My FC3 machine appears to be compromised, please help

Paul Howarth paul at city-fan.org
Thu Apr 6 13:28:13 UTC 2006


Bob Brennan wrote:
> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
>> Bob Brennan wrote:
>>> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
>>>> Somebody has probably changed a DNS entry for theFamily.net so that
>>>> instead of or as well as A/MX records, there's a:
>>>>
>>>> theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.
>>>>
>>>> record. Sendmail properly rewrites addresses for @theFamily.net to
>>>> @wc.funnel.revenuedirect.com.akadns.net during the address
>>>> canonicalisation stage in this case.
>>>>
>>>> Paul.
>>> All of my DNS entries for all of my domains are managed at
>>> mydomain.com (literally) and I have checked that everything on their
>>> DNS server is correct and there are no canonical entries. The refused
>>> email is being delivered correctly to my own server, so their DNS
>>> records must be correct.
>>>
>>> However it is within my own server that things are going wrong. I do
>>> not have an active DNS server but use the "hosts" file instead. The
>>> hosts file is accurate and unchanged.
>>>
>>> As I said earlier I searched all files in /etc/ for any entries that
>>> might rewrite anything to or even contain the words
>>> wc.funnel.revenuedirect.com.akadns.net and found nothing.
>>>
>>> Is there any other information I can give or look for that might help
>>> narrow this down? Or tests I can do? Or clever magical incantation
>>> command lines I can try?
>> Try DNS lookups for your domain on your machine:
>>
>> $ dig domain.xxx mx
>> $ dig theFamily.net mx
>>
>> If you gave the real domain name(s) it might help too as we can see what
>> DNS lookups from outside your network are like.
>>
>> Paul.
> 
> You are correct Paul - the dig command gives:
> 
> ;; ANSWER SECTION
> thebrennan.net             56879  IN  CNAME  wc.traffic.puredns.com.
> wc.traffic.puredns.com  23661  IN  CNAME  wc.funnel.revenuedirect.com.akadns.net.
> wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  69.25.47.165
> wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  66.150.161.58
> 
> with similar results for other domains on my server such as
> mi-server.net. Any ideas as to how to correct this and how it
> happened?

This is curious because I don't see these results myself.

Try doing the "dig" commands with the trace option set:

$ dig thebrennan.net mx +trace

Which nameservers are you using? Your ISP's? What are their IP addresses?

$ cat /etc/resolv.conf

Paul.
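An added shell example (not part of the thread) that automates the check Paul is describing: it follows any CNAME chain in a dig answer for the domain's apex and flags the case where mail for @domain would be canonicalised to the chain's end. The sample answer is constructed from Bob's output above; the live path assumes `dig` (bind-utils) is installed, and the optional third argument lets you compare your resolver against another one, as suggested.

```shell
#!/bin/sh
# Constructed sample mirroring the dig answer quoted in the thread.
SAMPLE_ANSWER='thebrennan.net          56879 IN CNAME wc.traffic.puredns.com.
wc.traffic.puredns.com. 23661 IN CNAME wc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net. 2 IN A 69.25.47.165
wc.funnel.revenuedirect.com.akadns.net. 2 IN A 66.150.161.58'
# Constructed sample of a healthy answer: a plain MX record, no CNAME.
CLEAN_ANSWER='example.net. 3600 IN MX 10 mail.example.net.'

# Read `dig +noall +answer` output on stdin and follow the CNAME chain
# starting at $1. Prints the final name, or nothing if the apex has no CNAME.
cname_target() {
    awk -v name="$1" '
        # normalise owner/target names: lower case, trailing dot
        function canon(n) { n = tolower(n); if (n !~ /\.$/) n = n "."; return n }
        $4 == "CNAME" { next_hop[canon($1)] = canon($5) }
        END {
            cur = canon(name); hops = 0
            while ((cur in next_hop) && hops < 16) { cur = next_hop[cur]; hops++ }
            if (hops > 0) print cur
        }'
}

# check_apex_cname DOMAIN [ANSWER_TEXT] [RESOLVER_IP]
# Returns 0 when the apex is clean, 1 when a CNAME redirects it.
# Without ANSWER_TEXT it performs a live MX lookup, optionally @RESOLVER_IP,
# so the same check can be run against your ISP's resolver and an outside one.
check_apex_cname() {
    domain=$1
    answer=${2:-$(dig +noall +answer ${3:+@$3} "$domain" mx 2>/dev/null)}
    target=$(printf '%s\n' "$answer" | cname_target "$domain")
    if [ -n "$target" ]; then
        echo "WARNING: $domain is a CNAME chain ending at $target" >&2
        echo "         mail for @$domain will be canonicalised to @${target%.}" >&2
        return 1
    fi
    echo "OK: no CNAME at the apex of $domain" >&2
    return 0
}
```

Run it as `check_apex_cname thebrennan.net` for a live lookup, or `check_apex_cname thebrennan.net "" 8.8.8.8`-style with a resolver address to see whether the bogus chain comes from your configured nameserver only.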
More information about the fedora-list mailing list