Compromised BIND?

Ray Van Dolson rvandolson at
Tue May 31 18:59:42 UTC 2011

On Tue, May 31, 2011 at 11:38:13AM -0700, Supersonic wrote:
> I have a BIND 9.8.0-P2 server instance running on a production server. My
> firewall is showing repeated attempts by named.exe to connect to IP addresses
> in foreign countries on ports 6666, 6667 and 6669 - common IRC ports used by
> worms/trojans/zombies. Checking my named.exe file, it shows that it is
> unchanged from the installation source. Is this connection normal? Should I be
> allowing it?

No, that doesn't sound good at all.  You could sniff the traffic and
verify, but sounds like you've been compromised.


More information about the bind-users mailing list