Some A records are added to DNS zones !!
I have found that some A records are added to DNS zones. Since it is in ISPConfig database, I thought this is a security issue related to ISPConfig. How can someone enter alter DNS information, how can I prevent further hacking.
the records are as follows (from mysql database)
(every A record is for different zones)
31479487.dns A 18.104.22.168
31504658.dns A 22.214.171.124
31260648.dns A 126.96.36.199
31479967.dns A 188.8.131.52
31405315.dns A 184.108.40.206
31393250.dns A 220.127.116.11
34241653.dns A 18.104.22.168
32731648.dns A 22.214.171.124
31333008.dns A 126.96.36.199
I'am not aware yet of any such issue in ispconfig. It might be that someone just got access to the mysql database or that someone knows the password of a admin, client or reseller account of your ispconfig installation and used that to add the data.
Is the dns module enabled for any of your clients or resellers in ispconfig or do you manage the dns records for your clients?
Is the target IP address of the A-Records one of your servers?
You can try to find out when the records got added by looking into the sys_datalog table in the ispconfig database, this table conatains all configuration transactions.
And oone more question, which ISPConfig version do you use and which Linux Distribution and have you added any remote users in ispconfig?
I use ubuntu 11.10 and ISPConfig 188.8.131.52
I manage DNS records for customers.
there is one remote user for integration, but it is only used by local CMS in server.
Server does not use SSL connection for ISPConfig.
the target IP address does not belong to my servers. I haven't used them before.
I erased all suspicous A records from panel. and changed admin password. However I am not comfortable enough to say that everything is secure.
I executed following query in sys_datalog and it does not return results for modifiying A records
SELECT * FROM `sys_datalog` where `data` like '%184.108.40.206%'
it just show delete actions, done by me.
Ok, then the records have either been added more then 30 days ago as the log keeps only records forbthis timespan or they have been added trough a direct mysql access and not trogh the ispconfig interface as ispconfig creates a datalog record for every change as you have seen for your delete actions.
thanks for your help. I will investigate for source of the issue.
|All times are GMT +2. The time now is 16:22.|
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.