| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4EAC0846.60400@wenks.ch> Date: Sat, 29 Oct 2011 16:05:58 +0200 From: Fabian Wenk <fabian@...ks.ch> To: full-disclosure@...ts.grok.org.uk Subject: Re: bind-9.8.1 remote code exec exploit? Hello On 29.10.2011 15:34, nix@...roxylists.com wrote: > I've source compile of BIND 9.8.1 on the server. Is this bind server used as authoritative server for some DNS domains? Or does your configuration allow to be queried from the whole internet for resolving? > I've been investigating weird iptables messages as follows: > > Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 > LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 > LEN=94 > > I received a message from my ISP abuse that my server is scanning SIP port > 5060 and I set the firewall rule to deny/log all UDP connections out of > the box to port 5060 to get timestamps for further investigation. This > happened before I set the firewall rule. For me this above log messages looks like a regular answer from your DNS server to the client (or a resolving DNS server) running on the destination IP address. A DNS request runs like this: A client (or resolving DNS server) does a query through UDP from his source port 5060 (could be any other random port) to the server on port 53. As UDP is connectionless, the server is sending the answer back from his UDP port 53 to the destination port 5060. bye Fabian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists