Re: Unsuspected "named" behaviour

From: dewt (dewtat_private)
Date: Tue Aug 07 2001 - 15:31:04 PDT

    On Tuesday 07 August 2001 12:18 pm, Gustav wrote:
    > Hi!
    >
    > While doing some searching after an imaginary bug on my name-server, I
    > stumbled across something strange.
    > I found "named" listening on an undocumented high udp-port. I haven't heard
    > of this before, so I wondered if one of you geniuses could help me out. My
    > paranoid side is screaming trojan, but I haven't found any documentation on
    > the subject. Could anyone point me in the right direction?
    >
    > I'm running Bind 8.2.3 on a Linux box with kernel 2.2.16.
    >
    > regards
    >
    > Gustav
    
    named will bind to a random UDP port in addition to 53. You can lock this to 
    a specific port by adding "query-source address * port 2048;" to your options 
    in named.conf; of course, you could pick any port you want. It could still be a 
    trojan, so I would set named to a fixed query source port and see if it binds 
    to that one. If it does, no trojan; if it doesn't, you've got one.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:40:13 PDT
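
The check described in the reply, as an added example that is not part of the original message: it reads the pinned query-source port from named.conf text and lists the UDP ports held by named, according to `netstat -nulp` output, that are neither 53 nor the pinned port. The named.conf fragment, the netstat lines and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the original post).
NAMED_CONF = '''
options {
    directory "/var/named";
    // pin the source port for outgoing queries, as suggested in the reply
    query-source address * port 2048;
};
'''

NETSTAT = '''\
Proto Recv-Q Send-Q Local Address      Foreign Address    State    PID/Program name
udp        0      0 0.0.0.0:2048       0.0.0.0:*                   412/named
udp        0      0 192.0.2.10:53      0.0.0.0:*                   412/named
udp        0      0 0.0.0.0:31789      0.0.0.0:*                   412/named
udp        0      0 0.0.0.0:514        0.0.0.0:*                   301/syslogd
'''

def query_source_port(conf):
    """Return the fixed query-source port from named.conf text, or None."""
    # Drop /* */, // and # comments so a commented-out line is not matched.
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    conf = re.sub(r'(//|#).*', '', conf)
    m = re.search(r'\bquery-source\s+[^;]*?\bport\s+(\d+)\s*;', conf)
    return int(m.group(1)) if m else None

def named_udp_ports(netstat_text, program='named'):
    """Collect the UDP ports whose owning process name is `program`."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith('udp'):
            continue
        owner = fields[-1]              # "PID/Program name" column
        if '/' not in owner or owner.split('/', 1)[1] != program:
            continue
        ports.add(int(fields[3].rsplit(':', 1)[1]))
    return ports

def unexpected_ports(conf, netstat_text):
    """Ports held by named that are neither 53 nor the pinned query port."""
    expected = {53, query_source_port(conf)}  # None (no pin) matches no port
    return sorted(named_udp_ports(netstat_text) - expected)

if __name__ == '__main__':
    print('unexpected named UDP ports:', unexpected_ports(NAMED_CONF, NETSTAT))
```

On a live host the second argument would be the output of `netstat -nulp` run as root, since the PID/Program column is only filled in for sockets the caller is allowed to inspect.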