From owner-freebsd-security Mon Jul 24 11:48:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162])
	by hub.freebsd.org (Postfix) with SMTP id E28A137BD07
	for ; Mon, 24 Jul 2000 11:48:14 -0700 (PDT)
	(envelope-from sthaug@nethelp.no)
Received: (qmail 33755 invoked by uid 1001); 24 Jul 2000 18:48:11 +0000 (GMT)
To: Gerhard.Sittig@gmx.net
Cc: security@freebsd.org
Subject: Re: What does this mean and how do I stop it ?
From: sthaug@nethelp.no
In-Reply-To: Your message of "Mon, 24 Jul 2000 19:29:15 +0200"
References: <20000724192915.Z24476@speedy.gsinet>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 24 Jul 2000 20:48:11 +0200
Message-ID: <33753.964464491@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > These entries appear frequently in the daily security report of
> > a FreeBSD 4.0-RELEASE machine (Bind 8.2.x)
> >
> > > Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53
>
> I don't care if everybody's telling you it's DNS *lookup* -- I
> feel this is something different, since it's going *from* port 53
> *to* something random(?).

It's the *answer* to a DNS query (lookup). The answer came so late that
the DNS client (probably the resolver routines linked into the application)
had already closed the UDP socket in question - thus there's nobody
listening there.

To me this was already implied from the previous messages in this thread...

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
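
Added example, not part of the original message: a small triage script for the report lines discussed above, separating entries that have the shape of a late DNS answer (source port 53, unprivileged destination port) from ones that deserve a closer look. `KNOWN_RESOLVERS`, `EPHEMERAL_MIN` and the label names are assumptions, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Report line format as quoted in the message above.
LINE_RE = re.compile(
    r"Connection attempt to UDP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)
DNS_PORT = 53
EPHEMERAL_MIN = 1024               # assumption: resolver clients bind unprivileged ports
KNOWN_RESOLVERS = {"127.0.0.1"}    # assumption: name servers this host actually queries

# First line is from the message; the rest are constructed for illustration.
SAMPLE = [
    "Connection attempt to UDP 127.0.0.1:2343 from 127.0.0.1:53",
    "Connection attempt to UDP 192.0.2.10:4071 from 198.51.100.7:53",
    "Connection attempt to UDP 192.0.2.10:137 from 192.0.2.77:137",
    "Connection attempt to UDP 192.0.2.10:53 from 192.0.2.77:4021",
]


def classify(line):
    """Label one report line; returns None when the line is not a UDP entry."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, sport, dport = m["src"], int(m["sport"]), int(m["dport"])
    if sport == DNS_PORT and dport >= EPHEMERAL_MIN:
        # Shape of a DNS answer; only benign if it comes from a server we query.
        return "late-dns-reply" if src in KNOWN_RESOLVERS else "port53-unknown-source"
    return "review"


def summarize(lines):
    """Count entries per (label, source address), skipping unrelated lines."""
    counts = Counter()
    for line in lines:
        label = classify(line)
        if label is not None:
            src = LINE_RE.search(line)["src"]
            counts[(label, src)] += 1
    return counts


if __name__ == "__main__":
    for (label, src), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {label:22s} {src}")
```

A steadily growing count of `late-dns-reply` entries for one resolver points at a slow or overloaded name server rather than at hostile traffic.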