Possible System Compromise

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Wed Feb 7 21:32:30 UTC 2001


> 	My thanks to those who responded and explained what is
> most likely happening.  I remember reading something to the
> effect that modern bind used unprivileged port numbers, but I wasn't
> sure why anybody would complain.  If they are set up to play by
> the rules of bind-4, then I am sure these high-numbered ports
> look like terrorism, for sure in the firewall log.
> 
> Martin McCormick
> 

	The problem was that you were querying that server and they
	weren't expecting you to.  The IP address was being rejected,
	not the port.

Feb  7 00:34:54 athena named[2658]: denied query from [ouraddress].42061 for "anothersystem"

	Now you need to work out why your server queried their server.
	The usual cause is a bad delegation.   However, it could also
	be someone running dig/nslookup on your machine.

	Mark

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
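
An added example, not part of the original message: a small parser for the `denied query` line quoted above that splits the source address from the source port and counts which names each address asked for. The sample lines, addresses (documentation ranges) and host names are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Shape of the line quoted in the message:
#   named[pid]: denied query from [addr].port for "name"
DENIED = re.compile(
    r'named\[\d+\]: denied query from '
    r'\[(?P<addr>[^\]]+)\]\.(?P<port>\d+)\s+for "(?P<name>[^"]*)"'
)

# Constructed sample log lines; none of these values come from a real server.
SAMPLE = """\
Feb  7 00:34:54 athena named[2658]: denied query from [192.0.2.10].42061 for "host1.example.net"
Feb  7 00:35:10 athena named[2658]: denied query from [192.0.2.10].42061 for "host2.example.net"
Feb  7 00:35:12 athena named[2658]: denied query from [198.51.100.7].53 for "HOST1.example.net."
Feb  7 00:36:01 athena named[2658]: denied query from [192.0.2.10].1033 for "host1.example.net"
Feb  7 00:36:02 athena named[2658]: some other message
"""

def parse_denied(line):
    """Return (source address, source port, queried name) or None."""
    m = DENIED.search(line)
    if m is None:
        return None
    # DNS names are case-insensitive; drop a trailing root dot as well.
    return m["addr"], int(m["port"]), m["name"].lower().rstrip(".")

def summarise(lines):
    """Group denied queries by source address.

    The address is the key because the ACL decision is made on it;
    the source port is recorded only as supporting detail.
    """
    by_source = defaultdict(lambda: {"ports": set(), "names": Counter()})
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue  # not a denied-query line
        addr, port, name = rec
        by_source[addr]["ports"].add(port)
        by_source[addr]["names"][name] += 1
    return dict(by_source)

if __name__ == "__main__":
    for addr, info in summarise(SAMPLE.splitlines()).items():
        print(addr, sorted(info["ports"]), info["names"].most_common())
```

The per-address list of names is what to check against your own delegations when working out why your server sent the queries.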

