Re: My FC3 machine appears to be compromised, please help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bob Brennan wrote:
On 4/6/06, Paul Howarth <[email protected]> wrote:
Bob Brennan wrote:
On 4/6/06, Paul Howarth <[email protected]> wrote:
Somebody has probably changed a DNS entry for theFamily.net so that
instead of or as well as A/MX records, there's a:

theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.

record. Sendmail properly rewrites addresses for @theFamily.net to
@wc.funnel.revenuedirect.com.akadns.net during the address
canonicalisation stage in this case.

Paul.
All of my DNS entries for all of my domains are managed at
mydomain.com (literally) and I have checked that everything on their
DNS server is correct and there are no canonical entries. The refused
email is being delivered correctly to my own server, so their DNS
records must be correct.

However it is within my own server that things are going wrong. I do
not have an active DNS server but use the "hosts" file instead. The
hosts file is accurate and unchanged.

As I said earlier I searched all files in /etc/ for any entries that
might rewrite anything to or even contain the words
wc.funnel.revenuedirect.com.akadns.net and found nothing.

Is there any other information I can give or look for that might help
narrow this down? Or tests I can do? Or clever magical incantation
command lines I can try?
Try DNS lookups for your domain on your machine:

$ dig domain.xxx mx
$ dig theFamily.net mx

If you gave the real domain name(s) it might help too as we can see what
DNS lookups from outside your network are like.

Paul.
You are correct Paul - the dig command gives:

;; ANSWER SECTION
thebrennan.net             56879  IN  CNAME  wc.traffic.puredns.com.
wc.traffic.puredns.com 23661 IN CNAME wc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  69.25.47.165
wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  66.150.161.58

with similar results for other domains on my server such as
mi-server.net. Any ideas as to how to correct this and how it
happened?
This is curious because I don't see these results myself.

Try doing the "dig" commands with the trace option set:

$ dig thebrennan.net mx +trace

Which nameservers are you using? Your ISP's? What are their IP addresses?

$ cat /etc/resolv.conf

Paul.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux