Has my fedora 18 installation been hacked?

agraham agraham at g-b.net
Fri Mar 15 10:20:04 UTC 2013


First, whois 216.82.176.7

216.82.176.7 belongs to a bank in the US https://www.53.com/

I don't know if it's a real bank or what?

$ whois 216.82.176.7

The last part of your ISPs message is interesting because it says:
"packet length 1400 bytes exceeds configured limit of 512 bytes"

So something is sending excessively large UDP packets to the bank via 
port 53.

This may just be DNSSEC EDNS0 protocol which is being blocked by your 
ISP's firewall.

But in this case, 53.com does not support DNSSEC (never just a bank!)

It would be good if you could ask your ISP for a packet capture (say in 
pcap format) which you could analyze off line.


Al.

On 03/15/2013 09:05 AM, Georgios Petasis wrote:
> Hi all,
>
> I have a small server that I have recently upgraded to fedora 18. After
> a while, I got notified by
> the provider that their firewall catches thousands of requests, with the
> following error message:
>
> *Source IP*: ellogon-SKEL
> *Source Port*: 35442
> *Destination IP*: 216.82.176.7
> *Destination Port*: 53
> *Description*: Dropped UDP DNS request from dmz:ellogon-SKEL/35442 to
> outside:216.82.176.7/53; packet length 1400 bytes exceeds configured
> limit of 512 bytes
>
> I have verified all packages (with rpm -Va), and didn't see anything
> strange.
>
> It is strange that the machine is trying to contact a server in USA,
> isn't it?
>
> Is there anything else to do, than re-installing the machine?
>
> (Unfortunately, due to the huge load it creates to their firewall, they
> remove the network cord from the server, so I have a few hours to debug
> this...)
>
> George
>



More information about the users mailing list