Compromised BIND?

Warren Kumari warren at kumari.net
Tue May 31 20:17:18 UTC 2011


On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:

> On 5/31/2011 2:38 PM, Supersonic wrote:
>> I have a BIND 9.8.0-P2 server instance running on a production server.
> 
> Doing what, exactly? Resolving internal names only? Resolving Internet names? Acting as an authoritative server for internal clients? Internet clients? Some combination of the above?
> 
>> My firewall is showing repeated attempts by named.exe to connect to IP addresses in foreign countries on ports 6666, 6667 and 6669 - common IRC ports used by worms/trojans/zombies. Checking my named.exe file, it shows that it is unchanged from the installation source. Is this connection normal? Should I be allowing it?
>> 
> TCP connections or UDP packets?
> 
> If you're serving authoritative data to Internet clients, then my guess is your firewall simply isn't "stateful" enough to realize that these are responses to DNS queries that originally came in from Internet clients using those port numbers. Just because they are "common IRC ports used by worms/trojans/zombies" doesn't preclude them from also being chosen at random as the source ports of incoming queries to your nameserver. Responses go back to the same port from which the query was received.


Can you make a distribution of ports and see if it contacts other port numbers with approximately the same frequency? I'm guessing this is just the FW / IDS being "helpful"....

W

> 
> If they're outgoing TCP connections, I'd be worried. Offhand, I can't think of any legitimate reason why named would be trying to TCP-connect to any port other than 53.
> 
> - Kevin
> 
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
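The two checks suggested in this thread (Kevin's "TCP connections or UDP packets?" with the observation that DNS responses go back to whatever source port the query came from, and Warren's suggestion to look at the whole distribution of destination ports rather than just the IRC ones) can be scripted against the firewall's own log. The following is an added example, not code from the thread or from ISC; the key=value log format, the field names and the sample log lines are all constructed for illustration and would need to be mapped onto what your firewall actually emits.

```python
"""Triage firewall events attributed to named: separate UDP responses
sent from port 53 (normal DNS replies to random client source ports)
from TCP connections named initiates to ports other than 53 (which
Kevin says he cannot think of a legitimate reason for), and show the
destination-port histogram Warren asks for."""
import re
from collections import Counter

# Assumed key=value format, constructed for this example. Real firewall
# logs differ; adapt the regex so the five named groups are filled.
LINE_RE = re.compile(
    r"proto=(?P<proto>tcp|udp)\s+src=(?P<src>\S+)\s+sport=(?P<sport>\d+)"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

# The ports named in the original post plus 6668, the usual IRC range.
IRC_PORTS = {6666, 6667, 6668, 6669}

# Constructed sample: an authoritative server answering Internet clients.
# Two of the six replies happen to go to IRC-range source ports.
BENIGN_LOG = """\
2011-05-31 14:00:01 app=named.exe proto=udp src=192.0.2.53 sport=53 dst=198.51.100.7 dport=6667
2011-05-31 14:00:01 app=named.exe proto=udp src=192.0.2.53 sport=53 dst=203.0.113.9 dport=40213
2011-05-31 14:00:02 app=named.exe proto=udp src=192.0.2.53 sport=53 dst=198.51.100.22 dport=6669
2011-05-31 14:00:02 app=named.exe proto=udp src=192.0.2.53 sport=53 dst=203.0.113.41 dport=51872
2011-05-31 14:00:03 app=named.exe proto=udp src=192.0.2.53 sport=53 dst=198.51.100.8 dport=33001
2011-05-31 14:00:03 app=named.exe proto=udp src=192.0.2.53 sport=53 dst=203.0.113.5 dport=60044
"""

# Constructed sample of the worrying case: outbound TCP from ephemeral
# ports to IRC ports, with only one genuine DNS reply mixed in.
SUSPICIOUS_LOG = """\
2011-05-31 14:05:10 app=named.exe proto=tcp src=192.0.2.53 sport=49152 dst=198.51.100.7 dport=6667
2011-05-31 14:05:11 app=named.exe proto=tcp src=192.0.2.53 sport=49153 dst=198.51.100.7 dport=6667
2011-05-31 14:05:12 app=named.exe proto=tcp src=192.0.2.53 sport=49154 dst=203.0.113.9 dport=6669
2011-05-31 14:05:13 app=named.exe proto=udp src=192.0.2.53 sport=53 dst=203.0.113.41 dport=51872
"""


def parse_log(text):
    """Return one dict per parseable line with integer ports."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def dport_distribution(records):
    """Destination-port histogram per protocol (Warren's check)."""
    dist = {"udp": Counter(), "tcp": Counter()}
    for r in records:
        dist[r["proto"]][r["dport"]] += 1
    return dist


def triage(records):
    """Split events into the two cases Kevin distinguishes.

    A UDP packet from source port 53 is a reply to a query, whatever the
    destination port. A TCP flow where neither end is port 53 is named
    initiating a connection somewhere it has no DNS reason to go."""
    dns_replies = [r for r in records if r["proto"] == "udp" and r["sport"] == 53]
    tcp_elsewhere = [
        r for r in records
        if r["proto"] == "tcp" and r["sport"] != 53 and r["dport"] != 53
    ]
    irc_hits = [r for r in records if r["dport"] in IRC_PORTS]
    return {
        "dns_replies_from_53": len(dns_replies),
        "tcp_connects_elsewhere": len(tcp_elsewhere),
        "irc_port_hits": len(irc_hits),
        "distinct_dports": len({r["dport"] for r in records}),
        "verdict": "investigate" if tcp_elsewhere else "consistent with DNS responses",
    }


if __name__ == "__main__":
    for name, log in (("benign", BENIGN_LOG), ("suspicious", SUSPICIOUS_LOG)):
        recs = parse_log(log)
        print(name, triage(recs))
        for proto, counter in dport_distribution(recs).items():
            print("  ", proto, counter.most_common(5))
```

In the benign sample the IRC ports are just two entries in a flat spread of six distinct destination ports, all sent from 53/udp, which is exactly the pattern of responses to queries that arrived on random source ports. In the suspicious sample the same two port numbers dominate, the protocol is TCP and the source ports are ephemeral, which is the case Kevin says to worry about.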