My FC3 machine appears to be compromised, please help

Paul Howarth paul at city-fan.org
Thu Apr 6 12:29:52 UTC 2006


Bob Brennan wrote:
> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
>> Somebody has probably changed a DNS entry for theFamily.net so that
>> instead of or as well as A/MX records, there's a:
>>
>> theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.
>>
>> record. Sendmail properly rewrites addresses for @theFamily.net to
>> @wc.funnel.revenuedirect.com.akadns.net during the address
>> canonicalisation stage in this case.
>>
>> Paul.
> 
> All of my DNS entries for all of my domains are managed at
> mydomain.com (literally) and I have checked that everything on their
> DNS server is correct and there are no canonical entries. The refused
> email is being delivered correctly to my own server, so their DNS
> records must be correct.
> 
> However it is within my own server that things are going wrong. I do
> not have an active DNS server but use the "hosts" file instead. The
> hosts file is accurate and unchanged.
> 
> As I said earlier I searched all files in /etc/ for any entries that
> might rewrite anything to or even contain the words
> wc.funnel.revenuedirect.com.akadns.net and found nothing.
> 
> Is there any other information I can give or look for that might help
> narrow this down? Or tests I can do? Or clever magical incantation
> command lines I can try?

Try DNS lookups for your domain on your machine:

$ dig domain.xxx mx
$ dig theFamily.net mx

If you gave the real domain name(s) it might help too, as we can see what
DNS lookups from outside your network are like.

Paul.
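
As an added example (not part of the thread, and not code from either poster), the following script automates the check Paul recommends: feed it `dig +noall +answer` output for a domain and it follows any CNAME at the domain's apex the way Sendmail's address canonicalisation does, reporting whether the domain would be rewritten and which MX hosts were returned. The two embedded answer sets are constructed sample data for the example, not real lookups; the domain and CNAME target are the ones discussed in the thread.

```python
"""Check whether a domain's DNS answers would make an MTA rewrite its sender
addresses (a CNAME at the apex pulling the domain to another name).

Input format: lines as printed by `dig +noall +answer <domain> mx`.
Sample answer sets below are constructed for this example, not real lookups.
"""

from dataclasses import dataclass, field

# Constructed sample: the apex has been pointed at a CNAME, so canonicalisation
# rewrites @thefamily.net to the CNAME target. (Constructed, not real data.)
SAMPLE_HIJACKED = """\
theFamily.net.\t300\tIN\tCNAME\twc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net.\t60\tIN\tA\t192.0.2.10
"""

# Constructed sample of a healthy answer: MX records, no CNAME at the apex.
SAMPLE_OK = """\
theFamily.net.\t3600\tIN\tMX\t10 mail.theFamily.net.
mail.theFamily.net.\t3600\tIN\tA\t192.0.2.25
"""


@dataclass
class Answer:
    cnames: dict = field(default_factory=dict)  # owner name -> CNAME target
    mx: dict = field(default_factory=dict)      # owner name -> [(pref, host)]


def _fqdn(name):
    """Normalise a name to lower case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines into CNAME and MX tables."""
    ans = Answer()
    for line in text.splitlines():
        parts = line.split()
        # Skip comments, blank lines and anything that is not an IN record.
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        owner, rtype, rdata = _fqdn(parts[0]), parts[3], parts[4:]
        if rtype == "CNAME":
            ans.cnames[owner] = _fqdn(rdata[0])
        elif rtype == "MX" and len(rdata) >= 2:
            ans.mx.setdefault(owner, []).append((int(rdata[0]), _fqdn(rdata[1])))
    return ans


def canonicalise(name, ans, max_hops=8):
    """Follow CNAMEs as an MTA's canonicalisation step does; return the final name.

    Stops on a loop or after max_hops so a malicious chain cannot spin forever.
    """
    name = _fqdn(name)
    seen = set()
    while name in ans.cnames and len(seen) < max_hops:
        seen.add(name)
        name = ans.cnames[name]
        if name in seen:  # CNAME loop
            break
    return name


def check_domain(domain, dig_output):
    """Report whether `domain` would be rewritten, and the MX hosts returned."""
    ans = parse_dig_answer(dig_output)
    queried = _fqdn(domain)
    canon = canonicalise(queried, ans)
    return {
        "queried": queried,
        "canonical": canon,
        "rewritten": canon != queried,
        "mx": ans.mx.get(queried, []),
    }


if __name__ == "__main__":
    import sys

    # Usage: dig +noall +answer theFamily.net mx | python3 check_cname.py theFamily.net
    if len(sys.argv) == 2 and not sys.stdin.isatty():
        print(check_domain(sys.argv[1], sys.stdin.read()))
    else:
        for label, text in (("hijacked", SAMPLE_HIJACKED), ("ok", SAMPLE_OK)):
            print(label, check_domain("theFamily.net", text))
```

Run it once with `dig` pointed at the resolver the affected machine actually uses and once against an outside resolver (for example `dig @8.8.8.8 +noall +answer theFamily.net mx`); if only the local run reports `rewritten: True`, the bad answer is coming from the local resolution path rather than from the registrar's DNS.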
