Your description of the attack matches my case as well. I haven't yet found another matching report/post, so I wanted to share my findings/facts….
At about 2012-03-22 17:45:45 UTC, my server started transmitting ~15Mbps of spoofed UDP/DNS traffic.
UDP any:>1024 --> any:53
I have some NetFlow data, just a small capture… I didn't do much analysis on the destination (anyIP:53)… but it appeared random… not targeted at any of the 13-ish whatever root servers or anything, not that they might not have been mixed in (small sample below). The hack caused a DoS to me, as my ISP uplink is just 10Mbps, but the edge router is running RPF + has ACLs and the spoofed traffic never hit the net.
The server was a small box running FreeBSD 7.2… installed in Sept 2009. Other than taking on a role in my DNS architecture after another server died, the box wasn't doing too much, and being that I was only running SSH, NTP and DNS (BIND 9.4.3-P2)… I (obviously wrongly, lesson learned) assumed the box was not much of an attack vector or target… I wasn't patching/updating it. My GUESS is the attack was against BIND - I still need to do some research, but probably some buffer overflow exploit is my guess. I'm not all that nix/server savvy, so not at all sure where to start with that analysis actually.
I suspect the attack could have been via the TCP side of DNS… but that is pure speculation… only as I haven't done anything on the server, but it hasn't reoccurred (yet). I did put some ACLs around the box so that it can only initiate TCP connections (and they are logged - the box isn't doing anything suspicious there), and NTP and DNS are allowed in from the net (and all ICMP)… so the box is sheltered from the net from any TCP SYN attempts, etc. The ACLs have isolated the box, and I was hoping to do some analysis, but then the box had a "reboot" command issued (I assume built into the script/binary that was loaded)… and after the reboot the binaries remain in the tmp folder, but none of the processes are running. The reboot happened at Fri Mar 23 11:47 UTC.
** TIA --- any comments / suggestions / help is very much welcome….
Fact summary:
Infected/hacked at 2012-03-22 17:44 UTC
FreeBSD 7.2 release
Services running: SSH, telnet (firewalled from net access - only allowed locally, not used - emergency only), BIND (BIND 9.4.3-P2) and NTP
~ 15Mbps of 'random' spoofed UDP traffic to dest port 53 (DNS)
binaries/scripts were running as root -- not sure how (BIND doesn't run as root, root is not allowed remote login, etc)
TCP established connections to 212.112.241.58:81 (I didn't have a method to capture/sniff the traffic)
At about Mar 23 05:27:54.989 UTC I finished isolating the box (ACLs around the box, to allow future analysis on the attack) - this broke the above TCP connections.
Server did a "reboot" on Fri Mar 23 11:47 UTC
Box left as-is since, haven't had time to debug.
I just noticed that sendmail was running… and not sure what TCP 3130 is off-hand. TCP 25 is isolated to only localhost/127.0.0.1. Didn't show up in nmap scans. This is new to me. Possibly the attack point??
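A defender-side check for the pattern described in this post, as an added example that is not the poster's own data or tooling: a small Python routine over constructed NetFlow-style records flags outbound UDP flows to port 53 whose source address lies outside the site's own prefix (the same traffic the edge router's RPF check would drop) and summarises the flood. The site prefix 192.0.2.0/24 and the flow records are assumptions.

```python
import ipaddress

# Constructed flow records in a NetFlow-like shape (not the poster's capture):
# (start_seconds, src_ip, src_port, dst_ip, dst_port, proto, bytes)
# proto 17 = UDP, 6 = TCP. 192.0.2.10 stands in for the site's own server.
FLOWS = [
    (0, "192.0.2.10", 53, "198.51.100.7", 40123, 17, 300),      # real DNS reply
    (0, "203.0.113.9", 4311, "198.51.100.20", 53, 17, 1500),    # spoofed source
    (1, "10.77.1.2", 5999, "203.0.113.44", 53, 17, 1500),       # spoofed source
    (1, "203.0.113.77", 6020, "198.51.100.8", 53, 17, 1500),    # spoofed source
    (2, "192.0.2.10", 51422, "198.51.100.60", 81, 6, 900),      # TCP to port 81
    (2, "198.18.5.5", 7777, "203.0.113.3", 53, 17, 1500),       # spoofed source
    (3, "192.0.2.10", 123, "198.51.100.9", 123, 17, 76),        # NTP
]

SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # assumed site address space


def is_spoofed_dns(flow, site_prefix):
    """True for an outbound UDP flow to port 53 whose source is not ours.
    Flows exported at our own edge can only legitimately carry our addresses
    as source; anything else is spoofed, which is what uRPF rejects."""
    _, src, _, _, dport, proto, _ = flow
    return proto == 17 and dport == 53 and ipaddress.ip_address(src) not in site_prefix


def summarize(flows, site_prefix):
    """Aggregate the spoofed UDP/53 flows: count, distinct targets, rate."""
    hits = [f for f in flows if is_spoofed_dns(f, site_prefix)]
    if not hits:
        return {"flows": 0, "targets": 0, "bytes": 0, "mbps": 0.0}
    span = max(f[0] for f in hits) - min(f[0] for f in hits) + 1  # seconds covered
    total = sum(f[6] for f in hits)
    return {
        "flows": len(hits),
        "targets": len({f[3] for f in hits}),  # random-looking destinations
        "bytes": total,
        "mbps": round(total * 8 / span / 1e6, 4),
    }


if __name__ == "__main__":
    print(summarize(FLOWS, SITE_PREFIX))
```

On a real capture, run this against the flows exported from the server's own edge interface; a non-zero count of spoofed UDP/53 flows is the signal that the host itself is generating the traffic.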