Linux Chat: The place to talk about anything linux-related outside of Fedora

10th April 2012, 08:44 PM
Registered User
Join Date: Feb 2007
Posts: 5

just curious
Happens so that I had plugged a server onto the internetz, SL 6, apache; it is not a production or critical server, just for fun. As I was showing off to my friends I had to lower my shields (seriously lowered them, shut down iptables, selinux...).
From this point, one might say I unintentionally built a honeypot.
Anywayz, I come home from work, I look at the piratebay, and the banner on the bottom of their site has a graphic from my server. So I click, and guess what, it opens my localhost.
THE piratebay is advertising me, my oh my... well not really.
After checking logs I find no rogue activity. I ping the address; it directs to (guess...) localhost.
I check config files, apache, hosts... nothing.
Reboot. Everything is the same. Whether I ping this jamminringtones.com or put it in the browser... it goes back to 127.0.0.1.
If anyone has any clues or suggestions, I'll try them out.
Thought this would go under servers, but hell, my server is compromised, so I'll stick to security.
Thanx 4 ideas in advance.

10th April 2012, 11:35 PM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929

Re: just curious
Scientific Linux is not Fedora, so this belongs in Linux Chat.
1st: Disconnect the server from the network.
2nd: After doing the above, come back and someone might bother to suggest something other than hoping you learned your lesson and reinstalling.
Seriously, with the info you've provided, it's impossible to give any further advice.

11th April 2012, 12:00 AM
Un-Retired Administrator
Join Date: Mar 2004
Location: Salem, Mass USA
Posts: 13,934

Re: just curious
Moved to Linux Chat
Quote:
the place to talk about anything linux-related outside of Fedora
__________________
Glenn
The Bassinator © ®
Laptop: Toshiba Satellite / Intel Core 2 Duo 1.73 GHz / 2GB / 160GB / Intel Mobile 945GM/GMS/GME/943/940GML Integrated Graphics
Desktop: BioStar MCP6PB M2+ / AMD Phenom 9750 Quad Core / 4GB / 1TB SATA / 500GB SATA / EVGA GeForce 8400 GS 1GB

11th April 2012, 12:51 AM
Registered User
Join Date: Oct 2010
Posts: 888

Re: just curious
I agree with Pete's assessment especially since it is a "toy" install.
Remove from the network and reinstall.
You might want to read the security guide (there is a section on Apache): http://docs.redhat.com/docs/en-US/Re...ecurity_Guide/
Hope this helps

11th April 2012, 05:14 AM
Registered User
Join Date: Feb 2007
Posts: 5

Re: just curious
Well, my info is a little sketchy. For the time being, I will not reinstall. This is the only anomaly on that system. I monitored it for half a day and nothing fishy is going on, e.g. no remote connections, no rootkit traces. Any idea where this could be coming from? I checked all hosts files. Where else to look?

11th April 2012, 08:44 AM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929

Re: just curious
Monitored with what? After someone gets root on your box they can, and usually do, replace binaries with their own to make it look like everything is fine and dandy.
Your machine is showing strange behaviour and you have no idea whether it has been compromised or not, so all you can do is assume it has been. Leaving it running and network-connected is the same as handing a crowbar to a burglar after he has emptied your house.
In other words: leaving it connected is grossly irresponsible.

12th April 2012, 11:17 AM
Registered User
Join Date: Feb 2007
Posts: 5

Re: just curious
I have done a grep on the whole system looking for the jamminringtones, I have been monitoring network connections, have checked users for anomalies. I ran rootkit tools on the machine. Everything checks out.
No suspicious services are running, no configurations have been altered.
The answer that I am looking for is where this anomaly could be, which conf file would make my system look up jam*.com on localhost.
Maybe I am a noob, but I am no fool to leave a threat on the web.
I am just seeking knowledge.

12th April 2012, 12:35 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,110

Re: just curious
Well.
One way this can happen is by having advertising sites redirected to localhost in the /etc/hosts file. Usually this just generates a 404 error, but it depends on how your web server is configured.

12th April 2012, 01:26 PM
Banned (for/from) behaving just like everybody else!
Join Date: Jul 2007
Location: Beijing, China
Posts: 1,307

Re: just curious
It could be your box is r00ted, or any other box between you and the destination host (thepiratebay) is doing fishy things. Someone may be injecting stuff into the HTML traffic or doing a DNS hack.
---------- Post added at 08:26 PM ---------- Previous post was at 08:18 PM ----------
I checked a few DNS servers available and every one of them answers that the hostname jamminringtones.com is 0.0.0.0. Seems someone borked their DNS settings.
How the 0.0.0.0 address got redirected to your localhost remains curious. If you ping 0.0.0.0, you'll find yourself pinging 127.0.0.1. Is this expected behavior?
EDIT: to answer my own question, maybe yes. I think one of the special meanings of 0.0.0.0 says it should never be a destination on the Internet. Therefore, sending to 0.0.0.0 should result in something safe so that the invalid packets never spill over to other links.
EDIT^2: See this IETF document, RFC 1122: https://tools.ietf.org/html/rfc1122#page-30
Quote:
(a) { 0, 0 }
This host on this network. MUST NOT be sent, except as
a source address as part of an initialization procedure
by which the host learns its own IP address.
See also Section 3.3.6 for a non-standard use of {0,0}.
See also: RFC 1700 https://tools.ietf.org/html/rfc1700#page-4
This stackoverflow post: http://stackoverflow.com/a/923615
__________________
I believe in nerditarianism. I read FedoraForum for the Fedora-related posts.
Last edited by aleph; 12th April 2012 at 01:47 PM.

12th April 2012, 08:02 PM
Registered User
Join Date: Feb 2007
Posts: 5

Re: just curious
Well, I have been checking my /var/log/security* files.
I often ssh to that machine from work, so I figured if someone had rooted it he'd be in the log. And before anyone says that an attacker would erase himself from the log... well, the log is bloated with attempted ssh logins from various IPs from all across the world, Brazil to China. If my little private box gets so many attacks... well, I can just imagine what's with the servers serving actual data.
Anyway, as for the /etc/hosts, I already stated I have checked all the usual suspects; all the hosts files check out, chkrootkit and rkhunter report me as clean, I thoroughly read those ssh logs and found no one but me successfully logging in. Anyway, I decided to close all ports but 80 and 1192, so that I can ssh from work through VPN.
Fact remains, this is suspicious behaviour, and I'll keep digging through the system to try and find what the hell is wrong with it.
By the way, people are shouting at me without anyone pointing me to any useful procedure for trying to find out why my machine is behaving this way. /etc/hosts* was an obvious starting point, but does anyone have any other clue? Maybe some piece of software might be resolving this instead of running it through DNS?
CHECK THIS OUT...
So I am a stubborn guy. I want to see this thing through. I am writing this from a live CD of SL 6.1 x86_64, which, when you do this:
[liveuser@livecd ~]$ ping jamminringtones.com
GIVES YOU THIS:
PING jamminringtones.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.059 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.072 ms
^C
--- jamminringtones.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1534ms
rtt min/avg/max/mdev = 0.059/0.065/0.072/0.010 ms
I believe this absolves my poor server (so I really don't see why I should reinstall), but just to make sure, can someone please try reproducing my problem?
Anyone got any idea why this is happening?
I was so certain that the problem was somewhere inside my local network that I hooked up to my neighbour's wifi and did this with the live CD, and I still get the same result.
WTF??
Last edited by zl0ja; 12th April 2012 at 11:09 PM.
Reason: updated info

13th April 2012, 08:20 AM
Banned (for/from) behaving just like everybody else!
Join Date: Jul 2007
Location: Beijing, China
Posts: 1,307

Re: just curious
zl0ja, please read my last post.
tl;dr version: whoever controls the domain "jamminringtones.com" has fried their DNS server to give the bogus address 0.0.0.0. You can verify this using the `dig` or `host` commands. Let's look at the output of dig:
1) One of Google's public DNS servers:
Code:
[cong@localhost ~]$ dig @8.8.8.8 jamminringtones.com
; <<>> DiG 9.8.2rc2-RedHat-9.8.2-0.4.rc2.fc16 <<>> @8.8.8.8 jamminringtones.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49867
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;jamminringtones.com. IN A
;; ANSWER SECTION:
jamminringtones.com. 1629 IN A 0.0.0.0
;; Query time: 54 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 13 15:11:21 2012
;; MSG SIZE rcvd: 53
2) One of OpenDNS' public servers:
Code:
[cong@localhost ~]$ dig @2620:0:ccc::2 jamminringtones.com
; <<>> DiG 9.8.2rc2-RedHat-9.8.2-0.4.rc2.fc16 <<>> @2620:0:ccc::2 jamminringtones.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;jamminringtones.com. IN A
;; ANSWER SECTION:
jamminringtones.com. 3600 IN A 0.0.0.0
;; Query time: 261 msec
;; SERVER: 2620:0:ccc::2#53(2620:0:ccc::2)
;; WHEN: Fri Apr 13 15:12:39 2012
;; MSG SIZE rcvd: 53
Therefore, when you ping the host, you end up pinging 0.0.0.0. By definition, the 0.0.0.0 address refers to your own host as a destination, therefore you end up sending ping packets to yourself, which never leave the local loopback link.
To summarize, what you see amounts to no evidence of you being hacked.
__________________
I believe in nerditarianism. I read FedoraForum for the Fedora-related posts.
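The two explanations offered in this thread, an /etc/hosts entry pinning a name to loopback (the reply from Waldorf, Maryland) and a DNS answer of 0.0.0.0 that the kernel delivers to the local host (aleph's dig output above), can both be told apart from a compromise with a small, offline check. The script below is an added example written for this page, not code posted by anyone in the thread. It takes an /etc/hosts-style text and a table of DNS answers as plain inputs so it runs without a network; the sample hosts file, the `.example.test` names and the `SAMPLE_DNS` table are constructed, with `jamminringtones.com` mirroring the 0.0.0.0 A record shown in the dig output. The function names (`parse_hosts`, `local_sink`, `explain`, `live_lookup`) are this example's own.

```python
"""Where does a name's address come from, and does traffic to it stay on this box?

Added example for this thread, not code from any poster. It classifies a
hostname's addresses by source (/etc/hosts first, then DNS, matching the
usual 'files dns' order in /etc/nsswitch.conf) and flags addresses that
the kernel delivers locally: loopback (127.0.0.0/8, ::1) and the RFC 1122
unspecified address (0.0.0.0, ::). All sample data below is constructed.
"""
import ipaddress
import socket
from typing import Dict, List, Optional

# Constructed /etc/hosts in the "ad blocker" style mentioned earlier in the
# thread: advertising names pinned to 0.0.0.0 or 127.0.0.1.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost6
# blocked advertising hosts (constructed sample names)
0.0.0.0     ads.example.test
127.0.0.1   tracker.example.test
"""

# Constructed DNS answers mirroring the dig output in the thread: the
# domain's own DNS publishes an A record of 0.0.0.0.
SAMPLE_DNS: Dict[str, List[str]] = {"jamminringtones.com": ["0.0.0.0"]}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each name in an /etc/hosts-style text to the addresses listed for it."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def local_sink(addr: str) -> Optional[str]:
    """Explain why traffic to addr never leaves this host, or None if it would."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:   # 0.0.0.0 or ::, RFC 1122 "this host on this network"
        return "unspecified address (RFC 1122 'this host'), delivered locally"
    if ip.is_loopback:      # 127.0.0.0/8 or ::1
        return "loopback address"
    return None


def explain(hostname: str, hosts_text: str,
            dns_answers: Dict[str, List[str]]) -> dict:
    """Report where a name's addresses come from and whether they all stay local."""
    name = hostname.lower().rstrip(".")
    hosts = parse_hosts(hosts_text)
    if name in hosts:
        source, addrs = "/etc/hosts", hosts[name]
    elif name in dns_answers:
        source, addrs = "DNS", dns_answers[name]
    else:
        return {"source": None, "addresses": [], "reasons": [], "stays_local": False}
    reasons = [local_sink(a) for a in addrs]
    return {
        "source": source,
        "addresses": addrs,
        "reasons": reasons,
        "stays_local": all(r is not None for r in reasons),
    }


def live_lookup(hostname: str) -> List[str]:
    """Resolve through the system resolver (hosts file, then DNS); needs a network."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for n in ("jamminringtones.com", "ads.example.test", "example.test"):
        print(n, explain(n, SAMPLE_HOSTS, SAMPLE_DNS))
```

On a live box you would feed `explain()` the real `/etc/hosts` contents and the answers from `dig` against a resolver you trust (as aleph did with 8.8.8.8 and OpenDNS); if the name is absent from the hosts file and the trusted resolver also returns 0.0.0.0, the local machine is simply doing what RFC 1122 says and the behaviour is not evidence of tampering. A name that is present in the hosts file when you did not put it there, or a 0.0.0.0 answer that only your configured resolver gives, is the case that still deserves a closer look.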

13th April 2012, 12:40 PM
Registered User
Join Date: Feb 2007
Posts: 5

Re: just curious
aleph, it was your post that pointed me in the right direction.
A+ for you.