Security Incidents mailing list archives
Re: Unsuspected "named" behaviour
From: dewt <dewt () kc rr com>
Date: Tue, 7 Aug 2001 17:31:04 -0500
On Tuesday 07 August 2001 12:18 pm, Gustav wrote:
> Hi!
>
> While doing some searching after an imaginary bug on my name-server, I stumbled across something strange. I found "named" listening on an undocumented high udp-port. I haven't heard of this before, so I wondered if one of you geniuses could help me out. My paranoid side is screaming trojan, but I haven't found any documentation on the subject. Could anyone point me in the right direction? I'm running Bind 8.2.3 on a Linux box with kernel 2.2.16.
>
> regards
> Gustav
named will bind to a random UDP port in addition to 53. You can lock this to a specific port by adding "query-source address * port 2048;" to your options in named.conf; of course you could pick any port you want.

It could still be a trojan, so I would set named to a fixed query source port and see if it binds to that one. If it does, no trojan; if it doesn't, you've got one.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
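The check described in the reply, as an added example that is not part of the original message: it filters `netstat -nlup` output for UDP sockets owned by a process called "named" and flags any port that is neither 53 nor the configured query source port. The function names and the sample netstat lines (PID 412, port 40123) are constructed for illustration; port 2048 is the value from the reply.

```shell
#!/bin/sh
# Added example, not from the original message. Function names, PID 412 and
# port 40123 are constructed; port 2048 is the value used in the reply.
#
# named.conf setting from the reply:
#   options {
#       query-source address * port 2048;
#   };

# check_named_udp EXPECTED_PORT
# Reads `netstat -nlup` output on stdin. For every UDP socket owned by a
# process named "named", prints "ok <port>" if the port is 53 or
# EXPECTED_PORT, otherwise "unexpected <port>".
check_named_udp() {
    awk -v want="$1" '
        $1 ~ /^udp/ && $NF ~ /\/named$/ {
            n = split($4, part, ":")   # field 4 is the local address
            port = part[n]             # port follows the last ":" (IPv4 or IPv6)
            if (port == 53 || port == want) print "ok " port
            else print "unexpected " port
        }'
}

# Constructed netstat output: named restarted with the fixed query source
# port and bound to exactly that port plus 53.
sample_clean() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:53       0.0.0.0:*        LISTEN  412/named
udp        0      0 127.0.0.1:53     0.0.0.0:*                412/named
udp        0      0 0.0.0.0:2048     0.0.0.0:*                412/named
EOF
}

# Constructed netstat output: the setting is in place but a high port other
# than 2048 is still open under the name "named".
sample_suspect() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
udp        0      0 127.0.0.1:53     0.0.0.0:*                412/named
udp        0      0 0.0.0.0:2048     0.0.0.0:*                412/named
udp        0      0 0.0.0.0:40123    0.0.0.0:*                412/named
EOF
}

sample_suspect | check_named_udp 2048
# On a live host (root is needed to see program names):
#   netstat -nlup | check_named_udp 2048
```

On current BIND releases, which randomize the source port per query, pinning it with `query-source ... port` makes forged replies easier to match, so treat the setting as a diagnostic step rather than a permanent configuration.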