Fedora Linux Support Community & Resources Center
  #1  
Old 10th April 2012, 08:44 PM
zl0ja
Registered User
Join Date: Feb 2007
Posts: 5
just curious

It so happens that I had plugged a server into the internet: SL 6, Apache. It is not a production or critical server, just for fun. As I was showing off to my friends I had to lower my shields (seriously lowered them, shut down iptables, SELinux...).
From this point, one might say I unintentionally built a honeypot.
Anyway, I come home from work, I look at The Pirate Bay, and the banner at the bottom of their site has a graphic from my server. So I click, and guess what, it opens my localhost.
THE Pirate Bay is advertising me, my oh my... well, not really.
After checking logs I find no rogue activity. I ping the address; it directs to (guess...) localhost.
I check config files, apache, hosts... nothing.
Reboot. Everything is the same. Whether I ping this jamminringtones.com or put it in the browser, it goes back to 127.0.0.1.
If anyone has any clues or suggestions, I'll try them out.
Thought this would go under Servers, but hell, my server is compromised, so I'll stick to Security.
Thanks for ideas in advance.
  #2  
Old 10th April 2012, 11:35 PM
pete_1967
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 4,273
Re: just curious

Scientific Linux is not Fedora, so this belongs in Linux Chat.

1st: Disconnect the server from the network.
2nd: After you have done the above, come back and someone might bother to suggest something other than hoping you learned your lesson and reinstalling.

Seriously, with the info you've provided, it's impossible to give any further advice.
__________________
A Drink is Not Just For Christmas - SaskyCom

“Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime” so now go and...
RTFM FIRST: http://docs.fedoraproject.org/ & http://rute.2038bug.com/index.html.gz
  #3  
Old 11th April 2012, 12:00 AM
glennzo
Un-Retired Administrator
Join Date: Mar 2004
Location: Salem, Mass USA
Age: 57
Posts: 14,625
Re: just curious

Moved to Linux Chat.
Quote:
"the place to talk about anything linux-related outside of Fedora"
__________________
Glenn
The Bassinator © ®

Laptop: Toshiba Satellite / Intel Core 2 Duo 1.73 GHz / 2GB / 160GB / Intel Mobile 945GM/GMS/GME/943/940GML Integrated Graphics
Desktop: BioStar MCP6PB M2+ / AMD Phenom 9750 Quad Core / 4GB / 1TB SATA / 500GB SATA / EVGA GeForce 8400 GS 1GB
  #4  
Old 11th April 2012, 12:51 AM
AndrewSerk
Registered User
Join Date: Oct 2010
Posts: 889
Re: just curious

I agree with Pete's assessment, especially since it is a "toy" install.
Remove it from the network and reinstall.
You might want to read the security guide (there is a section on Apache): http://docs.redhat.com/docs/en-US/Re...ecurity_Guide/

Hope this helps.
  #5  
Old 11th April 2012, 05:14 AM
zl0ja
Registered User
Join Date: Feb 2007
Posts: 5
Re: just curious

Well, my info is a little sketchy. For the time being, I will not reinstall. This is the only anomaly on that system. I monitored it for half a day and nothing fishy is going on, e.g. no remote connections, no rootkit traces. Any idea where this could be coming from? I checked all hosts files. Where else to look?
  #6  
Old 11th April 2012, 08:44 AM
pete_1967
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 4,273
Re: just curious

Monitored with what? After someone gets root on your box they can, and usually do, replace binaries with their own to make it look like everything is fine and dandy.

Your machine is showing strange behaviour and you have no idea whether it has been compromised or not, so all you can do is assume it has been. Leaving it running and network-connected is the same as handing a crowbar to a burglar after he has emptied your house.

In other words: leaving it connected is grossly irresponsible.
  #7  
Old 12th April 2012, 11:17 AM
zl0ja
Registered User
Join Date: Feb 2007
Posts: 5
Re: just curious

I have done a grep on the whole system looking for jamminringtones, I have been monitoring network connections, and I have checked users for anomalies. I ran rootkit tools on the machine. Everything checks out.
No suspicious services are running, no configurations have been altered.
The answer that I am looking for is where this anomaly could be, which conf file would make my system look up jam*.com on localhost.
Maybe I am a noob, but I am no fool to leave a threat on the web.
I am just seeking knowledge.
  #8  
Old 12th April 2012, 12:35 PM
jpollard
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,782
Re: just curious

Well.

One way this can happen is by having advertising sites redirected to localhost in the /etc/hosts file. Usually this just generates a 404 error, but it depends on how your web server is configured.
  #9  
Old 12th April 2012, 01:26 PM
aleph
Banned (for/from) behaving just like everybody else!
Join Date: Jul 2007
Location: Nanjing, China
Posts: 1,332
Re: just curious

It could be your box being r00ted, or any other box between you and the destination host (thepiratebay) doing fishy things. Someone may be injecting stuff into the HTML traffic or doing a DNS hack.

(Post added at 08:26 PM; previous post was at 08:18 PM.)

I checked a few DNS servers available and every one of them answers that the hostname jamminringtones.com is 0.0.0.0. Seems someone borked their DNS settings.

How the 0.0.0.0 address got redirected to your localhost remains curious. If you ping 0.0.0.0, you'll find yourself pinging 127.0.0.1. Is this expected behaviour?

EDIT: to answer my own question, maybe yes. I think one of the special meanings of 0.0.0.0 says it should never be a destination on the Internet. Therefore, sending to 0.0.0.0 should result in something safe so that the invalid packets never spill over to other links.

EDIT^2: See this IETF document, RFC 1122: https://tools.ietf.org/html/rfc1122#page-30
Quote:
(a) { 0, 0 }

This host on this network. MUST NOT be sent, except as
a source address as part of an initialization procedure
by which the host learns its own IP address.

See also Section 3.3.6 for a non-standard use of {0,0}.
See also: RFC 1700 https://tools.ietf.org/html/rfc1700#page-4
This stackoverflow post: http://stackoverflow.com/a/923615
__________________
Code:
from rlyeh import cthulhu
cthulhu.fhtagn()

Last edited by aleph; 12th April 2012 at 01:47 PM.
  #10  
Old 12th April 2012, 08:02 PM
zl0ja
Registered User
Join Date: Feb 2007
Posts: 5
Re: just curious

Well, I have been checking my /var/log/security* files.
I often ssh to that machine from work, so I figured if someone had rooted it he'd be in the log. And before anyone says that an attacker would erase himself from the log... well, the log is bloated with attempted ssh logins from various IPs from all across the world, Brazil to China. If my little private box gets so many attacks, well, I can just imagine what it's like for the servers serving actual data.
Anyway, as for /etc/hosts, I already stated I have checked all the usual suspects. All the hosts files check out, chkrootkit and rkhunter report me as clean, and I thoroughly read those ssh logs and found no one but me successfully logging in. Anyway, I decided to close all ports but 80 and 1192, so that I can ssh from work through VPN.
Fact remains, this is suspicious behaviour, and I'll keep digging through the system to try and find what the hell is wrong with it.
By the way, people are shouting at me without anyone pointing me to any useful procedure for trying to find out why my machine is behaving this way. /etc/hosts* was an obvious starting point, but does anyone have any other clue? Maybe some piece of software might be resolving this instead of running it through DNS?

CHECK THIS OUT...
So I am a stubborn guy. I want to see this thing through. I am writing this from a live CD of SL 6.1 x86_64, which, when you do this:

Code:
[liveuser@livecd ~]$ ping jamminringtones.com

gives you this:

Code:
PING jamminringtones.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.059 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.072 ms
^C
--- jamminringtones.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1534ms
rtt min/avg/max/mdev = 0.059/0.065/0.072/0.010 ms

I believe this absolves my poor server (so I really don't see why I should reinstall), but just to make sure, can someone please try reproducing my problem?

Anyone got any idea why this is happening?
I was so certain that the problem was somewhere inside my local network that I hooked up to my neighbor's wifi and did this with the live CD, and I still get the same result.

WTF??

Last edited by zl0ja; 12th April 2012 at 11:09 PM. Reason: updated info
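The post above describes reading the sshd log for brute-force noise and checking that no one but the owner ever logged in successfully. The script below is an added example, not code from the thread, that does that check mechanically over constructed sample lines in the /var/log/secure format SL/RHEL 6 sshd writes (the hostnames, IPs, users and timestamps are made up). It counts failed attempts per source, records every accepted login, and flags any success that came from an unrecognised source or from a source that had been guessing passwords first, which is the pattern a password-spraying bot produces when it finally lands a weak root password.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the /var/log/secure format used by SL/RHEL 6 sshd.
# They are made up for this example; they are not the poster's logs.
SAMPLE_SECURE_LOG = """\
Apr 12 03:14:01 sl6 sshd[2140]: Failed password for invalid user admin from 200.155.10.7 port 51234 ssh2
Apr 12 03:14:03 sl6 sshd[2140]: Failed password for invalid user admin from 200.155.10.7 port 51240 ssh2
Apr 12 03:14:06 sl6 sshd[2142]: Failed password for root from 200.155.10.7 port 51251 ssh2
Apr 12 04:02:11 sl6 sshd[2201]: Failed password for root from 218.5.77.190 port 40112 ssh2
Apr 12 04:02:12 sl6 sshd[2201]: Failed password for root from 218.5.77.190 port 40118 ssh2
Apr 12 09:30:45 sl6 sshd[2390]: Accepted publickey for zl0ja from 192.0.2.10 port 50022 ssh2
Apr 12 22:41:09 sl6 sshd[2511]: Accepted password for root from 218.5.77.190 port 40310 ssh2
Apr 12 22:41:10 sl6 sshd[2511]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def summarize_sshd(log_text, trusted_sources):
    """Walk the log in order, counting failures per source address and recording
    every accepted login together with how many failures that same source had
    already racked up before it got in."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append({
                "user": user,
                "source": src,
                "method": method,
                "trusted_source": src in trusted_sources,
                "failures_before": failures[src],
            })
    return {
        "failures_by_source": dict(failures),
        "users_tried": {src: sorted(u) for src, u in users_tried.items()},
        "accepted": accepted,
    }


def suspicious_logins(summary):
    """An accepted login is suspicious when it came from a source you do not
    recognise, or from a source that was guessing passwords before it succeeded."""
    return [a for a in summary["accepted"]
            if not a["trusted_source"] or a["failures_before"] > 0]


if __name__ == "__main__":
    # 192.0.2.10 stands in for the poster's own workplace address (an assumption).
    s = summarize_sshd(SAMPLE_SECURE_LOG, trusted_sources={"192.0.2.10"})
    for src, n in sorted(s["failures_by_source"].items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} failed attempts, users tried {s['users_tried'][src]}")
    for a in suspicious_logins(s):
        print(f"SUSPICIOUS: {a['user']} from {a['source']} via {a['method']} "
              f"after {a['failures_before']} failures")
```

On a real box the same check is `summarize_sshd(open("/var/log/secure").read(), {...your addresses...})`; an attacker who has root can of course edit that file, so a clean result from a log on the suspect machine is only as trustworthy as remote syslog or an offline copy would make it.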
  #11  
Old 13th April 2012, 08:20 AM
aleph
Banned (for/from) behaving just like everybody else!
Join Date: Jul 2007
Location: Nanjing, China
Posts: 1,332
Re: just curious

zl0ja, please read my last post.

tl;dr version: whoever controls the domain "jamminringtones.com" has fried their DNS server so that it gives the bogus address 0.0.0.0. You can verify this using the `dig` or `host` commands. Let's look at the output of dig:

1) One of Google's public DNS servers:
Code:
[cong@localhost ~]$ dig @8.8.8.8 jamminringtones.com

; <<>> DiG 9.8.2rc2-RedHat-9.8.2-0.4.rc2.fc16 <<>> @8.8.8.8 jamminringtones.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49867
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jamminringtones.com.		IN	A

;; ANSWER SECTION:
jamminringtones.com.	1629	IN	A	0.0.0.0

;; Query time: 54 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 13 15:11:21 2012
;; MSG SIZE  rcvd: 53
2) One of OpenDNS' public servers:
Code:
[cong@localhost ~]$ dig @2620:0:ccc::2 jamminringtones.com

; <<>> DiG 9.8.2rc2-RedHat-9.8.2-0.4.rc2.fc16 <<>> @2620:0:ccc::2 jamminringtones.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jamminringtones.com.		IN	A

;; ANSWER SECTION:
jamminringtones.com.	3600	IN	A	0.0.0.0

;; Query time: 261 msec
;; SERVER: 2620:0:ccc::2#53(2620:0:ccc::2)
;; WHEN: Fri Apr 13 15:12:39 2012
;; MSG SIZE  rcvd: 53
Therefore, when you ping the host, you end up pinging 0.0.0.0. By definition, the 0.0.0.0 address refers to your own host as a destination, so you end up sending ping packets to yourself, which never leave the local loopback link.

To summarize, what you see amounts to no evidence of you being hacked.
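The two explanations offered in this thread, an /etc/hosts override (jpollard) and a domain whose owner publishes 0.0.0.0 at every public resolver (aleph), point at different places: the first is local and worth checking on the box, the second is the domain owner's doing and says nothing about the box. The script below is an added example, not code from the thread, that automates that triage over constructed inputs: a made-up /etc/hosts and a table of made-up `dig +short`-style answers from two resolvers (only the jamminringtones.com -> 0.0.0.0 answer mirrors what aleph saw; the other names and addresses are invented). It classifies each answer using the Python `ipaddress` module, where `is_unspecified` covers 0.0.0.0 and ::, and reports whether the name is overridden locally, sinkholed by its owner, or answered inconsistently by different resolvers (the case where tampering on the path becomes a live possibility).

```python
import ipaddress

# Constructed /etc/hosts content: the usual loopback entries plus an
# ad-blocking style override of the kind jpollard describes.  Not the poster's file.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost6 localhost6.localdomain6
127.0.0.1   ads.example.net   # local override
"""

# Constructed resolver answers, keyed by hostname and then by nameserver, in the
# form `dig +short` prints.  Only the 0.0.0.0 answer for jamminringtones.com
# mirrors the thread; the other names and addresses are made up.
SAMPLE_DNS = {
    "jamminringtones.com": {"8.8.8.8": ["0.0.0.0"], "2620:0:ccc::2": ["0.0.0.0"]},
    "www.example.org": {"8.8.8.8": ["93.184.216.34"], "2620:0:ccc::2": ["93.184.216.34"]},
    "cdn.example.net": {"8.8.8.8": ["203.0.113.5"], "2620:0:ccc::2": ["127.0.0.1"]},
}


def parse_hosts(text):
    """Map each name in an /etc/hosts file to the addresses listed for it,
    in file order, since glibc uses the first matching line."""
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *aliases = line.split()
        for name in aliases:
            names.setdefault(name.lower(), []).append(addr)
    return names


def classify(addr):
    """0.0.0.0 and :: are 'unspecified' (RFC 1122 {0,0}); on Linux a packet
    sent there is delivered to the local host, which is why ping shows 127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "global"


def triage(hostname, hosts_map, dns):
    """Decide whether a name that lands on localhost points at this machine
    (/etc/hosts), at the network path (resolvers disagree), or at the domain's
    owner (every resolver agrees on an unspecified/loopback address)."""
    name = hostname.lower().rstrip(".")
    if name in hosts_map:
        addrs = hosts_map[name]
        return {"source": "/etc/hosts", "addresses": addrs,
                "classes": sorted({classify(a) for a in addrs}),
                "verdict": "local override: check /etc/hosts"}
    answers = dns.get(name, {})
    if not answers:
        return {"source": "dns", "addresses": [], "classes": [], "verdict": "no answer"}
    distinct = {tuple(sorted(a)) for a in answers.values()}
    if len(distinct) > 1:
        every = sorted({a for v in answers.values() for a in v})
        return {"source": "dns", "addresses": every, "classes": [],
                "verdict": "resolvers disagree: suspect the path or a resolver"}
    addrs = list(distinct.pop())
    classes = sorted({classify(a) for a in addrs})
    if set(classes) & {"unspecified", "loopback"}:
        verdict = "every resolver agrees: domain owner sinkholed it, not a local compromise"
    else:
        verdict = "normal"
    return {"source": "dns", "addresses": addrs, "classes": classes, "verdict": verdict}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for n in ("jamminringtones.com", "ads.example.net", "www.example.org", "cdn.example.net"):
        r = triage(n, hosts, SAMPLE_DNS)
        print(f"{n}: {r['source']} {r['addresses']} {r['classes']} -> {r['verdict']}")
```

To feed it live data, read the real /etc/hosts into `parse_hosts` and fill the answer table from `dig +short @<resolver> <name>` against two or three resolvers you do not share a network path with; a name that only misbehaves through your ISP's resolver, or only on your own LAN, deserves the suspicion the thread initially aimed at the server.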
  #12  
Old 13th April 2012, 12:40 PM
zl0ja
Registered User
Join Date: Feb 2007
Posts: 5
Re: just curious

aleph, it was your post that pointed me in the right direction.
A+ for you.