[CentOS] bind (named) compromised?
Peter Eckel
lists at eckel-edv.de
Sun Feb 9 20:55:04 UTC 2014
Hi James,
you seem to be running an open DNS resolver, is that correct? And if so, do you do it intentionally?
I just received a US-CERT alert today that warns about ongoing amplification attacks, among others against DNS, but also against some other UDP-based services.
<https://www.us-cert.gov/ncas/alerts/TA14-017A>
From the symptoms you describe I'd say that your DNS server is being used in such an attack.
> I also see a chroot directory, but if I grep for named it doesn't appear
> to be using the chroot(?):
> # ps aux | grep named
> named 3497 0.4 0.7 170088 15836 ? Ssl 23:02 0:02
> /usr/sbin/named -u named
> root 3763 0.0 0.0 61192 764 pts/1 S+ 23:13 0:00 grep named
Do you have the bind-chroot package installed?
Best regards,
Peter.
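
An added example, not part of the original message: a Python check of whether a DNS reply from your own server shows the open recursion the message asks about. It assumes the query is sent from a host outside the networks the server is meant to serve, for a name the server is not authoritative for; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

RA_BIT = 0x0080      # "recursion available" flag in the DNS header
RCODE_MASK = 0x000F  # 0 = NOERROR, 5 = REFUSED

def build_query(name, qid=0x1234):
    """Minimal A-record query with the 'recursion desired' bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query, response):
    """Judge a reply to a recursive query for a name the server is not authoritative for."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    ra, rcode = bool(flags & RA_BIT), flags & RCODE_MASK
    return {
        "recursion_available": ra,
        "rcode": rcode,
        # Recursion offered and an answer returned to an outside client
        "open_resolver": ra and rcode == 0 and ancount > 0,
        # Reply bytes per query byte: what an amplification attack exploits
        "size_ratio": round(len(response) / len(query), 2),
    }

def probe(server, name, timeout=3.0):
    """Query your own server over UDP; returns None if it does not answer."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return classify_response(query, response)

# Constructed sample replies (not captured traffic), so this runs offline.
SAMPLE_QUERY = build_query("example.com")
ANSWER_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:] + ANSWER_RR
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + SAMPLE_QUERY[12:]

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY)):
        print(label, classify_response(SAMPLE_QUERY, reply))
```

A server that limits recursion to its own clients answers such an outside query with REFUSED or not at all, so `open_resolver` comes back false or `probe` returns `None`.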