Compromised BIND?

Torinthiel torinthiel at data.pl
Tue May 31 19:48:13 UTC 2011


On 05/31/11 20:38, Supersonic wrote:
> I have a BIND 9.8.0-P2 server instance running on a production server.
> My firewall is showing repeated attempts by named.exe to connect to IP
> addresses in foreign countries on ports 6666, 6667 and 6669 - common IRC
> ports used by worms/trojans/zombies. Checking my named.exe file, it
> shows that it is unchanged from the installation source. Is this
> connection normal? Should I be allowing it?

Looks bad.
Guessing by named.exe you're running Windows.
Try checking if it's the same named.exe that you think - I've seen worms
disguising themselves as same name only different folder, or as "named
.exe" with space appended to base name. Looks great if you have hidden
extensions, as it seems you have two files with name "named".
Torinthiel
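
The check suggested in the reply above, written out in PowerShell as an added example; it is not part of the original message and not code from the BIND project. The install path in $ExpectedPath is an assumption to adjust for your system, and the sample rows are constructed.

```powershell
# Added example. $ExpectedPath is an assumption: set it to your BIND install location.
$ExpectedPath = 'C:\Program Files\ISC BIND 9\bin\named.exe'
$WatchedPorts = 6666, 6667, 6669          # ports from the firewall report above

function Test-NamedProcess {
    # Reports every process whose image name collapses to "named.exe" and flags
    # it when the exact name or the full path differs from the expected binary.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Process,
        [Parameter(Mandatory)] [string] $Expected
    )
    process {
        if (($Process.Name -replace '\s', '') -ne 'named.exe') { return }
        $reasons = @()
        if ($Process.Name -ne 'named.exe') { $reasons += 'whitespace in image name' }
        if ($Process.ExecutablePath -ne $Expected) { $reasons += 'unexpected folder' }
        [pscustomobject]@{
            ProcessId = $Process.ProcessId
            Name      = "[$($Process.Name)]"     # brackets make stray spaces visible
            Path      = $Process.ExecutablePath
            Suspect   = [bool]$reasons.Count
            Reasons   = $reasons -join '; '
        }
    }
}

# Constructed sample rows (not real data) showing the two disguises described above.
$sample = @(
    [pscustomobject]@{ ProcessId = 1204; Name = 'named.exe';  ExecutablePath = $ExpectedPath }
    [pscustomobject]@{ ProcessId = 3310; Name = 'named.exe';  ExecutablePath = 'C:\Users\Public\named.exe' }
    [pscustomobject]@{ ProcessId = 3988; Name = 'named .exe'; ExecutablePath = 'C:\Program Files\ISC BIND 9\bin\named .exe' }
)
$sample | Test-NamedProcess -Expected $ExpectedPath | Format-Table -AutoSize

# Live check (run elevated, otherwise ExecutablePath can be empty and gets flagged).
Get-CimInstance Win32_Process |
    Test-NamedProcess -Expected $ExpectedPath | Format-Table -AutoSize

# Map connections on the watched ports back to the owning process id.
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in $WatchedPorts } |
    Select-Object OwningProcess, RemoteAddress, RemotePort, State
```

Compare the OwningProcess values from the last command with the ProcessId column: a connection owned by a row marked Suspect points at a lookalike binary rather than the installed named.exe.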
