[ILUG] Port 53 exploit?
James Raftery
james-ilug at now.ie
Thu Feb 22 14:13:27 GMT 2001
On Thu, Feb 22, 2001 at 12:02:38PM -0000, Barry Redmond wrote:
> I'm running a name server with versions of everything so old I'm too
> embarrassed to admit them, even to good friends like yourselves.
Have a read of http://www.isc.org/products/BIND/bind-security.html
> I'm seeing port scans of other machines on our network coming
> from port 53 on the name server. The name server shows nothing
> out of the ordinary in any logs or other information.
So the nameserver box is portscanning your network? The source port used
in the scan traffic is 53? This is unusual. If named is running it will
have bound to 53/TCP and 53/UDP on all your interfaces (by default). The
scan traffic, if answered by hosts on your network, would not be able to
be collected by the portscanning tool running on the nameserver. It
won't be able to bind to port 53 and so won't receive the responses.
If you have a BIND 8 nameserver, crank up the debugging to see if it is
logging malformed DNS packets.
> bouncing port scans through it. afaik, port 53 is usually used for
> redirected dns resolution.
53/TCP and 53/UDP are the ports a nameserver listens for queries on.
> Now I know the solution to this is to upgrade everything to the
> latest versions (and I will, honest), but I'd like to know what exploit
> is being used here and if there's a simple way to see where they're
> coming from. Does this look familiar to anyone?
If you suspect the machine is compromised the solution is to fire up
newfs then reinstall the OS.
james
--
James Raftery (JBR54)
"It's somewhere in the Red Hat district" -- A network engineer's
freudian slip when talking about Amsterdam's nightlife at RIPE 38.
More information about the ILUG
mailing list