Dear Roman, thanks a lot for your response. I was so worried when i read the other reply on my question. I use bind 9.1.2. I restarted the service once and the port number changed. The next 2 times (within 10 sec)the number did not change. is this normal too ? another question: i thought i might be hacked because i get emails from sex sites with To-adresses like EROTICA@[my.server.de] (<- replaced) is this normal ? greets from Gero who can sleep a bit better since yesterday ;)
I noticed that my name server is listening to a port that i have not expected (like port 80,25,21,110 etc..).
udp 0 0 127.0.0.1:53 0.0.0.0:* 475/named udp 0 0 0.0.0:52810 0.0.0.0:* 31475/named udp 0 :::53 :::* 31475/named
what is port 52810 ? yesterday is was another number like 46xxx...
Am i hacked ?
Negative. It looks like your bind8 has been restarted since yesterday. named binds to a port which will be the source port number for the queries it sends to other nameservers. This port can be configured in /etc/named.conf (like query-source address 213.68.230.226 port *;), but it isn't bound to a specific value by default. Each time you restart bind8, it will use another port.
Use "tcpdump -nvv udp and port 53" to see these requests with the source port that you see with "netstat -anp".
_______________________________________________________________________ 1.000.000 DM gewinnen - kostenlos tippen - http://millionenklick.web.de IhrName@web.de, 8MB Speicher, Verschluesselung - http://freemail.web.de