Security Incidents mailing list archives

Re: Unsuspected "named" behaviour


From: dewt <dewt () kc rr com>
Date: Tue, 7 Aug 2001 17:31:04 -0500

On Tuesday 07 August 2001 12:18 pm, Gustav wrote:
> Hi!
>
> While doing some searching after an imaginary bug on my name-server, I
> stumbled across something strange.
> I found "named" listening on an undocumented high udp-port. I haven't heard
> of this before, so I wondered if one of you geniuses could help me out. My
> paranoid side is screaming trojan, but I haven't found any documentation on
> the subject. Could anyone point me in the right direction?
>
> I'm running Bind 8.2.3 on a Linux box with kernel 2.2.16.
>
> regards
>
> Gustav

named will bind to a random UDP port in addition to 53. You can lock this to
a specific port by adding "query-source address * port 2048;" to your options
in named.conf; of course, you could pick any port you want. It could still be a
trojan, so I would set named to a fixed query source port and see if it binds
to that one. If it does, no trojan; if it doesn't, you've got one.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
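
The check described in the reply above, as an added example that is not part of the original post or of BIND: after restarting named with `query-source address * port 2048;`, feed `netstat -lnup` style output to the function and see whether named holds anything other than port 53 and the configured port. The sample lines, the address 192.0.2.10, PID 412 and port 31337 are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify named's UDP sockets after fixing the query-source port.
# Input on stdin is `netstat -lnup` style text (run netstat as root so the
# PID/Program name column is filled in).

# Print the UDP ports held by a process called "named", sorted and unique.
named_udp_ports() {
    awk '$1 ~ /^udp/ && $NF ~ /\/named$/ {
             n = split($4, a, ":")   # local address is ADDR:PORT; port is the last piece
             print a[n]
         }' | sort -n -u
}

# check_query_source PORT
# Prints "ok" and returns 0 when named holds only port 53 and PORT.
# Prints "missing PORT" and/or "unexpected PORT..." and returns 1 otherwise.
check_query_source() {
    want=$1
    ports=$(named_udp_ports)
    status=0
    seen=no
    extra=""
    for p in $ports; do
        if [ "$p" = "$want" ]; then seen=yes
        elif [ "$p" != 53 ]; then extra="$extra $p"
        fi
    done
    if [ "$seen" = no ]; then echo "missing $want"; status=1; fi
    if [ -n "$extra" ]; then echo "unexpected$extra"; status=1; fi
    [ "$status" -eq 0 ] && echo "ok"
    return "$status"
}

# Constructed sample output, not captured from a real host.
SAMPLE_FIXED='udp  0  0 192.0.2.10:53   0.0.0.0:*   412/named
udp  0  0 127.0.0.1:53    0.0.0.0:*   412/named
udp  0  0 0.0.0.0:2048    0.0.0.0:*   412/named'

# Same host with one more UDP socket that the configuration does not explain.
SAMPLE_EXTRA="$SAMPLE_FIXED
udp  0  0 0.0.0.0:31337   0.0.0.0:*   412/named"

printf '%s\n' "$SAMPLE_FIXED" | check_query_source 2048           # prints: ok
printf '%s\n' "$SAMPLE_EXTRA" | check_query_source 2048 || true   # prints: unexpected 31337
```

On later BIND releases a fixed query-source port gives up the source-port randomization that helps resist cache poisoning, so treat the fixed port as a temporary diagnostic setting.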