log file full of t-syr.com record!

Mark Andrews Mark_Andrews at isc.org
Tue Jul 3 13:56:52 UTC 2007


> Hi All,
> My BIND log is full of following entries.
> 
> 03-Jul-2007 20:10:48.352 queries: info: client 127.0.0.1#38736: query:
> t-syr.com IN A +
> 03-Jul-2007 20:10:51.760 queries: info: client 127.0.0.1#38736: query:
> 164.80.32.60.in-addr.arpa IN PTR +
> 03-Jul-2007 20:10:51.761 queries: info: client 127.0.0.1#38736: query:
> t-syr.com IN A +
> 03-Jul-2007 20:10:52.041 queries: info: client 127.0.0.1#38736: query:
> 164.80.32.60.in-addr.arpa IN PTR +
> 03-Jul-2007 20:10:52.042 queries: info: client 127.0.0.1#38736: query:
> t-syr.com IN A +
> 03-Jul-2007 20:10:55.239 queries: info: client 127.0.0.1#38736: query:
> 164.80.32.60.in-addr.arpa IN PTR +
> 03-Jul-2007 20:10:55.241 queries: info: client 127.0.0.1#38736: query:
> t-syr.com IN A +
> 03-Jul-2007 20:10:55.247 queries: info: client 127.0.0.1#38736: query:
> 164.80.32.60.in-addr.arpa IN PTR +
> 03-Jul-2007 20:10:55.249 queries: info: client 127.0.0.1#38736: query:
> t-syr.com IN A +
> 03-Jul-2007 20:10:58.620 queries: info: client 127.0.0.1#38736: query:
> 164.80.32.60.in-addr.arpa IN PTR +
> 03-Jul-2007 20:10:58.621 queries: info: client 127.0.0.1#38737: query:
> 164.80.32.60.in-addr.arpa IN PTR +
> 03-Jul-2007 20:10:58.622 queries: info: client 127.0.0.1#38738: query:
> t-syr.com IN A +
> 03-Jul-2007 20:10:58.624 queries: info: client 127.0.0.1#38739: query:
> t-syr.com IN A +
> 
> 
> The port numbers 387** are opened by user "bind".
> This is giving me a feeling that maybe my machine is compromised!?
> Why should the BIND daemon continuously ask for t-syr.com ?? Probably
> these DNS query packets are spoofed packets. Any comments?

	I suggest that you show how you worked that out.

	What I am seeing is local clients doing reverse lookups on
	60.32.80.164 then validating the response. The above port
	pattern is typical of a Linux kernel that keeps reissuing
	the same port as long as it is free when the next socket
	is opened.  This is really bad behaviour on the part of
	the kernel.

> -- 
> Best Regards,
> Vishwas.
> ivishwas.googlepages.com
> 
> I know quite certainly that I myself have no special talent;
> curiosity, obsession and dogged endurance, combined with
> self-criticism have brought me to my ideas. - Albert Einstein
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
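
The pattern described in the reply (a reverse lookup followed by a forward lookup that validates it, from a local client reusing source ports) can be pulled out of a query log with a short script. This is an added example, not part of the original thread or of BIND; the one-second pairing window is an assumption, and because the query log records no answers, matching a PTR query with the next A query from the same client is an inference.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Six of the log lines quoted in the post, with the e-mail line wrapping undone.
SAMPLE = """\
03-Jul-2007 20:10:51.760 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:51.761 queries: info: client 127.0.0.1#38736: query: t-syr.com IN A +
03-Jul-2007 20:10:58.620 queries: info: client 127.0.0.1#38736: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:58.621 queries: info: client 127.0.0.1#38737: query: 164.80.32.60.in-addr.arpa IN PTR +
03-Jul-2007 20:10:58.622 queries: info: client 127.0.0.1#38738: query: t-syr.com IN A +
03-Jul-2007 20:10:58.624 queries: info: client 127.0.0.1#38739: query: t-syr.com IN A +
"""

LINE = re.compile(r"^(\S+ \S+) queries: info: client ([^#\s]+)#(\d+): "
                  r"query: (\S+) IN (\S+)")

def arpa_to_ip(name):
    """Turn an IPv4 reverse name into the address it asks about, else None."""
    labels = name.lower().rstrip(".").split(".")
    ok = len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]
    if not ok or not all(l.isdecimal() and int(l) <= 255 for l in labels[:4]):
        return None
    return ".".join(reversed(labels[:4]))

def summarize(text, window=timedelta(seconds=1)):
    """Return (pairs, ports): PTR-then-forward pairs keyed by (client, ip,
    name), and query counts keyed by (client, source port)."""
    pairs, ports = Counter(), Counter()
    pending = defaultdict(deque)          # client address -> waiting PTR lookups
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not a query-log line
        stamp, client, port, qname, qtype = m.groups()
        when = datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S.%f")
        ports[(client, int(port))] += 1
        queue = pending[client]
        while queue and when - queue[0][0] > window:
            queue.popleft()               # PTR too old to be the trigger
        ip = arpa_to_ip(qname) if qtype == "PTR" else None
        if ip:
            queue.append((when, ip))
        elif qtype in ("A", "AAAA") and queue:
            pairs[(client, queue.popleft()[1], qname.lower())] += 1
    return pairs, ports

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Pairs are matched on the client address rather than the source port, since the log above shows the PTR and the following A query arriving from different ports.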


