The scan is far from complete, but early results are the following top results:
97087 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
61689 dnsmasq-2.52
56813 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6
42333 dnsmasq-2.40
35749 9.7.3
31467 none
25535 yamutech-bind
24592 Nominum Vantio 5.3.0.0
24193 dnsmasq-2.51
23174 skbroadband
20005 Nominum Vantio 4.3.0.2
19836 9.8.1-P1
18790 Cyber World Leader Kornet!
17901 Why query me?Your IP had been logged!
17137 unknown
15553 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4
14760 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.5
13178 dnsmasq-2.45
13089 dnsmasq-2.48
11498 Hello!
These are the raw strings, which have narrow version numbers. I need to re-process this to get distinct products like "Nominum" or "dnsmasq" or "BIND". BIND (with numbers like 9.7.3) appears to be the leader so far. The 'dnsmasq' system is not a server but a forwarder often used in home gateways. This tells me that there are a bazillion home devices that can be exploited for bad stuff like DNS reflection.
I'm sending a packet that is equivalent to "dig chaos txt version.bind" at every IP address, 0.0.0.0/0, minus our "exclude" ranges of people who have asked us not to scan them. I'm using the code at https://github.com/robertdavidgraham/masscan, with the settings "-pU:53 --banners".
Our scans are coming from 209.126.230.72. This has changed from our previous scans (from v), but we won't be changing it again for a long time. It's a good IP address to add to your firewalls if you want to opt-out of our scans. Also, you can just email us and we'll add you to our exclude list.
Our scans are coming from 209.126.230.72. This has changed from our previous scans (from v), but we won't be changing it again for a long time. It's a good IP address to add to your firewalls if you want to opt-out of our scans. Also, you can just email us and we'll add you to our exclude list.
Here is what it looks like from our end - if you're curious. This is for 4 non sequential /24's.
ReplyDeletehttp://imgur.com/2ticeFM
What timezone is that?
ReplyDelete