Compromised BIND?

Ray Van Dolson rvandolson at esri.com
Tue May 31 18:59:42 UTC 2011


On Tue, May 31, 2011 at 11:38:13AM -0700, Supersonic wrote:
> I have a BIND 9.8.0-P2 server instance running on a production server. My
> firewall is showing repeated attempts by named.exe to connect to IP addresses
> in foreign countries on ports 6666, 6667 and 6669 - common IRC ports used by
> worms/trojans/zombies. Checking my named.exe file, it shows that it is
> unchanged from the installation source. Is this connection normal? Should I be
> allowing it?

No, that doesn't sound good at all.  You could sniff the traffic and
verify, but sounds like you've been compromised.

Ray
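
One way to carry out the verification suggested above, as an added example that is not part of the original thread: given TCP payloads already extracted from a capture of named.exe's outbound connections, decide whether each one parses as DNS-over-TCP or as IRC client traffic. The function names are hypothetical, and the flow tuples, addresses and payloads are constructed sample data.

```python
import re
import struct

# Commands an IRC client sends during registration and normal use (RFC 1459/2812).
IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PING", "PONG",
                "PRIVMSG", "NOTICE", "MODE", "CAP", "QUIT"}
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Za-z]+|\d{3})(?: .*)?$")

def looks_like_dns_tcp(payload: bytes) -> bool:
    """DNS over TCP: 2-byte length prefix, then a message with a 12-byte header."""
    if len(payload) < 14:
        return False
    (length,) = struct.unpack("!H", payload[:2])
    if length != len(payload) - 2:
        return False
    _id, flags, qdcount = struct.unpack("!HHH", payload[2:8])
    opcode = (flags >> 11) & 0xF
    return opcode in (0, 4, 5) and qdcount >= 1  # QUERY, NOTIFY, UPDATE

def looks_like_irc(payload: bytes) -> bool:
    """IRC is line-oriented text: every line must parse as an IRC message."""
    lines = [l for l in payload.replace(b"\r\n", b"\n").split(b"\n") if l]
    cmds = []
    for line in lines:
        m = IRC_LINE.match(line)
        if not m:
            return False  # binary or non-IRC text
        cmds.append(m.group(1).decode("ascii").upper())
    return any(c in IRC_COMMANDS for c in cmds)

def triage(flows):
    """Return (dst, port, verdict) for every flow that is not DNS on port 53."""
    findings = []
    for dst, port, payload in flows:
        verdict = ("irc" if looks_like_irc(payload)
                   else "dns" if looks_like_dns_tcp(payload) else "unknown")
        if not (port == 53 and verdict == "dns"):
            findings.append((dst, port, verdict))
    return findings

# Constructed sample data: one genuine DNS query, one IRC registration, one opaque blob.
_q = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
      + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLE_FLOWS = [
    ("192.0.2.53", 53, struct.pack("!H", len(_q)) + _q),
    ("203.0.113.10", 6667, b"NICK host-a1\r\nUSER a a a :a\r\n"),
    ("198.51.100.7", 6669, b"\x16\x03\x01\x00\x05hello"),
]
if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```

Any finding at all is worth investigating on a host that should only be serving DNS; an "unknown" verdict means the payload is neither protocol, not that it is benign.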



More information about the bind-users mailing list