
66.189.0.103    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
66.189.0.103    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.103    _ldap._tcp.MYDOMAIN.COM
66.189.0.103    _ldap._tcp.dc._msdcs.MYDOMAIN.COM
66.189.0.103    _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.103    _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
66.189.0.103    _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
66.189.0.103    isatap.MYDOMAIN.COM
66.189.0.103    staff02.STUDENT.MYDOMAIN.COM
66.189.0.103    std1.STUDENT.MYDOMAIN.COM
66.189.0.103    technas.MYDOMAIN.COM
66.189.0.103    wpad.MYDOMAIN.COM
66.189.0.104    BRW_C63BFE.MYDOMAIN.COM
66.189.0.104    MY2003.MYDOMAIN.COM
66.189.0.104    SPEDLAP13.MYDOMAIN.COM
66.189.0.104    STAFF01.MYDOMAIN.COM
66.189.0.104    STAFF02.MYDOMAIN.COM
66.189.0.104    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.104    _kerberos._tcp.dc._msdcs.MYDOMAIN.COM
66.189.0.104    _kerberos._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.dc._msdcs.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
66.189.0.104    _ldap._tcp.pdc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.104    isatap.MYDOMAIN.COM
66.189.0.104    staff02.STUDENT.MYDOMAIN.COM
66.189.0.104    std2.MYDOMAIN.COM
66.189.0.104    technas.MYDOMAIN.COM
66.189.0.105    BRW_C63BFE.MYDOMAIN.COM
66.189.0.105    MY2003.MYDOMAIN.COM
66.189.0.105    STAFF01.MYDOMAIN.COM
66.189.0.105    STAFF02.MYDOMAIN.COM
66.189.0.105    VHS27.STUDENT.MYDOMAIN.COM
66.189.0.105    _kerberos._tcp.dc._msdcs.MYDOMAIN.COM
66.189.0.105    _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
66.189.0.105    _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
66.189.0.105    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
66.189.0.105    _ldap._tcp.MYDOMAIN.COM
66.189.0.105    _ldap._tcp.dc._msdcs.MYDOMAIN.COM
66.189.0.105    _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
66.189.0.105    _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
66.189.0.105    isatap.MYDOMAIN.COM
66.189.0.105    staff02.MYDOMAIN.COM
66.189.0.105    staff02.STUDENT.MYDOMAIN.COM
66.189.0.105    std1.MYDOMAIN.COM
66.189.0.105    std1.STUDENT.MYDOMAIN.COM
66.189.0.105    std2.MYDOMAIN.COM
66.189.0.105    technas.MYDOMAIN.COM
66.189.0.105    wpad.MYDOMAIN.COM
68.237.161.36   _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
68.237.161.36   _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
68.237.161.36   _ldap._tcp.pdc._msdcs.STUDENT.MYDOMAIN.COM
68.237.161.36   isatap.MYDOMAIN.COM
68.237.161.36   pltwlap10.STUDENT.MYDOMAIN.COM
68.237.161.37   %5e%5estore_domain%5e%5e.STUDENT.MYDOMAIN.COM
68.237.161.37   _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
68.237.161.37   _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
68.237.161.37   isatap.MYDOMAIN.COM
68.237.161.37   pltwlap10.STUDENT.MYDOMAIN.COM
68.237.161.38   %5e%5estore_domain%5e%5e.MYDOMAIN.COM
68.237.161.38   _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
68.237.161.38   _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
68.237.161.38   isatap.MYDOMAIN.COM
68.237.161.38   pltwlap10.STUDENT.MYDOMAIN.COM
68.237.161.39   _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
68.237.161.39   _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
68.237.161.39   _ldap._tcp.pdc._msdcs.STUDENT.MYDOMAIN.COM
68.237.161.40   _kerberos._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
68.237.161.40   _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
68.237.161.40   _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
68.237.161.40   isatap.MYDOMAIN.COM
68.237.161.40   pltwlap10.STUDENT.MYDOMAIN.COM
68.87.71.227    STAFF02.MYDOMAIN.COM
68.87.71.228    STAFF02.MYDOMAIN.COM
68.87.71.232    STAFF02.MYDOMAIN.COM
68.87.71.232    isatap.MYDOMAIN.COM
68.87.71.232    wpad.MYDOMAIN.COM
71.243.0.36     %5e%5estore_domain%5e%5e.MYDOMAIN.COM
71.243.0.36     Grant1.MYDOMAIN.COM
71.243.0.36     OWNER-PC.MYDOMAIN.COM
71.243.0.36     SPEDLT11.MYDOMAIN.COM
71.243.0.36     STAFF02.MYDOMAIN.COM
71.243.0.36     _kerberos._tcp.dc._msdcs.MYDOMAIN.COM
71.243.0.36     _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
71.243.0.36     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
71.243.0.36     _ldap._tcp.MYDOMAIN.COM
71.243.0.36     _ldap._tcp.dc._msdcs.MYDOMAIN.COM
71.243.0.36     _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
71.243.0.36     _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
71.243.0.36     _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
71.243.0.36     facebook.MYDOMAIN.COM
71.243.0.36     isatap.MYDOMAIN.COM
71.243.0.36     staffgpo.MYDOMAIN.COM
71.243.0.36     technas.MYDOMAIN.COM
71.243.0.36     wpad.MYDOMAIN.COM
