TCP/53 HACKER????
Scott Taylor
staylor at coloradomusic.com
Fri Nov 17 15:56:05 UTC 2000
It could just be someone just trying to do a zone transfer to list all the hosts
you have in DNS. It could be named-xfer, or some other tool that does this and
provides a nice graphical frontend. Not necessarily malicious, though often seen as
impolite and often blocked by admins at the router/firewall level.
Wiffle Boy wrote:
> On 16 Nov 2000 09:58:27 -0800, bart dumon <bart.dumon at belgium.eu.net>
> wrote:
>
> >
> >Ross wrote:
> >>
> >> I just found a few TCP/53 connections to some of my company machines. I
> >> know what UDP/53 is for. What is TCP 53 for? Is someone telnetting to port
> >> 53? After finding these suspicious TCP/53 port I did some AWK queries on my
> >> logs. Found several foreign TCP/53 connections to some of my boxes. Found
> >> some with data transfer and a few with large data transfer (1 or 2 meg).
> >> Haven't had time to investigate..(Corporate firedrill). Any clue to what is
> >> going on? I know I should read. Just asking. Thanks
> >>
> >> Ross
> >
> >when an answer to a query is longer than what fits in a UDP packet, (512
> >bytes), the replying server will indicate he has truncated the answer.
> >the receiver will query again using TCP instead of UDP.
> >
> >
> >bart
>
> Another possibility is that someone is using NMAP to sniff your
> network. CheckPoint FW-1 by default allows UDP/TCP 53 through. Nmap
> can be configured to use this port to enumerate the network behind the
> firewall. This would take a somewhat concerted effort on the remote
> attacker as it takes some time to do this. Your logs would/should
> show the same IP hitting every one of your internal hosts on port UDP
> 53.
>
> Just a thought.
> Craig
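
The three explanations offered in this thread (a zone transfer, a TCP retry after a truncated UDP answer, and one source hitting many internal hosts on port 53) can be told apart from connection logs. The following is an added example, not part of the original posts; the log format, the sample lines and both thresholds are assumptions.

```python
# Constructed sample log. Assumed format: time src dst proto dport bytes
SAMPLE_LOG = """\
2000-11-16T09:01:02 198.51.100.7 192.0.2.10 tcp 53 1843200
2000-11-16T09:03:40 203.0.113.5 192.0.2.10 udp 53 96
2000-11-16T09:03:41 203.0.113.5 192.0.2.10 tcp 53 2100
2000-11-16T09:10:00 203.0.113.99 192.0.2.10 udp 53 0
2000-11-16T09:10:01 203.0.113.99 192.0.2.11 udp 53 0
2000-11-16T09:10:02 203.0.113.99 192.0.2.12 tcp 53 0
2000-11-16T09:10:03 203.0.113.99 192.0.2.13 tcp 53 0
2000-11-16T09:12:00 198.51.100.20 192.0.2.10 tcp 80 5000
"""

XFER_BYTES = 100_000  # assumed: TCP/53 transfers this large suggest a zone transfer
SWEEP_HOSTS = 4       # assumed: this many distinct targets suggests a sweep


def parse(log):
    """Yield (src, dst, proto, bytes) for port-53 records, skipping bad lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue
        _, src, dst, proto, dport, nbytes = fields
        if dport == "53":
            yield src, dst, proto.lower(), int(nbytes)


def triage(log, xfer_bytes=XFER_BYTES, sweep_hosts=SWEEP_HOSTS):
    """Label each source address with the most likely explanation."""
    dests = {}    # src -> set of internal hosts contacted on port 53
    max_tcp = {}  # src -> largest single TCP/53 transfer in bytes
    for src, dst, proto, nbytes in parse(log):
        dests.setdefault(src, set()).add(dst)
        if proto == "tcp":
            max_tcp[src] = max(max_tcp.get(src, 0), nbytes)
    result = {}
    for src, hosts in dests.items():
        if len(hosts) >= sweep_hosts:
            result[src] = "possible-sweep"           # same IP, many hosts
        elif max_tcp.get(src, -1) >= xfer_bytes:
            result[src] = "possible-zone-transfer"   # large TCP/53 transfer
        elif src in max_tcp:
            result[src] = "likely-truncation-retry"  # small TCP/53 exchange
        else:
            result[src] = "udp-only"
    return result


if __name__ == "__main__":
    for src, label in sorted(triage(SAMPLE_LOG).items()):
        print(src, label)
```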
More information about the bind-users mailing list