Re: Compromised BIND?

2011-06-01 Thread Stephane Bortzmeyer
On Tue, May 31, 2011 at 05:59:08PM -0400,
 Warren Kumari war...@kumari.net wrote 
 a message of 52 lines which said:

 Does anyone else find the bind-users list to be very slow?

Same problem for me.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


[OT] Re: Compromised BIND?

2011-06-01 Thread lst_hoe02

Quoting Stephane Bortzmeyer bortzme...@nic.fr:


On Tue, May 31, 2011 at 05:59:08PM -0400,
 Warren Kumari war...@kumari.net wrote
 a message of 52 lines which said:


Does anyone else find the bind-users list to be very slow?


Same problem for me.


No wonder the list is slow if everyone sends a confirmation that it is slow ;-)

I suspect that ISC is working on it and after all it is only an  
imbalance in the store-and-forward principle of e-mail.


Regards

Andreas




Slow list [was: Re: Compromised BIND?]

2011-06-01 Thread Jan-Piet Mens
 Does anyone else find the bind-users list to be very slow?

Yes, very. [Pressing 's'end at 09:54 CET]

-JP


Re: Slow list [was: Re: Compromised BIND?]

2011-06-01 Thread /dev/rob0
On Wed, Jun 01, 2011 at 09:54:04AM +0200, Jan-Piet Mens wrote:
  Does anyone else find the bind-users list to be very slow?
 
 Yes, very. [Pressing 's'end at 09:54 CET]

I think it's moderated. Sending at 11:16 UTC.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: Compromised BIND?

2011-05-31 Thread Ray Van Dolson
On Tue, May 31, 2011 at 11:38:13AM -0700, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server. My
 firewall is showing repeated attempts by named.exe to connect to IP addresses
 in foreign countries on ports , 6667 and 6669 - common IRC ports used by
 worms/trojans/zombies. Checking my named.exe file, it shows that it is
 unchanged from the installation source. Is this connection normal? Should I be
 allowing it?

No, that doesn't sound good at all.  You could sniff the traffic and
verify, but sounds like you've been compromised.

Ray


Re: Compromised BIND?

2011-05-31 Thread Kevin Darcy

On 5/31/2011 2:38 PM, Supersonic wrote:

I have a BIND 9.8.0-P2 server instance running on a production server.


Doing what, exactly? Resolving internal names only? Resolving Internet 
names? Acting as an authoritative server for internal clients? Internet 
clients? Some combination of the above?


My firewall is showing repeated attempts by named.exe to connect to IP 
addresses in foreign countries on ports , 6667 and 6669 - common 
IRC ports used by worms/trojans/zombies. Checking my named.exe file, 
it shows that it is unchanged from the installation source. Is this 
connection normal? Should I be allowing it?



TCP connections or UDP packets?

If you're serving authoritative data to Internet clients, then my guess 
is your firewall simply isn't stateful enough to realize that these 
are responses to DNS queries that originally came in from Internet 
clients using those port numbers. Just because they are common IRC 
ports used by worms/trojans/zombies doesn't preclude them from also 
being chosen at random as the source ports of incoming queries to your 
nameserver. Responses go back to the same port from which the query was 
received.


If they're outgoing TCP connections, I'd be worried. Offhand, I can't 
think of any legitimate reason why named would be trying to TCP-connect 
to any port other than 53.




- Kevin





Re: Compromised BIND?

2011-05-31 Thread Stephane Bortzmeyer
On Tue, May 31, 2011 at 02:38:13PM -0400,
 Supersonic wbpfs...@gmail.com wrote 
 a message of 38 lines which said:

 My firewall is showing repeated attempts by named.exe to connect to
 IP addresses in foreign countries on ports , 6667 and 6669

Not enough information to decide. For instance, what was the source
port of these packets? If it is 53, it may simply be BIND answering to
requests having the source port .



Re: Compromised BIND?

2011-05-31 Thread Jan-Piet Mens
 I have a BIND 9.8.0-P2 server instance running on a production server. My
 firewall is showing repeated attempts by named.exe to connect to IP
 addresses in foreign countries on ports , 6667 and 6669 - common IRC
 ports used by worms/trojans/zombies.

Sounds like you're running an IRC bot...


-JP


Re: Compromised BIND?

2011-05-31 Thread Torinthiel
On 05/31/11 20:38, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server.
 My firewall is showing repeated attempts by named.exe to connect to IP
 addresses in foreign countries on ports , 6667 and 6669 - common IRC
 ports used by worms/trojans/zombies. Checking my named.exe file, it
 shows that it is unchanged from the installation source. Is this
 connection normal? Should I be allowing it?

Looks bad.
Guessing by named.exe you're running windows.
Try checking if it's the same named.exe that you think - I've seen worms
disguising themselves with the same name in a different folder, or as "named
.exe" with a space appended to the base name. Looks great if you have hidden
extensions, as it seems you have two files with the name named.
Torinthiel



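A defender-side way to carry out Torinthiel's check, as an added example in Python (not code from the thread, from ISC or from BIND): it walks a directory tree for every file that would display as named.exe when extensions are hidden, flags same-named copies outside the install folder and names with whitespace before ".exe", and compares each file's SHA-256 against the digest of the installation source. The directory tree, the file contents and the "known-good" digest are constructed placeholders, not BIND binaries or a real release hash.

```python
"""Find every file that passes for named.exe and check it against the install source.

Added example for the thread above; not code from bind-users, ISC or BIND.
demo() builds a constructed tree in a temporary directory so the audit runs offline.
"""
import hashlib
import os
import tempfile

EXPECTED_NAME = "named.exe"

# Constructed placeholder for the bytes of your installation source; on a real
# host, hash the file from the original installer or distribution instead.
INSTALL_SOURCE_BYTES = b"placeholder: bytes of the installation-source named.exe"
KNOWN_GOOD_SHA256 = hashlib.sha256(INSTALL_SOURCE_BYTES).hexdigest()


def sha256_of(path):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like(filename, expected=EXPECTED_NAME):
    """True if Explorer with hidden extensions would show this file as `expected`:
    same stem once trailing whitespace is ignored, same extension ignoring case."""
    stem, ext = os.path.splitext(filename)
    exp_stem, exp_ext = os.path.splitext(expected)
    return stem.rstrip().lower() == exp_stem.lower() and ext.lower() == exp_ext.lower()


def name_anomaly(filename, expected=EXPECTED_NAME):
    """Explain how a lookalike name differs from the expected one, or None if identical."""
    if filename == expected:
        return None
    stem, _ = os.path.splitext(filename)
    if stem != stem.rstrip():
        return "whitespace appended to base name"
    return "case differs from expected name"


def audit(root, install_dir, known_good_hash, expected=EXPECTED_NAME):
    """Report every file under `root` that would display as `expected`."""
    install_dir = os.path.normcase(os.path.abspath(install_dir))
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not looks_like(fn, expected):
                continue
            path = os.path.join(dirpath, fn)
            findings.append({
                "path": os.path.relpath(path, root),
                "in_install_dir": os.path.normcase(os.path.abspath(dirpath)) == install_dir,
                "hash_matches": sha256_of(path) == known_good_hash,
                "name_anomaly": name_anomaly(fn, expected),
            })
    findings.sort(key=lambda f: f["path"])
    return findings


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed tree: the real binary, a 'named .exe' beside it, and a copy in another folder."""
    with tempfile.TemporaryDirectory() as root:
        install_dir = os.path.join(root, "bind", "bin")
        _write(os.path.join(install_dir, "named.exe"), INSTALL_SOURCE_BYTES)
        _write(os.path.join(install_dir, "named .exe"), b"placeholder: something else")  # space trick
        _write(os.path.join(root, "Windows", "Temp", "named.exe"), b"placeholder: other")  # other folder
        return audit(root, install_dir, KNOWN_GOOD_SHA256)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the live host the file to feed in is the image path of the running service process, not just whatever the install folder contains; a binary that is "unchanged from the installation source" proves nothing if the process in the firewall log was started from a different path.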

Re: Compromised BIND?

2011-05-31 Thread Warren Kumari

On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:

 On 5/31/2011 2:38 PM, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server.
 
 Doing what, exactly? Resolving internal names only? Resolving Internet names? 
 Acting as an authoritative server for internal clients? Internet clients? 
 Some combination of the above?
 
 My firewall is showing repeated attempts by named.exe to connect to IP 
 addresses in foreign countries on ports , 6667 and 6669 - common IRC 
 ports used by worms/trojans/zombies. Checking my named.exe file, it shows 
 that it is unchanged from the installation source. Is this connection 
 normal? Should I be allowing it?
 
 TCP connections or UDP packets?
 
 If you're serving authoritative data to Internet clients, then my guess is 
 your firewall simply isn't stateful enough to realize that these are 
 responses to DNS queries that originally came in from Internet clients using 
 those port numbers. Just because they are common IRC ports used by 
 worms/trojans/zombies doesn't preclude them from also being chosen at random 
 as the source ports of incoming queries to your nameserver. Responses go back 
 to the same port from which the query was received.


Can you make a distribution of ports and see if it contacts other port numbers 
with approximately the same frequency? I'm guessing this is just the FW / IDS 
being helpful.

W

 
 If they're outgoing TCP connections, I'd be worried. Offhand, I can't think 
 of any legitimate reason why named would be trying to TCP-connect to any port 
 other than 53.
 
 - Kevin
 
 
 

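The triage Kevin Darcy and Stephane Bortzmeyer describe (UDP leaving from source port 53 is a reply to a client's random source port; outbound TCP to anything but port 53 is what named has no reason to do) together with Warren Kumari's port-distribution check, as an added Python example. It is not code from the thread, from ISC or from BIND; the one-flow-per-line log format is constructed, and the sample lines are constructed too, so the regular expression would need adapting to a real firewall's export.

```python
"""Triage firewall log lines attributed to named, following the thread's reasoning.

Added example; not code from bind-users, ISC or BIND. The log format is an
assumption: "PROTO DIR src_ip:src_port -> dst_ip:dst_port", one flow per line.
"""
import re
from collections import Counter

# Constructed sample: replies to IRC-looking client ports, ordinary queries,
# and two outbound TCP connects of the kind the thread says to worry about.
SAMPLE_LOG = """\
UDP OUT 192.0.2.10:53 -> 198.51.100.7:6667
UDP OUT 192.0.2.10:53 -> 203.0.113.44:53122
UDP OUT 192.0.2.10:53 -> 198.51.100.9:6669
UDP OUT 192.0.2.10:53 -> 203.0.113.12:1025
UDP OUT 192.0.2.10:41872 -> 203.0.113.200:53
TCP OUT 192.0.2.10:49210 -> 203.0.113.99:53
TCP OUT 192.0.2.10:49211 -> 198.51.100.7:6667
TCP OUT 192.0.2.10:49213 -> 198.51.100.7:6669
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text):
    """Parse the constructed format into flow dicts; lines that don't match are skipped."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flow = m.groupdict()
        flow["sport"] = int(flow["sport"])
        flow["dport"] = int(flow["dport"])
        flows.append(flow)
    return flows


def classify(flow):
    """Apply the distinction drawn in the thread.

    - UDP leaving from source port 53 is named answering a query. The remote
      port is whatever random source port the client chose, so an IRC-looking
      number there says nothing on its own.
    - Traffic to port 53 (UDP or TCP) is the server's own DNS: recursion,
      retries over TCP, zone transfers.
    - Outbound TCP to any other port has no legitimate reason in named.
    """
    if flow["dir"] != "OUT":
        return "inbound"
    if flow["proto"] == "UDP" and flow["sport"] == 53:
        return "dns-response"
    if flow["dport"] == 53:
        return "dns-query"
    if flow["proto"] == "TCP":
        return "suspicious-outbound-tcp"
    return "other"


def summarize(log_text):
    """Count flows per class."""
    return Counter(classify(f) for f in parse(log_text))


def response_port_distribution(log_text):
    """Warren Kumari's check: among the replies, do 6667/6669 stand out, or do
    they occur about as often as any other high port? A flat distribution means
    they are just client source ports."""
    return Counter(f["dport"] for f in parse(log_text) if classify(f) == "dns-response")


def suspicious_flows(log_text):
    """The lines worth sniffing and investigating: outbound TCP not to port 53."""
    return [f for f in parse(log_text) if classify(f) == "suspicious-outbound-tcp"]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(response_port_distribution(SAMPLE_LOG))
    for f in suspicious_flows(SAMPLE_LOG):
        print("investigate:", f)
```

Run it over a day of exported firewall logs rather than the few lines above: if 6667 and 6669 appear in the reply distribution no more often than neighbouring ports, the firewall is reporting normal responses, and the flows that deserve attention are whatever ends up in suspicious_flows().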


Re: Compromised BIND?

2011-05-31 Thread Warren Kumari
Does anyone else find the bind-users list to be very slow?

webster.isc.org (localhost [IPv6:::1]) Tue, 31 May 2011 19:48:30 + -  
webster.isc.org (webster.isc.org) Tue, 31 May 2011 20:52:09 + 

Or is it just me seeing this?

W


On May 31, 2011, at 4:17 PM, Warren Kumari wrote:

 
 On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:
 
 On 5/31/2011 2:38 PM, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server.
 
 Doing what, exactly? Resolving internal names only? Resolving Internet 
 names? Acting as an authoritative server for internal clients? Internet 
 clients? Some combination of the above?
 
 My firewall is showing repeated attempts by named.exe to connect to IP 
 addresses in foreign countries on ports , 6667 and 6669 - common IRC 
 ports used by worms/trojans/zombies. Checking my named.exe file, it shows 
 that it is unchanged from the installation source. Is this connection 
 normal? Should I be allowing it?
 
 TCP connections or UDP packets?
 
 If you're serving authoritative data to Internet clients, then my guess is 
 your firewall simply isn't stateful enough to realize that these are 
 responses to DNS queries that originally came in from Internet clients using 
 those port numbers. Just because they are common IRC ports used by 
 worms/trojans/zombies doesn't preclude them from also being chosen at 
 random as the source ports of incoming queries to your nameserver. Responses 
 go back to the same port from which the query was received.
 
 
 Can you make a distribution of ports and see if it contacts other port 
 numbers with approximately the same frequency? I'm guessing this is just the 
 FW / IDS being helpful
 
 W
 
 
 If they're outgoing TCP connections, I'd be worried. Offhand, I can't think 
 of any legitimate reason why named would be trying to TCP-connect to any 
 port other than 53.
 
 - Kevin
 
 
 



RE: Compromised BIND?

2011-05-31 Thread Frank Bulk
Yes, this message arrived in my Inbox 44 minutes after it was sent.

Frank

-Original Message-
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of
Warren Kumari
Sent: Tuesday, May 31, 2011 4:59 PM
To: Warren Kumari
Cc: bind-users@lists.isc.org
Subject: Re: Compromised BIND?

Does anyone else find the bind-users list to be very slow?

webster.isc.org (localhost [IPv6:::1]) Tue, 31 May 2011 19:48:30 + -
webster.isc.org (webster.isc.org) Tue, 31 May 2011 20:52:09 + 

Or is it just me seeing this?

W


On May 31, 2011, at 4:17 PM, Warren Kumari wrote:

 
 On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:
 
 On 5/31/2011 2:38 PM, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server.
 
 Doing what, exactly? Resolving internal names only? Resolving Internet
names? Acting as an authoritative server for internal clients? Internet
clients? Some combination of the above?
 
 My firewall is showing repeated attempts by named.exe to connect to IP
addresses in foreign countries on ports , 6667 and 6669 - common IRC
ports used by worms/trojans/zombies. Checking my named.exe file, it shows
that it is unchanged from the installation source. Is this connection
normal? Should I be allowing it?
 
 TCP connections or UDP packets?
 
 If you're serving authoritative data to Internet clients, then my guess
is your firewall simply isn't stateful enough to realize that these are
responses to DNS queries that originally came in from Internet clients using
those port numbers. Just because they are common IRC ports used by
worms/trojans/zombies doesn't preclude them from also being chosen at
random as the source ports of incoming queries to your nameserver. Responses
go back to the same port from which the query was received.
 
 
 Can you make a distribution of ports and see if it contacts other port
numbers with approximately the same frequency? I'm guessing this is just the
FW / IDS being helpful
 
 W
 
 
 If they're outgoing TCP connections, I'd be worried. Offhand, I can't
think of any legitimate reason why named would be trying to TCP-connect to
any port other than 53.
 

- Kevin
 
 
 