71.243.0.37     Grant1.MYDOMAIN.COM
71.243.0.37     Grant6.MYDOMAIN.COM
71.243.0.37     SPEDLT11.MYDOMAIN.COM
71.243.0.37     _kerberos._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
71.243.0.37     _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
71.243.0.37     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
71.243.0.37     _ldap._tcp.MYDOMAIN.COM
71.243.0.37     _ldap._tcp.dc._msdcs.MYDOMAIN.COM
71.243.0.37     _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
71.243.0.37     _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
71.243.0.37     _ldap._tcp.pdc._msdcs.STUDENT.MYDOMAIN.COM
71.243.0.37     isatap.MYDOMAIN.COM
71.243.0.37     mms.MYDOMAIN.COM
71.243.0.37     pltwlap10.STUDENT.MYDOMAIN.COM
71.243.0.37     staffgpo.MYDOMAIN.COM
71.243.0.37     wpad.MYDOMAIN.COM
71.243.0.38     %5e%5estore_domain%5e%5e.STUDENT.MYDOMAIN.COM
71.243.0.38     Grant1.MYDOMAIN.COM
71.243.0.38     Grant6.MYDOMAIN.COM
71.243.0.38     OWNER-PC.MYDOMAIN.COM
71.243.0.38     SPEDLT11.MYDOMAIN.COM
71.243.0.38     STAFF02.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.dc._msdcs.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
71.243.0.38     _ldap._tcp.pdc._msdcs.STUDENT.MYDOMAIN.COM
71.243.0.38     isatap.MYDOMAIN.COM
71.243.0.38     pltwlap10.STUDENT.MYDOMAIN.COM
71.243.0.38     staffgpo.MYDOMAIN.COM
71.243.0.38     wpad.MYDOMAIN.COM
71.243.0.39     Grant1.MYDOMAIN.COM
71.243.0.39     MYdata.MYDOMAIN.COM
71.243.0.39     OWNER-PC.MYDOMAIN.COM
71.243.0.39     SPEDLT11.MYDOMAIN.COM
71.243.0.39     _kerberos._tcp.dc._msdcs.MYDOMAIN.COM
71.243.0.39     _kerberos._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
71.243.0.39     _ldap._tcp.33c5e987-35cd-49b4-a8f8-73c47f609a58.domains._msdcs.MYDOMAIN.COM
71.243.0.39     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
71.243.0.39     _ldap._tcp.MYDOMAIN.COM
71.243.0.39     _ldap._tcp.dc._msdcs.MYDOMAIN.COM
71.243.0.39     _ldap._tcp.dc._msdcs.STUDENT.MYDOMAIN.COM
71.243.0.39     _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
71.243.0.39     _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
71.243.0.39     isatap.MYDOMAIN.COM
71.243.0.39     mms.STUDENT.MYDOMAIN.COM
71.243.0.39     pltwlap10.STUDENT.MYDOMAIN.COM
71.243.0.39     staffgpo.MYDOMAIN.COM
71.243.0.39     wpad.MYDOMAIN.COM
71.250.0.36     Grant1.MYDOMAIN.COM
71.250.0.36     Grant6.MYDOMAIN.COM
71.250.0.36     OWNER-PC.MYDOMAIN.COM
71.250.0.36     SPEDLT11.MYDOMAIN.COM
71.250.0.36     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
71.250.0.36     _ldap._tcp.MYDOMAIN.COM
71.250.0.36     _ldap._tcp.dc._msdcs.MYDOMAIN.COM
71.250.0.36     _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
71.250.0.36     _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
71.250.0.36     isatap.MYDOMAIN.COM
71.250.0.36     staffgpo.MYDOMAIN.COM
71.250.0.36     wpad.MYDOMAIN.COM
71.250.0.37     Grant1.MYDOMAIN.COM
71.250.0.37     SPEDLT11.MYDOMAIN.COM
71.250.0.37     _kerberos._tcp.dc._msdcs.MYDOMAIN.COM
71.250.0.37     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
71.250.0.37     _ldap._tcp.MYDOMAIN.COM
71.250.0.37     _ldap._tcp.dc._msdcs.MYDOMAIN.COM
71.250.0.37     _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
71.250.0.37     _ldap._tcp.pdc._msdcs.MYDOMAIN.COM
71.250.0.37     facebook.MYDOMAIN.COM
71.250.0.37     isatap.MYDOMAIN.COM
71.250.0.37     staffgpo.MYDOMAIN.COM
71.250.0.37     technas.MYDOMAIN.COM
71.250.0.37     wpad.MYDOMAIN.COM
71.250.0.38     Grant1.MYDOMAIN.COM
71.250.0.38     OWNER-PC.MYDOMAIN.COM
71.250.0.38     SPEDLT11.MYDOMAIN.COM
71.250.0.38     STAFF02.MYDOMAIN.COM
71.250.0.38     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MYDOMAIN.COM
71.250.0.38     _ldap._tcp.dc._msdcs.MYDOMAIN.COM
71.250.0.38     _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
71.250.0.38     staffgpo.MYDOMAIN.COM
71.250.0.38     wpad.MYDOMAIN.COM
71.250.0.39     Grant1.MYDOMAIN.COM
71.250.0.39     Grant6.MYDOMAIN.COM
71.250.0.39     MYdata.MYDOMAIN.COM
71.250.0.39     OWNER-PC.MYDOMAIN.COM
71.250.0.39     SPEDLT11.MYDOMAIN.COM
71.250.0.39     STAFF02.MYDOMAIN.COM
71.250.0.39     _ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.COM
71.250.0.39     _ldap._tcp.MYDOMAIN.COM
71.250.0.39     _ldap._tcp.dc._msdcs.MYDOMAIN.COM
71.250.0.39     _ldap._tcp.e3ad7dba-7dab-4536-b71e-6636157e0cda.domains._msdcs.MYDOMAIN.COM
71.250.0.39     isatap.MYDOMAIN.COM
71.250.0.39     staffgpo.MYDOMAIN.COM
71.250.0.39     wpad.MYDOMAIN.COM
76.96.5.198     STAFF02.MYDOMAIN.COM
76.96.5.200     isatap.MYDOMAIN.COM
76.96.5.200     wpad.MYDOMAIN.COM
76.96.5.201     STAFF02.MYDOMAIN.COM
76.96.5.201     isatap.MYDOMAIN.COM
76.96.5.201     wpad.MYDOMAIN.COM

