Re: Re: [suse-security] bind hack ?
Dear Roman,

thanks a lot for your response. I was so worried when I read the other reply on my question. I use bind 9.1.2. I restarted the service once and the port number changed. The next 2 times (within 10 sec) the number did not change. Is this normal too?

Another question: I thought I might be hacked because I get emails from sex sites with To-addresses like EROTICA@[my.server.de] (<- replaced). Is this normal?

greets from Gero who can sleep a bit better since yesterday ;)
I noticed that my name server is listening to a port that I have not expected (like port 80, 25, 21, 110 etc.).
udp 0 0 127.0.0.1:53 0.0.0.0:* 475/named
udp 0 0 0.0.0:52810 0.0.0.0:* 31475/named
udp 0 :::53 :::* 31475/named
What is port 52810? Yesterday it was another number like 46xxx...
Am I hacked?
Negative. It looks like your bind8 has been restarted since yesterday. named binds to a port which will be the source port number for the queries it sends to other nameservers. This port can be configured in /etc/named.conf (like query-source address 213.68.230.226 port *;), but it isn't bound to a specific value by default. Each time you restart bind8, it will use another port.
Use "tcpdump -nvv udp and port 53" to see these requests with the source port that you see with "netstat -anp".
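Added example, not part of the original thread: a small triage of `netstat -anp` output that applies the explanation quoted above, labelling each named socket as the DNS service port, the query source port, or something to review. The sample lines are constructed, and the `classify` helper and its port threshold are assumptions made for illustration.

```python
"""Triage named's sockets from `netstat -anp` output (added example)."""

# Constructed sample, modelled on the kind of output quoted in the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address    Foreign Address State   PID/Program name
udp   0      0      127.0.0.1:53     0.0.0.0:*               31475/named
udp   0      0      0.0.0.0:52810    0.0.0.0:*               31475/named
udp   0      0      :::53            :::*                    31475/named
tcp   0      0      127.0.0.1:53     0.0.0.0:*       LISTEN  31475/named
tcp   0      0      0.0.0.0:8080     0.0.0.0:*       LISTEN  31475/named
tcp   0      0      0.0.0.0:22       0.0.0.0:*       LISTEN  812/sshd
"""


def classify(netstat_text, program="named"):
    """Return (proto, local_addr, verdict) for each socket owned by program."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # The last column is PID/Program; this skips headers and blank lines.
        if len(fields) < 6 or "/" not in fields[-1]:
            continue
        if fields[-1].split("/", 1)[1] != program:
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        port = local.rpartition(":")[2]  # rpartition copes with ":::53"
        if not port.isdigit():
            verdict = "review"
        elif int(port) == 53:
            verdict = "dns-service"
        elif (proto.startswith("udp") and int(port) >= 1024
              and foreign.endswith(":*")):
            # Unconnected high UDP port: the source port for outgoing
            # queries, which changes when named is restarted.
            verdict = "query-source"
        else:
            # Anything else (e.g. a TCP listener off port 53) is not
            # covered by the explanation and deserves a closer look.
            verdict = "review"
        rows.append((proto, local, verdict))
    return rows


if __name__ == "__main__":
    for proto, local, verdict in classify(SAMPLE):
        print(f"{proto:4} {local:16} {verdict}")
```

On a live host the same function can be fed the text of `netstat -anp`, and the port it labels query-source should match the source port shown by the tcpdump command above.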
Gero Lindenblatt wrote:
Dear Roman,
thanks a lot for your response. I was so worried when I read the other reply on my question. I use bind 9.1.2. I restarted the service once and the port number changed. The next 2 times (within 10 sec) the number did not change. Is this normal too?
Another question: I thought I might be hacked because I get emails from sex is this normal ?
I sometimes get messages from my own sex too. But I must admit it still uses more physiological ways as I don't know how to configure it to send e-mails. I know it's slightly OT, but if anyone can help...
greets from Gero who can sleep a bit better since yesterday ;)
'cause he got an e-mail and took appropriate actions ?
NOTE : The quotes have been outrageously snipped
--
~adj~
These mysteries are beyond us. Let us pretend to be their organizer...
participants (2)
- Alain DIDIERJEAN
- Gero Lindenblatt