My FC3 machine appears to be compromised, please help

Bob Brennan rbrennan96 at gmail.com
Thu Apr 6 15:33:33 UTC 2006


On 4/6/06, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Thu, 2006-04-06 at 08:21, Bob Brennan wrote:
> > On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> > > Bob Brennan wrote:
> > > > On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> > > >> Somebody has probably changed a DNS entry for theFamily.net so that
> > > >> instead of or as well as A/MX records, there's a:
> > > >>
> > > >> theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.
> > > >>
> > > >> record. Sendmail properly rewrites addresses for @theFamily.net to
> > > >> @wc.funnel.revenuedirect.com.akadns.net during the address
> > > >> canonicalisation stage in this case.
> > > >>
> > > >> Paul.
> > > >
> > > > All of my DNS entries for all of my domains are managed at
> > > > mydomain.com (literally) and I have checked that everything on their
> > > > DNS server is correct and there are no canonical entries. The refused
> > > > email is being delivered correctly to my own server, so their DNS
> > > > records must be correct.
> > > >
> > > > However it is within my own server that things are going wrong. I do
> > > > not have an active DNS server but use the "hosts" file instead. The
> > > > hosts file is accurate and unchanged.
> > > >
> > > > As I said earlier I searched all files in /etc/ for any entries that
> > > > might rewrite anything to or even contain the words
> > > > wc.funnel.revenuedirect.com.akadns.net and found nothing.
> > > >
> > > > Is there any other information I can give or look for that might help
> > > > narrow this down? Or tests I can do? Or clever magical incantation
> > > > command lines I can try?
> > >
> > > Try DNS lookups for your domain on your machine:
> > >
> > > $ dig domain.xxx mx
> > > $ dig theFamily.net mx
> > >
> > > If you gave the real domain name(s) it might help too as we can see what
> > > DNS lookups from outside your network are like.
> > >
> > > Paul.
> >
> > You are correct Paul - the dig command gives:
> >
> > ;; ANSWER SECTION
> > thebrennan.net             56879  IN  CNAME  wc.traffic.puredns.com.
> > wc.traffic.puredns.com  23661  IN  CNAME
> > wc.funnel.revenuedirect.com.akadns.net.
> > wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  69.25.47.165
> > wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  66.150.161.58
> >
> > with similar results for other domains on my server such as
> > mi-server.net. Any ideas as to how to correct this and how it
> > happened?
>
> It is fairly common for ISPs to manage customer domains as
> CNAMES into their own namespaces.  Note that your inbound
> email follows the MX record instead:
>
> ;; QUESTION SECTION:
> ;thebrennan.net.                        IN      MX
>
> ;; ANSWER SECTION:
> thebrennan.net.  2400    IN      MX      0 mail.mi-server.net.
> thebrennan.net.  2400    IN      MX      10 mx1.sitelutions.com.
> thebrennan.net.  2400    IN      MX      20 mx2.sitelutions.com.
>
> On outbound mail, sendmail normally reverse-resolves its
> interface address to find its own name.  You can override
> that on the inbound side by providing all the domain names
> it should accept in the /etc/mail/local-host-names file
> and on the outbound side by uncommenting and editing the
> MASQUERADE_AS(`mydomain.com')dnl line in /etc/mail/sendmail.mc.
> Both changes require a restart of sendmail to take effect.
>
> --
>   Les Mikesell
>    lesmikesell at gmail.com

Thanks for that Les. The mail.mi-server.net is the same IP as all of
my domains, I just use it as a generic pointer in case I chop and/or
change other names. Sitelutions is a mail backup service that is
hopefully gathering and saving my email as we speak, well worth the
$1.50/month because even though my FC3 system is fairly watertight
there is no telling how, why, or for how long some lowlife has
compromised Demon's nameservers.

bob
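The diagnosis in this thread comes down to one DNS condition: the domain name itself (the apex) is a CNAME, so sendmail's address canonicalisation follows the chain and rewrites @thebrennan.net to the chain's final name, while inbound delivery still follows the MX record. The following Python is an added example, not code from the thread or from any of the posters: it parses dig-style answer lines (the sample records are constructed after the output quoted above), follows the CNAME chain for a domain, and reports whether the apex is a CNAME and what sendmail would canonicalise the domain to. All function names are my own.

```python
"""Audit dig-style DNS answer records for an apex CNAME on a mail domain.

An apex CNAME is what makes sendmail rewrite sender addresses during
canonicalisation, while inbound mail continues to follow the MX record.
"""
import re

# Constructed sample records, modelled on the dig output quoted in the thread.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
thebrennan.net.  56879  IN  CNAME  wc.traffic.puredns.com.
wc.traffic.puredns.com.  23661  IN  CNAME  wc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  69.25.47.165
wc.funnel.revenuedirect.com.akadns.net.  2  IN  A  66.150.161.58
thebrennan.net.  2400  IN  MX  0 mail.mi-server.net.
"""

# One resource record per line: NAME TTL IN TYPE RDATA
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def norm(name):
    """Lower-case a DNS name and drop the trailing dot so names compare equal."""
    return name.strip().lower().rstrip(".")


def parse_records(text):
    """Return a list of (name, ttl, type, rdata) tuples, skipping dig comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((norm(name), int(ttl), rtype.upper(), rdata.strip()))
    return records


def follow_cname(records, name, max_hops=10):
    """Follow CNAMEs from name; returns the chain starting with name itself."""
    chain = [norm(name)]
    for _ in range(max_hops):
        targets = [norm(r[3]) for r in records
                   if r[0] == chain[-1] and r[2] == "CNAME"]
        if not targets:
            return chain
        if targets[0] in chain:
            raise ValueError("CNAME loop at %s" % targets[0])
        chain.append(targets[0])
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def audit_mail_domain(records, domain):
    """Summarise what sendmail canonicalisation and MX routing would do."""
    chain = follow_cname(records, domain)
    canonical = chain[-1]
    # MX rdata is "PREFERENCE EXCHANGE"; keep just the exchange host.
    mx_targets = [norm(r[3].split()[1]) for r in records
                  if r[0] == chain[0] and r[2] == "MX" and len(r[3].split()) == 2]
    final_addresses = [r[3] for r in records if r[0] == canonical and r[2] == "A"]
    return {
        "domain": chain[0],
        "cname_chain": chain,
        "canonical": canonical,
        # True when the apex is a CNAME: sendmail rewrites @domain to @canonical.
        "apex_cname": len(chain) > 1,
        "mx_targets": mx_targets,
        "final_addresses": final_addresses,
    }


if __name__ == "__main__":
    report = audit_mail_domain(parse_records(SAMPLE_ANSWER), "thebrennan.net")
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

To use it against a live domain, paste the ANSWER SECTION of `dig domain mx` and `dig domain cname` (or `dig domain any`) into `parse_records`; a report with `apex_cname` true and a `canonical` name you do not control is exactly the symptom discussed above, and the fix on the sendmail side is the `local-host-names` / `MASQUERADE_AS` configuration Les describes.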