Now before anyone tells me to just DROP rule them in iptables, remember that many of these appear to be large commercial ISPs, so dropping them from both my master AND slave would prevent any legitimate queries from these ISPs as well. Mostly I just want to know what this is and/or make people aware of this, if it is an emerging exploit issue. Thanks! By the way, below is a sorted resolve for the IPs in the above list that actually have PTR records.

ns5a.townisp.com.
ns6.townisp.com.
ns7.townisp.com.
ns8.townisp.com.
town119.shrewsbury-ma.gov.
pxy06jcsntn.jcsn.tn.charter.com.
pxy07jcsntn.jcsn.tn.charter.com.
pxy05jcsntn.jcsn.tn.charter.com.
pxy01jcsntn.jcsn.tn.charter.com.
pxy02jcsntn.jcsn.tn.charter.com.
pxy03jcsntn.jcsn.tn.charter.com.
pxy04jcsntn.jcsn.tn.charter.com.
pxy01bycymi.bycy.mi.charter.com.
pxy03bycymi.bycy.mi.charter.com.
pxy02bycymi.bycy.mi.charter.com.
pxy04bycymi.bycy.mi.charter.com.
pxy01oxfrma.oxfr.ma.charter.com.
pxy02oxfrma.oxfr.ma.charter.com.
pxy03oxfrma.oxfr.ma.charter.com.
pxy04oxfrma.oxfr.ma.charter.com.
pxy05oxfrma.oxfr.ma.charter.com.
chlm-nrcns01.chelmsfdrdc2.ma.boston.comcast.net.
chlm-nrcns02.chelmsfdrdc2.ma.boston.comcast.net.
chlm-cns02.chelmsfdrdc2.ma.boston.comcast.net.
chlm-cns03.chelmsfdrdc2.ma.boston.comcast.net.
chlm-cns04.chelmsfdrdc2.ma.boston.comcast.net.
 
Sort by date Sort by votes
It looks like some form of bot that is performing reconnaissance, looking for places to try a more targeted exploit.

The reason I say this is that a lot of the queries contain ldap, kerberos, and student. This to me suggests that it is looking for a hit on something that contains a larger network with centralized authentication.

The fact that it hops around using different IPs suggests that you may be targeted by a botnet that is being directed from a centralized location, such as through an IRC channel.

That it is gentle probing, not DOS type traffic says that it is reconnaissance, that as your devshed post on this subject indicates unless you were specifically looking for it, or being vigilant in your log watching, you wouldn't notice it.
 
Upvote 0 Downvote
I will agree this is probably what is happening, but why do you suppose they relentlessly query over and over, day after day, the same queries? Wouldn't running just one scan be enough?

One thought I had was they are anticipating me adding a new service, then they find it right away, before I can configure it and get in under the default and "own" it.

Given that I can't blackhole queries from major ISPs there's nothing I can do about it but watch the queries come in every few minutes. Silly behavior on their part I think. Still, it's just one domain out of 60+ domains on that resolver, wonder what made them pick on that one, when we host a lot of bigger and more interesting/exploitable companies than that one. :p
 
Upvote 0 Downvote
You might find this thread of interest:
Specifically, the last post by unSpawn, which discusses a concept called using the autonomous system number to get the IP range of a provider and using this information to block them in iptables. You mentioned not wanting to block major ISPs and you might not have to. You might be able to target a small subset where the traffic is coming from. This may be enough to cause them to go away. You could further tune the system like adding rate limiting and looking only for DNS queries, etc. Left in place for a while, it may discourage the activity.

I am not sure why it would continue day after day, but this supports the thinking that it is a bot program, one without any real intelligence behind it. I had something like that recently at work, where a compromised(?) PC would scan another one day, after day, after day, and wouldn't accept the error response.

You could also look at using something like fail2ban, or other program with a temporary active response. These program swill scan the log files and can pattern match against rules written in regex. They will then ban the said IP for a period of time, typically 10 minutes, but you can increase it. You will probably need to write your own rules given the nature of the traffic, but it might be enough to make it stop for a while after a hit or two.
 
Upvote 0 Downvote
I believe I have finally identified what this is. I believe what I have been experiencing is an exploit of a stack overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. I am not an expert in Windows as I've never personally used a Windows computer of any kind (lucky me) so maybe someone in this thread can help me out with this? The exploit is listed in the Metasploit Framework as "Microsoft Workstation Service NetpManageIPCConnect Overflow".
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

KenMeans
  • Locked
  • Question
DNS Issues with wireless router behind Atlantic Broad band Business Modem
Replies
0
Views
2K
KenMeans
KenMeans
alpha76
  • Locked
  • Question
Advice on DNS setup/configuration
Replies
3
Views
2K
technome
technome
Propus Gemini
  • Locked
  • Question
BIND don't resolve Microsoft Teams URL
Replies
1
Views
2K
iggsterman
iggsterman
tbright
  • Locked
  • Question
DNS reverse lookup errors: zone 1.168.192.in-addr.arpa/IN: has no NS records
Replies
1
Views
3K
tbright
tbright
tomsmiths
  • Locked
  • Question
Unable to access my router
Replies
1
Views
2K
MarkSweetland
MarkSweetland

Part and Inventory Search

Sponsor

Back
Top