On Thu, Feb 22, 2001 at 12:02:38PM -0000, Barry Redmond wrote:
> I'm running a name server with versions of everything so old I'm too
> embarrassed to admit them, even to good friends like yourselves.
Have a read of http://www.isc.org/products/BIND/bind-security.html
> I'm seeing port scans of other machines on our network coming
> from port 53 on the name server. The name server shows nothing
> out of the ordinary in any logs or other information.
So the nameserver box is portscanning your network? The source port used
in the scan traffic is 53? This is unusual. If named is running it will
have bound to 53/TCP and 53/UDP on all your interfaces (by default). The
scan traffic, if answered by hosts on your network, would not be able to
be collected by the portscanning tool running on the nameserver. It
won't be able to bind to port 53 and so won't receive the responses.
If you have a BIND 8 nameserver, crank up the debugging to see if it is
logging malformed DNS packets.
> bouncing port scans through it. afaik, port 53 is usually used for
> redirected dns resolution.
53/TCP and 53/UDP are the ports a nameserver listens for queries on.
> Now I know the solution to this is to upgrade everything to the
> latest versions (and I will, honest), but I'd like to know what exploit
> is being used here and if there's a simple way to see where they're
> coming from. Does this look familiar to anyone?
If you suspect the machine is compromised the solution is to fire up
newfs then reinstall the OS.
James Raftery (JBR54)
"It's somewhere in the Red Hat district" -- A network engineer's
freudian slip when talking about Amsterdam's nightlife at RIPE 38.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!