Strange connections - bind exploit?

Mark_Andrews at isc.org
Wed Jun 19 08:06:24 UTC 2002


> Hi!
> 
> I've noticed some strange connection attempts via UDP from my bind 8.
> It tries to contact many closed ports, increasing the port number and trying
> again; logs look like this:
> 
> Jun 17 11:01:54 brown /kernel: Connection attempt to UDP 127.0.0.1:3202 from 127.0.0.1:53
> Jun 17 11:26:56 brown /kernel: Connection attempt to UDP 127.0.0.1:3427 from 127.0.0.1:53
> Jun 17 11:56:44 brown /kernel: Connection attempt to UDP 127.0.0.1:3529 from 127.0.0.1:53
> Jun 17 12:26:44 brown /kernel: Connection attempt to UDP 127.0.0.1:3582 from 127.0.0.1:53
> 
> and it may end at sth like 8000 UDP port. It happens irregularly; sometimes
> the port number gradient is different (10 or 1).
> 
> My question is whether those connection attempts are the result of bind working
> properly, or whether it may be some kind of exploit or trojan horse using my bind
> daemon?
> 
> Adam

	No. They are normal. All it indicates is that the client stopped
	listening before named sent its response.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org


More information about the bind-users mailing list
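
The following triage script is an added example, not part of the original thread and not ISC code. It parses kernel closed-port lines in the format quoted above and separates entries that fit the reply's explanation (source port 53, destination an unprivileged port the client has already closed) from entries that do not. The first four sample lines are the ones quoted in the thread; the rest are constructed, and the names `classify`, `summarize`, and the labels are hypothetical.

```python
import re
from collections import Counter

# Matches lines shaped like the ones quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s/kernel:\s"
    r"Connection attempt to UDP (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

# First four lines: from the thread. Last three: constructed for illustration.
SAMPLE_LOG = """\
Jun 17 11:01:54 brown /kernel: Connection attempt to UDP 127.0.0.1:3202 from 127.0.0.1:53
Jun 17 11:26:56 brown /kernel: Connection attempt to UDP 127.0.0.1:3427 from 127.0.0.1:53
Jun 17 11:56:44 brown /kernel: Connection attempt to UDP 127.0.0.1:3529 from 127.0.0.1:53
Jun 17 12:26:44 brown /kernel: Connection attempt to UDP 127.0.0.1:3582 from 127.0.0.1:53
Jun 17 12:40:02 brown /kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:40211
Jun 17 12:41:10 brown /kernel: Connection attempt to UDP 192.0.2.10:53 from 198.51.100.7:53
Jun 17 12:45:00 brown named[102]: constructed unrelated line
"""

def classify(line):
    """Return a dict for a closed-port UDP log line, or None if it is another kind of line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    # A datagram from port 53 to an unprivileged port is the shape of a DNS
    # response whose requesting socket has already gone away (the case the
    # reply describes). Anything else is left for a human to look at.
    label = "late-dns-reply" if sport == 53 and dport >= 1024 else "review"
    return {
        "ts": m["ts"],
        "src": f'{m["src"]}:{sport}',
        "dst": f'{m["dst"]}:{dport}',
        "label": label,
    }

def summarize(text):
    """Count events per label and return the ones that need a closer look."""
    events = [e for e in map(classify, text.splitlines()) if e is not None]
    counts = Counter(e["label"] for e in events)
    return counts, [e for e in events if e["label"] == "review"]

if __name__ == "__main__":
    counts, review = summarize(SAMPLE_LOG)
    print(dict(counts))
    for e in review:
        print("review:", e["ts"], e["src"], "->", e["dst"])
```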