
Re: Odd entries in /var/log/messages



On Tue Mar 11 2003 at 09:37, "jim kastner" wrote:

> Content-Type: text/html;
> 	charset="US-ASCII"
> Content-Transfer-Encoding: quoted-printable

Please, no HTML to mailing lists.  Please?

> OS Redhat 7.3 running Named, Samba, IPchains behind Pix 515 firewall.
> 
> I am getting the following entries in bursts of 10 to 20 every couple of
> minutes.  Am I being hacked?

No, these are perfectly "normal".

Well, they are indications of problems, but in that respect they are
not an unusual occurrence...

> Mar 11 09:14:38 rhlin1 named[11533]: lame server resolving
> 'arabmail.com' (in 'a rabmail.com'?): 209.1.163.10#53
> Mar 11 09:14:38 rhlin1 named[11533]: lame server resolving
> 'arabmail.com' (in 'a rabmail.com'?): 209.1.163.30#53
> Mar 11 09:14:39 rhlin1 named[11533]: lame server resolving
> 'arabmail.com' (in 'a rabmail.com'?): 209.1.163.10#53
> Mar 11 09:14:39 rhlin1 named[11533]: lame server resolving
> 'arabmail.com' (in 'a rabmail.com'?): 209.1.163.30#53

The problem is not at your end, but with the way the SOA and/or NS
records have been set up for that domain.

Follow the bouncing ball... use /usr/bin/dig and /usr/bin/host to do
some investigating...

For internet DNS purposes, all this is very bad...

$ host -t ns arabmail.com    
Host arabmail.com not found: 2(SERVFAIL)

So that domain (or host) does not exist. (mis-spelt?)

$ host rabmail.com
rabmail.com has address 64.225.154.175
$ host 64.225.154.175
Host 175.154.225.64.in-addr.arpa not found: 3(NXDOMAIN)

The domain "rabmail.com" resolves to an A name for a host.
The reverse lookup on that IP does not resolve to that (or any
other) host.

The name servers for that domain are:

$ host -t ns rabmail.com
rabmail.com name server NS65.WORLDNIC.com.
rabmail.com name server NS66.WORLDNIC.com.

And the MX (mail exchange server) for this domain...

$ host -t mx rabmail.com

... does not exist (i.e., it is not used for email purposes).

However:

$ nc -v rabmail.com -z 80
rabmail.com [64.225.154.175] 80 (http) open

So there happens to be a web server at that address.  If you go
there with a browser, you get an Asian-looking "under construction"
page.  Which is very strange for the configuration of a web server
acting as a "place holder", since it wanted to set some cookies...
it makes you wonder if perhaps there is some other content hidden
behind that default index page.  (who knows?)

The IPs for these hosts are owned by these nameservers:

$ dig 255.168.216.in-addr.arpa ns | sed -n '/ANSWER SE/,/^$/p'
;; ANSWER SECTION:
255.168.216.in-addr.arpa. 86400	IN	NS	NS1.CRSNIC.NET.
255.168.216.in-addr.arpa. 86400	IN	NS	BAY-W1-INF5.VERISIGN.NET.
255.168.216.in-addr.arpa. 86400	IN	NS	GOLDENGATE-W2-INF6.VERISIGN.NET.

Interestingly, there is no SOA for that in-addr.arpa C class subnet.

The DNS servers for that domain have no reverse lookup:

$ host NS65.WORLDNIC.com 
NS65.WORLDNIC.com has address 216.168.225.205
$ host 216.168.225.205
Host 205.225.168.216.in-addr.arpa not found: 3(NXDOMAIN)
$ host NS66.WORLDNIC.com
NS66.WORLDNIC.com has address 216.168.225.206
$ host 216.168.225.205
Host 205.225.168.216.in-addr.arpa not found: 3(NXDOMAIN)

The servers nominated as SOA (source of authority) for the domain
are:

$ host -t soa rabmail.com                   
rabmail.com SOA NS65.WORLDNIC.com. namehost.WORLDNIC.com. 2002091500 3600 3600 432000 86400
$ host namehost.WORLDNIC.com.
Host namehost.WORLDNIC.com not found: 3(NXDOMAIN)

Oops - now that last one is a very bad problem, as this name server
does not exist!

So there are multiple problems here.

My suspicion is that these IPs (which "belong" to those three name
servers listed above) are being "borrowed" for the purposes of
giving a web server a workable DNS presence on the web.

You could start doing whois queries to find owners and contacts for
these domains, but I wouldn't bother.

So in summary, it is a configuration error due to either sloppy
administration or for deliberate obfuscation purposes. In any case
it illustrates a neat trick for "fly-by-nighters".  (How trivial
would it be to change the IP address of this host and its DNS
servers?  It also makes you wonder if the IPs have been borrowed or
"hijacked").

It is possible to get named to ignore these errors and not log them,
and to ease your concerns and save disk space I think that this is
what you would want to do...

// /etc/named.conf
// ...
logging {
// ...
        category        lame-servers    { null; };
// ...
}
// ...

> Thanks,

Hope this helps.

> Jim Kastner

Cheers
Tony
---*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
 Tony Nugent <Tony*linuxworks.com.au>
 LinuxWorks  Gold Coast Qld Australia
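An added illustration (not part of Tony's message, nor code from BIND): a small Python triage script that parses the "lame server resolving" lines named writes to syslog and groups them by zone and reporting server, so the noisy delegations can be checked with dig/host, as done above, before the whole category is sent to null. The sample log is the four lines quoted in the thread plus two constructed lines; the "Cleaned cache" line is an assumption standing in for any unrelated named message.

```python
import re
from collections import Counter, defaultdict

# Shape of the syslog line BIND writes under its "lame-servers" logging
# category (same format as the lines quoted in the message above).
LAME_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]: lame server resolving '(?P<name>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\): (?P<server>[0-9.]+)#(?P<port>\d+)$"
)

# Sample input: the four quoted lines, plus two constructed ones (a lame
# report for a different zone, and an unrelated named message).
SAMPLE_LOG = """\
Mar 11 09:14:38 rhlin1 named[11533]: lame server resolving 'arabmail.com' (in 'a rabmail.com'?): 209.1.163.10#53
Mar 11 09:14:38 rhlin1 named[11533]: lame server resolving 'arabmail.com' (in 'a rabmail.com'?): 209.1.163.30#53
Mar 11 09:14:39 rhlin1 named[11533]: lame server resolving 'arabmail.com' (in 'a rabmail.com'?): 209.1.163.10#53
Mar 11 09:14:39 rhlin1 named[11533]: lame server resolving 'arabmail.com' (in 'a rabmail.com'?): 209.1.163.30#53
Mar 11 09:15:02 rhlin1 named[11533]: lame server resolving 'www.example.net' (in 'example.net'?): 192.0.2.53#53
Mar 11 09:15:10 rhlin1 named[11533]: Cleaned cache of 12 RRsets
"""

def parse_lame_server(line):
    """Return the fields of one lame-server line, or None for any other line."""
    m = LAME_RE.match(line.strip())
    return m.groupdict() if m else None

def summarise(lines):
    """Count lame-server reports per (zone, server); remember the names asked for."""
    counts = Counter()
    names = defaultdict(set)
    skipped = 0
    for line in lines:
        rec = parse_lame_server(line)
        if rec is None:
            skipped += 1          # not a lame-server report; leave it alone
            continue
        key = (rec["zone"], rec["server"])
        counts[key] += 1
        names[key].add(rec["name"])
    return counts, names, skipped

def noisy_delegations(lines, threshold=2):
    """(zone, server) pairs reported at least `threshold` times: the ones worth a dig/host check."""
    counts, _, _ = summarise(lines)
    return sorted(k for k, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts, names, skipped = summarise(SAMPLE_LOG.splitlines())
    for (zone, server), n in counts.most_common():
        print(f"{n:4d}  zone={zone!r:18} server={server:15} names={sorted(names[(zone, server)])}")
    print(f"{skipped} non-lame-server line(s) ignored")
```

Feed it `grep 'lame server' /var/log/messages` instead of the sample and the top entries are the delegations to investigate; once satisfied, the named.conf change above silences the category.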




