Re: My FC3 machine appears to be compromised, please help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 4/6/06, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> Bob Brennan wrote:
> > On 4/6/06, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> >> Bob Brennan wrote:
> >>> On 4/6/06, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> >>>> Bob Brennan wrote:
> >>>>> On 4/6/06, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> >>>>>> Somebody has probably changed a DNS entry for theFamily.net so that
> >>>>>> instead of or as well as A/MX records, there's a:
> >>>>>>
> >>>>>> theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.
> >>>>>>
> >>>>>> record. Sendmail properly rewrites addresses for @theFamily.net to
> >>>>>> @wc.funnel.revenuedirect.com.akadns.net during the address
> >>>>>> canonicalisation stage in this case.
> >>>>>>
> >>>>>> Paul.
> >>>>> All of my DNS entries for all of my domains are managed at
> >>>>> mydomain.com (literally) and I have checked that everything on their
> >>>>> DNS server is correct and there are no canonical entries. The refused
> >>>>> email is being delivered correctly to my own server, so their DNS
> >>>>> records must be correct.
> >>>>>
> >>>>> However it is within my own server that things are going wrong. I do
> >>>>> not have an active DNS server but use the "hosts" file instead. The
> >>>>> hosts file is accurate and unchanged.
> >>>>>
> >>>>> As I said earlier I searched all files in /etc/ for any entries that
> >>>>> might rewrite anything to or even contain the words
> >>>>> wc.funnel.revenuedirect.com.akadns.net and found nothing.
> >>>>>
> >>>>> Is there any other information I can give or look for that might help
> >>>>> narrow this down? Or tests I can do? Or clever magical incantation
> >>>>> command lines I can try?
> >>>> Try DNS lookups for your domain on your machine:
> >>>>
> >>>> $ dig domain.xxx mx
> >>>> $ dig theFamily.net mx
> >>>>
> >>>> If you gave the real domain name(s) it might help too as we can see what
> >>>> DNS lookups from outside your network are like.
> >>>>
> >>>> Paul.
> >>> You are correct Paul - the dig command gives:
> >>>
> >>> ;; ANSWER SECTION
> >>> thebrennan.net             56879  IN  CNAME  wc.traffic.puredns.com.
> >>> wc.traffic.puredns.com  23661  IN  CNAME
> >>> wc.funnel.revenuedirect.com.akadns.net.
> >>> wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  69.25.47.165
> >>> wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  66.150.161.58
> >>>
> >>> with similar results for other domains on my server such as
> >>> mi-server.net. Any ideas as to how to correct this and how it
> >>> happened?
> >> This is curious because I don't see these results myself.
> >>
> >> Try doing the "dig" commands with the trace option set:
> >>
> >> $ dig thebrennan.net mx +trace
> >>
> >> Which nameservers are you using? Your ISP's? What are their IP addresses?
> >>
> >> $ cat /etc/resolv.conf
> >>
> >> Paul.
> >
> > [bob@mi-server ~]$ dig thebrennan.net mx +trace
> >
> > ; <<>> DiG 9.2.5 <<>> thebrennan.net mx +trace
> > ;; global options:  printcmd
> > .                       180987  IN      NS      C.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      D.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      E.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      F.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      G.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      H.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      I.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      J.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      K.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      L.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      M.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      A.ROOT-SERVERS.NET.
> > .                       180987  IN      NS      B.ROOT-SERVERS.NET.
> > ;; Received 436 bytes from 158.152.1.58#53(158.152.1.58) in 18 ms
> >
> > net.                    172800  IN      NS      A.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      B.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      C.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      D.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      E.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      F.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      G.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      H.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      I.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      J.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      K.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      L.GTLD-SERVERS.net.
> > net.                    172800  IN      NS      M.GTLD-SERVERS.net.
> > ;; Received 489 bytes from 192.33.4.12#53(C.ROOT-SERVERS.NET) in 105 ms
> >
> > thebrennan.net.         172800  IN      NS      ns1.mydomain.com.
> > thebrennan.net.         172800  IN      NS      ns2.mydomain.com.
> > thebrennan.net.         172800  IN      NS      ns3.mydomain.com.
> > thebrennan.net.         172800  IN      NS      ns4.mydomain.com.
> > ;; Received 180 bytes from 192.5.6.30#53(A.GTLD-SERVERS.net) in 112 ms
> >
> > thebrennan.net.         2400    IN      MX      0 mail.mi-server.net.
> > thebrennan.net.         2400    IN      MX      10 mx1.sitelutions.com.
> > thebrennan.net.         2400    IN      MX      20 mx2.sitelutions.com.
> > thebrennan.net.         86400   IN      NS      ns1.mydomain.com.
> > thebrennan.net.         86400   IN      NS      ns2.mydomain.com.
> > thebrennan.net.         86400   IN      NS      ns3.mydomain.com.
> > thebrennan.net.         86400   IN      NS      ns4.mydomain.com.
> > ;; Received 279 bytes from 64.94.117.195#53(ns1.mydomain.com) in 170 ms
>
> This is the correct (and expected) response.
>
> > [bob@mi-server ~]$ cat /etc/resolv.conf
> > ; generated by /sbin/dhclient-script
> > search com
> > nameserver 158.152.1.58
> > nameserver 158.152.1.43
> > [bob@mi-server ~]$
>
> These are Demon's nameservers, and they're refusing access to me
> (presumably because I'm not their customer, which is fair enough).
>
> Try asking them directly:
>
> $ dig @158.152.1.58 thebrennan.net mx
> $ dig @158.152.1.43 thebrennan.net mx
>
> If those servers are returning the bogus results, I would:
>
> (a) complain to Demon, and
> (b) run my own nameserver (you could use the caching-nameserver
> package), and use that instead of the Demon ones
>
> Paul.

Hi Paul - after many hours on the phone with Demon it is in fact CNAME
entries that are on their caching nameservers and not on my
authoritative server that I control. It took that long to find someone
that cared enough to say "I will flush the entries for you and I am
worried how someone could do that to our servers". M$ servers, I might
add, and did.

Thanks for your help, and mostly for not assuming it was me that
screwed up but rather helped me track down the true source, or at
least pass it on to Demon to figure how their own systems were
compromised.

Thanks again,
bob


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux