TCP/53 HACKER????

Scott Taylor staylor at coloradomusic.com
Fri Nov 17 15:56:05 UTC 2000


It could just be someone trying to do a zone transfer to list all the hosts
you have in DNS. It could be named-xfer, or some other tool that does this and
provides a nice graphical frontend. Not necessarily malicious, though often seen as
impolite and often blocked by admins at the router/firewall level.


Wiffle Boy wrote:

> On 16 Nov 2000 09:58:27 -0800, bart dumon <bart.dumon at belgium.eu.net>
> wrote:
>
> >
> >Ross wrote:
> >>
> >> I just found a few TCP/53 connections to some of my company machines.  I
> >> know what UDP/53 is for.  What is TCP 53 for?  Is someone telnetting to port
> >> 53?  After finding these suspicious TCP/53 port I did some AWK queries on my
> >> logs.  Found several foreign TCP/53 connections to some of my boxes.  Found
> >> some with data transfer and a few with large data transfer (1 or 2 meg).
> >> Haven't had time to investigate..(Corporate firedrill).  Any clue to what is
> >> going on.  I know I should read.  Just asking.  Thanks
> >>
> >> Ross
> >
> >when an answer to a query is longer than what fits in a UDP packet, (512
> >bytes), the replying server will indicate he has truncated the answer.
> >the receiver will query again using TCP instead of UDP.
> >
> >
> >bart
>
> Another possibility is that someone is using NMAP to sniff your
> network.  CheckPoint FW-1 by default allows UDP/TCP 53 through.  Nmap
> can be configured to use this port to enumerate the network behind the
> firewall.  This would take a somewhat concerted effort on the remote
> attacker as it takes some time to do this.  Your logs would/should
> show the same IP hitting every one of your internal hosts on port UDP
> 53.
>
> Just a thought.
> Craig
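
Added example, not part of the original thread: a small log triage that separates the three explanations offered above (a short TCP retry after a truncated UDP answer, a large TCP/53 transfer such as a zone transfer, and one source touching many hosts on port 53). The log format, the sample lines, the addresses and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the thread). Assumed format:
# time src_ip dst_ip proto dst_port bytes
SAMPLE_LOG = """\
2000-11-16T09:01:02 192.0.2.10 10.0.0.5 tcp 53 1480
2000-11-16T09:01:40 198.51.100.7 10.0.0.5 tcp 53 1572864
2000-11-16T09:02:11 203.0.113.9 10.0.0.1 udp 53 64
2000-11-16T09:02:12 203.0.113.9 10.0.0.2 udp 53 64
2000-11-16T09:02:13 203.0.113.9 10.0.0.3 udp 53 64
2000-11-16T09:02:14 203.0.113.9 10.0.0.4 tcp 53 60
2000-11-16T09:03:00 192.0.2.10 10.0.0.5 udp 53 120
2000-11-16T09:04:00 192.0.2.44 10.0.0.8 tcp 25 9000
"""

BULK_BYTES = 64 * 1024   # assumed threshold for a "large" TCP/53 transfer
SWEEP_HOSTS = 4          # assumed: distinct port-53 targets that suggest a sweep


def triage_port53(log_text, bulk_bytes=BULK_BYTES, sweep_hosts=SWEEP_HOSTS):
    """Return {src_ip: label} for every source that touched port 53."""
    targets = defaultdict(set)      # src -> distinct hosts contacted on 53
    max_tcp = defaultdict(int)      # src -> largest single TCP/53 transfer
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                # skip malformed lines
        _, src, dst, proto, port, nbytes = fields
        if port != "53" or not nbytes.isdigit():
            continue
        targets[src].add(dst)
        if proto == "tcp":
            max_tcp[src] = max(max_tcp[src], int(nbytes))
    labels = {}
    for src, hosts in targets.items():
        if len(hosts) >= sweep_hosts:
            labels[src] = "sweep"            # same IP hitting many hosts
        elif max_tcp[src] >= bulk_bytes:
            labels[src] = "bulk-transfer"    # possible zone transfer
        elif max_tcp[src] > 0:
            labels[src] = "small-tcp"        # consistent with truncation retry
        else:
            labels[src] = "udp-only"
    return labels


if __name__ == "__main__":
    for src, label in sorted(triage_port53(SAMPLE_LOG).items()):
        print(src, label)
```

The labels are starting points for investigation, not verdicts: a "bulk-transfer" source may be a legitimate secondary name server, so compare it against the servers authorised to transfer the zone.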



