Compromised BIND?

Frank Bulk frnkblk at iname.com
Wed Jun 1 04:30:55 UTC 2011 

Yes, this message arrived in my Inbox 44 minutes after it was sent.

Frank

-----Original Message-----
From: bind-users-bounces+frnkblk=iname.com at lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname.com at lists.isc.org] On Behalf Of
Warren Kumari
Sent: Tuesday, May 31, 2011 4:59 PM
To: Warren Kumari
Cc: bind-users at lists.isc.org
Subject: Re: Compromised BIND?

Does anyone else find the bind-users list to be very slow?

webster.isc.org (localhost [IPv6:::1]) Tue, 31 May 2011 19:48:30 +0000 ->
webster.isc.org (webster.isc.org) Tue, 31 May 2011 20:52:09 +0000 

Or is it just me seeing this?

W


On May 31, 2011, at 4:17 PM, Warren Kumari wrote:

> 
> On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:
> 
>> On 5/31/2011 2:38 PM, Supersonic wrote:
>>> I have a BIND 9.8.0-P2 server instance running on a production server.
>> 
>> Doing what, exactly? Resolving internal names only? Resolving Internet
names? Acting as an authoritative server for internal clients? Internet
clients? Some combination of the above?
>> 
>>> My firewall is showing repeated attempts by named.exe to connect to IP
addresses in foreign countries on ports 6666, 6667 and 6669 - common IRC
ports used by worms/trojans/zombies. Checking my named.exe file, it shows
that it is unchanged from the installation source. Is this connection
normal? Should I be allowing it?
>>> 
>> TCP connections or UDP packets?
>> 
>> If you're serving authoritative data to Internet clients, then my guess
is your firewall simply isn't "stateful" enough to realize that these are
responses to DNS queries that originally came in from Internet clients using
those port numbers. Just because they are "common IRC ports used by
worms/trojans/zombies" doesn't preclude them from also being chosen at
random as the source ports of incoming queries to your nameserver. Responses
go back to the same port from which the query was received.
> 
> 
> Can you make a distribution of ports and see if it contacts other port
numbers with approximately the same frequency? I'm guessing this is just the
FW / IDS being "helpful"....
> 
> W
> 
>> 
>> If they're outgoing TCP connections, I'd be worried. Offhand, I can't
think of any legitimate reason why named would be trying to TCP-connect to
any port other than 53.
>> 
>>
- Kevin
>> 
>> 
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>> 
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list