<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><tt>I know.</tt></font></p>
<p><font size="+1"><tt>So far, the only files changed are the ones I
changed myself, like bind config files and vimrc.</tt></font></p>
<p><font size="+1"><tt>No hidden toolkit found either.</tt></font></p>
<p><font size="+1"><tt>I still think that it is easier to be a
misconfiguration done by myself.</tt></font></p>
<p><font size="+1"><tt>Still looking for better indications that
this could be the case.</tt></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 07/02/2017 12:42, Alberto Colosi
wrote:<br>
</div>
<blockquote
cite="mid:CY4PR13MB1381712836B47A860CFC6C36A2430@CY4PR13MB1381.namprd13.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p>IP ports not being open does not mean it is not hacked.</p>
<p>A vulnerability can be used to make a change or gain access.</p>
<p><br>
</p>
<p>Try to change and audit file access and permissions. Firewall
log analysis can help to find a solution (check all IP
traffic out from TCP/UDP 53).</p>
<p><br>
</p>
<p>If you have RNDC, change the key or disable it.</p>
<p><br>
</p>
<p><br>
</p>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
color="#000000" face="Calibri, sans-serif"><b>From:</b>
Raul Dias <a class="moz-txt-link-rfc2396E" href="mailto:raul@dias.com.br">&lt;raul@dias.com.br&gt;</a><br>
<b>Sent:</b> Tuesday, February 7, 2017 3:34 PM<br>
<b>To:</b> Alberto Colosi; <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<b>Subject:</b> Re: bind 9 goes rogue and revert zone
information</font>
<div> </div>
</div>
<div>
<p dir="ltr">Sorry, <br>
Static files. <br>
It is the master server. <br>
No dynamic updates. <br>
Host under lxc with only bind ports open. </p>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Feb 7, 2017, 12:27 Alberto Colosi
&lt;<a moz-do-not-send="true"
href="mailto:alcol@hotmail.com">alcol@hotmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;
border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr" class="gmail_msg">
<div id="m_-6378113803947496027divtagdefaultwrapper"
dir="ltr" class="gmail_msg" style="font-size:12pt;
color:#000000;
font-family:Calibri,Arial,Helvetica,sans-serif">
<p class="gmail_msg">Hi, the named structure is unclear:
whether it is a slave or a master, whether dynamic updates are
enabled, and whether the Unix box has been hacked.
<br class="gmail_msg">
</p>
<p class="gmail_msg">Lastly, are the zones static
files on the fs?<br class="gmail_msg">
</p>
<br class="gmail_msg">
<br class="gmail_msg">
<div class="gmail_msg" style="color:rgb(0,0,0)">
<div class="gmail_msg">
<hr class="gmail_msg"
style="display:inline-block; width:98%">
<div id="m_-6378113803947496027x_divRplyFwdMsg"
dir="ltr" class="gmail_msg"><font
class="gmail_msg" style="font-size:11pt"
color="#000000" face="Calibri, sans-serif"><b
class="gmail_msg">From:</b> bind-users
&lt;<a moz-do-not-send="true"
href="mailto:bind-users-bounces@lists.isc.org"
class="gmail_msg" target="_blank">bind-users-bounces@lists.isc.org</a>&gt;
on behalf of Raul Dias &lt;<a
moz-do-not-send="true"
href="mailto:raul@dias.com.br"
class="gmail_msg" target="_blank">raul@dias.com.br</a>&gt;<br
class="gmail_msg">
<b class="gmail_msg">Sent:</b> Tuesday,
February 7, 2017 3:03 PM<br
class="gmail_msg">
<b class="gmail_msg">To:</b> <a
moz-do-not-send="true"
href="mailto:bind-users@lists.isc.org"
class="gmail_msg" target="_blank">bind-users@lists.isc.org</a><br
class="gmail_msg">
<b class="gmail_msg">Subject:</b> bind 9
goes rogue and revert zone information</font>
<div class="gmail_msg"> </div>
</div>
</div>
<font class="gmail_msg" size="2"><span
class="gmail_msg" style="font-size:10pt">
</span></font></div>
</div>
</div>
<div dir="ltr" class="gmail_msg">
<div id="m_-6378113803947496027divtagdefaultwrapper"
dir="ltr" class="gmail_msg" style="font-size:12pt;
color:#000000;
font-family:Calibri,Arial,Helvetica,sans-serif">
<div class="gmail_msg" style="color:rgb(0,0,0)"><font
class="gmail_msg" size="2"><span
class="gmail_msg" style="font-size:10pt">
<div class="m_-6378113803947496027PlainText
gmail_msg">Hello,<br class="gmail_msg">
<br class="gmail_msg">
I have a very strange behavior that I am
failing to understand.<br class="gmail_msg">
<br class="gmail_msg">
2 to 5 times a week, a named server reverts
back to a previous version of <br
class="gmail_msg">
a master zone.<br class="gmail_msg">
This happens during the night, usually
around 20h EST.<br class="gmail_msg">
<br class="gmail_msg">
This zone has a serial of 3017020401 (yes, I
typoed the 3 somewhere in the <br
class="gmail_msg">
past).<br class="gmail_msg">
When it reverts its zone information, it
goes back to 3016060101.<br
class="gmail_msg">
<br class="gmail_msg">
I have updated, restarted the host, cleaned
all cache and journal files, <br
class="gmail_msg">
and grepped all files in the host for 3016060101
(it just shows up in the logs).<br
class="gmail_msg">
<br class="gmail_msg">
So, I have no clue why, or how it is
happening. Where does it get the <br
class="gmail_msg">
old information?<br class="gmail_msg">
<br class="gmail_msg">
I thought first about the serial, but it
would have happened in the past <br
class="gmail_msg">
too, right? As it should be a 32-bit
unsigned integer, it shouldn't be a <br
class="gmail_msg">
problem, IMHO.<br class="gmail_msg">
<br class="gmail_msg">
Yet, when "dig domain -t SOA @server", it is
there again.<br class="gmail_msg">
<br class="gmail_msg">
The host is a Debian Jessie and bind is
9.9.5, 1:9.9.5.dfsg-9+deb8u8 <br
class="gmail_msg">
more specifically.<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
Thanks for any direction.<br
class="gmail_msg">
-rsd<br class="gmail_msg">
</div>
</span></font></div>
</div>
</div>
<div dir="ltr" class="gmail_msg">
<div id="m_-6378113803947496027divtagdefaultwrapper"
dir="ltr" class="gmail_msg" style="font-size:12pt;
color:#000000;
font-family:Calibri,Arial,Helvetica,sans-serif">
<div class="gmail_msg" style="color:rgb(0,0,0)"><font
class="gmail_msg" size="2"><span
class="gmail_msg" style="font-size:10pt">
<div class="m_-6378113803947496027PlainText
gmail_msg">_______________________________________________<br
class="gmail_msg">
Please visit <a moz-do-not-send="true"
href="https://lists.isc.org/mailman/listinfo/bind-users"
id="m_-6378113803947496027LPlnk466544"
class="gmail_msg" target="_blank">
https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe
from this list
<br class="gmail_msg">
<br class="gmail_msg">
bind-users mailing list<br class="gmail_msg">
<a moz-do-not-send="true"
href="mailto:bind-users@lists.isc.org"
class="gmail_msg" target="_blank">bind-users@lists.isc.org</a><br
class="gmail_msg">
<a moz-do-not-send="true"
href="https://lists.isc.org/mailman/listinfo/bind-users"
id="m_-6378113803947496027LPlnk936340"
class="gmail_msg" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a>
<br class="gmail_msg">
</div>
</span></font></div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Att. Raul Dias</pre>
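<p>Added example, not part of the original messages: one way to pin down when the revert described in this thread happens is to scan named's log for its "loaded serial" messages and flag every reload whose serial is behind the previous one under RFC 1982 serial arithmetic, so the timestamps can be matched against file-access audit records and scheduled jobs. The log lines, the zone names and the timestamp layout below are constructed for illustration.</p>

```python
import re

SERIAL_MOD = 2 ** 32   # SOA serials are 32-bit unsigned values
HALF = 2 ** 31         # RFC 1982 comparison window

# Assumed log shape: date, time, optional category/severity, then
# "zone NAME/IN: loaded serial N" (adjust to the local logging config).
LOADED = re.compile(r"^(\S+ \S+) .*zone (\S+)/IN: loaded serial (\d+)")

# Constructed sample lines; serials are the two quoted in the thread.
SAMPLE_LOG = [
    "04-Feb-2017 09:12:40.101 general: info: zone example.com/IN: loaded serial 3017020401",
    "06-Feb-2017 20:03:11.552 general: info: zone example.com/IN: loaded serial 3016060101",
    "07-Feb-2017 08:30:02.007 general: info: zone example.com/IN: loaded serial 3017020401",
    "07-Feb-2017 08:30:02.010 general: info: zone example.org/IN: loaded serial 2017020701",
    "07-Feb-2017 08:30:05.000 general: info: received control channel command 'reload'",
]


def serial_is_newer(old, new):
    """RFC 1982: new is ahead of old when the forward distance,
    taken modulo 2^32, lies between 1 and 2^31 - 1."""
    return (new - old) % SERIAL_MOD in range(1, HALF)


def find_regressions(lines):
    """Return (timestamp, zone, previous_serial, loaded_serial) for every
    load whose serial differs from, and is not ahead of, the last one seen."""
    last_seen = {}
    events = []
    for line in lines:
        match = LOADED.match(line)
        if not match:
            continue  # unrelated log line
        when, zone = match.group(1), match.group(2)
        serial = int(match.group(3))
        previous = last_seen.get(zone)
        if (previous is not None and serial != previous
                and not serial_is_newer(previous, serial)):
            events.append((when, zone, previous, serial))
        last_seen[zone] = serial
    return events


if __name__ == "__main__":
    for when, zone, previous, serial in find_regressions(SAMPLE_LOG):
        print(f"{when} {zone}: serial went back from {previous} to {serial}")
```
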
</body>
</html>