My FC3 machine appears to be compromised, please help

Paul Howarth paul at city-fan.org
Thu Apr 6 13:49:24 UTC 2006


Bob Brennan wrote:
> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
>> Bob Brennan wrote:
>>> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
>>>> Bob Brennan wrote:
>>>>> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
>>>>>> Somebody has probably changed a DNS entry for theFamily.net so that
>>>>>> instead of or as well as A/MX records, there's a:
>>>>>>
>>>>>> theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.
>>>>>>
>>>>>> record. Sendmail properly rewrites addresses for @theFamily.net to
>>>>>> @wc.funnel.revenuedirect.com.akadns.net during the address
>>>>>> canonicalisation stage in this case.
>>>>>>
>>>>>> Paul.
>>>>> All of my DNS entries for all of my domains are managed at
>>>>> mydomain.com (literally) and I have checked that everything on their
>>>>> DNS server is correct and there are no canonical entries. The refused
>>>>> email is being delivered correctly to my own server, so their DNS
>>>>> records must be correct.
>>>>>
>>>>> However it is within my own server that things are going wrong. I do
>>>>> not have an active DNS server but use the "hosts" file instead. The
>>>>> hosts file is accurate and unchanged.
>>>>>
>>>>> As I said earlier I searched all files in /etc/ for any entries that
>>>>> might rewrite anything to or even contain the words
>>>>> wc.funnel.revenuedirect.com.akadns.net and found nothing.
>>>>>
>>>>> Is there any other information I can give or look for that might help
>>>>> narrow this down? Or tests I can do? Or clever magical incantation
>>>>> command lines I can try?
>>>> Try DNS lookups for your domain on your machine:
>>>>
>>>> $ dig domain.xxx mx
>>>> $ dig theFamily.net mx
>>>>
>>>> If you gave the real domain name(s) it might help too as we can see what
>>>> DNS lookups from outside your network are like.
>>>>
>>>> Paul.
>>> You are correct Paul - the dig command gives:
>>>
>>> ;; ANSWER SECTION
>>> thebrennan.net             56879  IN  CNAME  wc.traffic.puredns.com.
>>> wc.traffic.puredns.com  23661  IN  CNAME
>>> wc.funnel.revenuedirect.com.akadns.net.
>>> wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  69.25.47.165
>>> wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  66.150.161.58
>>>
>>> with similar results for other domains on my server such as
>>> mi-server.net. Any ideas as to how to correct this and how it
>>> happened?
>> This is curious because I don't see these results myself.
>>
>> Try doing the "dig" commands with the trace option set:
>>
>> $ dig thebrennan.net mx +trace
>>
>> Which nameservers are you using? Your ISP's? What are their IP addresses?
>>
>> $ cat /etc/resolv.conf
>>
>> Paul.
> 
> [bob at mi-server ~]$ dig thebrennan.net mx +trace
> 
> ; <<>> DiG 9.2.5 <<>> thebrennan.net mx +trace
> ;; global options:  printcmd
> .                       180987  IN      NS      C.ROOT-SERVERS.NET.
> .                       180987  IN      NS      D.ROOT-SERVERS.NET.
> .                       180987  IN      NS      E.ROOT-SERVERS.NET.
> .                       180987  IN      NS      F.ROOT-SERVERS.NET.
> .                       180987  IN      NS      G.ROOT-SERVERS.NET.
> .                       180987  IN      NS      H.ROOT-SERVERS.NET.
> .                       180987  IN      NS      I.ROOT-SERVERS.NET.
> .                       180987  IN      NS      J.ROOT-SERVERS.NET.
> .                       180987  IN      NS      K.ROOT-SERVERS.NET.
> .                       180987  IN      NS      L.ROOT-SERVERS.NET.
> .                       180987  IN      NS      M.ROOT-SERVERS.NET.
> .                       180987  IN      NS      A.ROOT-SERVERS.NET.
> .                       180987  IN      NS      B.ROOT-SERVERS.NET.
> ;; Received 436 bytes from 158.152.1.58#53(158.152.1.58) in 18 ms
> 
> net.                    172800  IN      NS      A.GTLD-SERVERS.net.
> net.                    172800  IN      NS      B.GTLD-SERVERS.net.
> net.                    172800  IN      NS      C.GTLD-SERVERS.net.
> net.                    172800  IN      NS      D.GTLD-SERVERS.net.
> net.                    172800  IN      NS      E.GTLD-SERVERS.net.
> net.                    172800  IN      NS      F.GTLD-SERVERS.net.
> net.                    172800  IN      NS      G.GTLD-SERVERS.net.
> net.                    172800  IN      NS      H.GTLD-SERVERS.net.
> net.                    172800  IN      NS      I.GTLD-SERVERS.net.
> net.                    172800  IN      NS      J.GTLD-SERVERS.net.
> net.                    172800  IN      NS      K.GTLD-SERVERS.net.
> net.                    172800  IN      NS      L.GTLD-SERVERS.net.
> net.                    172800  IN      NS      M.GTLD-SERVERS.net.
> ;; Received 489 bytes from 192.33.4.12#53(C.ROOT-SERVERS.NET) in 105 ms
> 
> thebrennan.net.         172800  IN      NS      ns1.mydomain.com.
> thebrennan.net.         172800  IN      NS      ns2.mydomain.com.
> thebrennan.net.         172800  IN      NS      ns3.mydomain.com.
> thebrennan.net.         172800  IN      NS      ns4.mydomain.com.
> ;; Received 180 bytes from 192.5.6.30#53(A.GTLD-SERVERS.net) in 112 ms
> 
> thebrennan.net.         2400    IN      MX      0 mail.mi-server.net.
> thebrennan.net.         2400    IN      MX      10 mx1.sitelutions.com.
> thebrennan.net.         2400    IN      MX      20 mx2.sitelutions.com.
> thebrennan.net.         86400   IN      NS      ns1.mydomain.com.
> thebrennan.net.         86400   IN      NS      ns2.mydomain.com.
> thebrennan.net.         86400   IN      NS      ns3.mydomain.com.
> thebrennan.net.         86400   IN      NS      ns4.mydomain.com.
> ;; Received 279 bytes from 64.94.117.195#53(ns1.mydomain.com) in 170 ms

This is the correct (and expected) response.

> [bob at mi-server ~]$ cat /etc/resolv.conf
> ; generated by /sbin/dhclient-script
> search com
> nameserver 158.152.1.58
> nameserver 158.152.1.43
> [bob at mi-server ~]$

These are Demon's nameservers, and they're refusing access to me 
(presumably because I'm not their customer, which is fair enough).

Try asking them directly:

$ dig @158.152.1.58 thebrennan.net mx
$ dig @158.152.1.43 thebrennan.net mx

If those servers are returning the bogus results, I would:

(a) complain to Demon, and
(b) run my own nameserver (you could use the caching-nameserver 
package), and use that instead of the Demon ones

Paul.
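One way to automate the check Paul suggests, comparing what the ISP's resolver returns with the authoritative answer from `+trace` and flagging a CNAME chain the zone's own servers never publish. This is an added example, not code from the thread; the two dig outputs are constructed from the records quoted above and are parsed offline.

```python
import re

# dig presentation format: owner  ttl  IN  type  rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_answer_section(dig_output):
    """Return (owner, type, rdata) tuples from dig output; ';' comments skipped.
    Names are lower-cased with the trailing dot removed so they compare equal."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype.upper(),
                            rdata.strip().rstrip(".").lower()))
    return records

def cname_chain(records, name):
    """Follow CNAMEs starting at `name`; returns the ordered targets, loop-safe."""
    chain, seen, current = [], {name}, name
    while True:
        nxt = next((rd for o, t, rd in records if o == current and t == "CNAME"), None)
        if nxt is None or nxt in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt)
        current = nxt

def unexpected_cnames(resolver_out, authoritative_out, domain):
    """CNAME targets the resolver chases that the zone's own servers never publish.
    Empty list: the resolver agrees with the authoritative answer."""
    published = {rd for _, t, rd in parse_answer_section(authoritative_out) if t == "CNAME"}
    chain = cname_chain(parse_answer_section(resolver_out), domain)
    return [t for t in chain if t not in published]

# Constructed from the answers quoted in the thread (ISP resolver vs. +trace).
RESOLVER_ANSWER = """;; ANSWER SECTION
thebrennan.net.  56879  IN  CNAME  wc.traffic.puredns.com.
wc.traffic.puredns.com.  23661  IN  CNAME  wc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  69.25.47.165
"""
AUTHORITATIVE_ANSWER = """;; ANSWER SECTION
thebrennan.net.  2400   IN  MX  0 mail.mi-server.net.
thebrennan.net.  2400   IN  MX  10 mx1.sitelutions.com.
thebrennan.net.  86400  IN  NS  ns1.mydomain.com.
"""
if __name__ == "__main__":
    print(unexpected_cnames(RESOLVER_ANSWER, AUTHORITATIVE_ANSWER, "thebrennan.net"))
```

In practice the two inputs would be the output of `dig @<resolver> thebrennan.net mx` and of the final step of `dig thebrennan.net mx +trace`; a non-empty result is the signal to query the resolver operator and switch to a local caching nameserver.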
