Re: [cobalt-users] Strange named behaviour
- Subject: Re: [cobalt-users] Strange named behaviour
- From: flash22@xxxxxxx
- Date: Thu Apr 19 04:26:05 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Thu, 19 Apr 2001, Denis Bystruev wrote:
> Hello,
>
> I noticed a lot of inbound traffic on my RaQ 4
> (http://www.rackshack.net/bandwidth/workdir1/216.40.212.243_13.html) and
> while searching for the one responsible I found that named asks for PTR
> record every few seconds (my server is 99servers.com):
>
> 13:03:09.691424 www.99servers.com.1046 > ns1.ev1.net.domain: 53379+ PTR?
> 124.212.40.216.in-addr.arpa. (45)
> 13:03:09.691981 ns1.ev1.net.domain > www.99servers.com.1046: 53379 ServFail
> 0/0/0 (45)
> 13:03:09.692114 www.99servers.com.1046 > ns2.ev1.net.domain: 53379+ PTR?
> 124.212.40.216.in-addr.arpa. (45)
> 13:03:09.692555 ns2.ev1.net.domain > www.99servers.com.1046: 53379 ServFail
> 0/0/0 (45)
>
> Is it normal?
well, you aren't answering any in-addr queries, so whatever is asking is
gonna retry forever....
Authoritative answers can be found from:
212.40.216.in-addr.arpa nameserver = NS1.EV1.NET
*** ns1.ev1.net can't find 124.212.40.216.in-addr.arpa:
>
> Also I can't stop named. '/etc/rc.d/init.d/named stop' does not stop it, I
> still can see it running with ps ax.
>
> Did someone hack me?
kinda looks like a maybe, ps e [pidofnamed], see what directory it's
running from....(and user ?)
possible all that inbound traffic was a password attack?
gsh
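
The check suggested in the reply above (which binary, directory and user the running named really has), as an added shell example that is not part of the original thread. It reads Linux /proc instead of parsing ps output; the function name `inspect_proc` and the expected path /usr/sbin/named are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example: triage of a running named process via /proc (Linux).
# EXPECTED_EXE is an assumption; set it to where your distribution installs named.
EXPECTED_EXE="${EXPECTED_EXE:-/usr/sbin/named}"

# inspect_proc PID [PROC_ROOT]
# Prints exe, cwd and real uid of PID, then one "WARN:" line per finding.
# Returns 0 if nothing stands out, 1 if a finding was raised, 2 if PID is absent.
inspect_proc() {
    pid="$1"
    root="${2:-/proc}"
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "no such process: $pid"; return 2; }

    # exe is the binary the kernel actually mapped, whatever argv[0] claims.
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=""
    uid=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null) || uid=""

    echo "pid=$pid exe=${exe:-?} cwd=${cwd:-?} uid=${uid:-?}"
    rc=0
    case "$exe" in
        *" (deleted)")
            echo "WARN: binary was deleted from disk after start"; rc=1 ;;
    esac
    if [ "${exe% (deleted)}" != "$EXPECTED_EXE" ]; then
        echo "WARN: exe is not $EXPECTED_EXE"; rc=1
    fi
    case "$cwd" in
        /tmp*|/var/tmp*|/dev/shm*)
            echo "WARN: working directory is in temporary scratch space"; rc=1 ;;
    esac
    return $rc
}

# Live use: run with --scan to check every process whose name is exactly "named".
if [ "${1:-}" = "--scan" ]; then
    for p in $(pgrep -x named); do inspect_proc "$p"; done
fi
```

Run it as root so the exe and cwd links of other users' processes are readable.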