LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] Port 53 exploit?

[ILUG] Port 53 exploit?

James Raftery james-ilug at now.ie
Thu Feb 22 14:13:27 GMT 2001 

On Thu, Feb 22, 2001 at 12:02:38PM -0000, Barry Redmond wrote:
> I'm running a name server with versions of everything so old I'm too 
> embarrassed to admit them, even to good friends like yourselves.  

Have a read of http://www.isc.org/products/BIND/bind-security.html

> I'm seeing port scans of other machines on our network coming 
> from port 53 on the name server.  The name server shows nothing 
> out of the ordinary in any logs or other information.

So the nameserver box is portscanning your network? The source port used
in the scan traffic is 53? This is unusual. If named is running it will
have bound to 53/TCP and 53/UDP on all your interfaces (by default). The
scan traffic, if answered by hosts on your network, would not be able to
be collected by the portscanning tool running on the nameserver. It
won't be able to bind to port 53 and so won't receive the responses.

If you have a BIND 8 nameserver, crank up the debugging to see if it is
logging malformed DNS packets.

> bouncing port scans through it.  afaik, port 53 is usually used for 
> redirected dns resolution.

53/TCP and 53/UDP are the ports a nameserver listens for queries on.

> Now I know the solution to this is to upgrade everything to the 
> latest versions (and I will, honest), but I'd like to know what exploit 
> is being used here and if there's a simple way to see where they're 
> coming from.  Does this look familiar to anyone?

If you suspect the machine is compromised the solution is to fire up
newfs then reinstall the OS.


james
-- 
James Raftery (JBR54)
  "It's somewhere in the Red Hat district"  --  A network engineer's
   freudian slip when talking about Amsterdam's nightlife at RIPE 38.

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell