Compromised BIND?

[Kevin Darcy]

On 5/31/2011 2:38 PM, Supersonic wrote:
> I have a BIND 9.8.0-P2 server instance running on a production server.

Doing what, exactly? Resolving internal names only? Resolving Internet 
names? Acting as an authoritative server for internal clients? Internet 
clients? Some combination of the above?

> My firewall is showing repeated attempts by named.exe to connect to IP 
> addresses in foreign countries on ports 6666, 6667 and 6669 - common 
> IRC ports used by worms/trojans/zombies. Checking my named.exe file, 
> it shows that it is unchanged from the installation source. Is this 
> connection normal? Should I be allowing it?
>
TCP connections or UDP packets?

If you're serving authoritative data to Internet clients, then my guess 
is your firewall simply isn't "stateful" enough to realize that these 
are responses to DNS queries that originally came in from Internet 
clients using those port numbers. Just because they are "common IRC 
ports used by worms/trojans/zombies" doesn't preclude them from also 
being chosen at random as the source ports of incoming queries to your 
nameserver. Responses go back to the same port from which the query was 
received.

If they're outgoing TCP connections, I'd be worried. Offhand, I can't 
think of any legitimate reason why named would be trying to TCP-connect 
to any port other than 53.

                                                                         
                                                                         
         - Kevin