HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   General (http://www.howtoforge.com/forums/forumdisplay.php?f=25)
-   -   Some A records are added to DNS zones !! (http://www.howtoforge.com/forums/showthread.php?t=59151)

bkilinc 19th October 2012 15:19

Some A records are added to DNS zones !!
 
I have found that some A records are added to DNS zones. Since it is in the ISPConfig database, I thought this is a security issue related to ISPConfig. How can someone enter or alter DNS information, and how can I prevent further hacking?

The records are as follows (from the mysql database)
(every A record is for a different zone):
31479487.dns A 67.15.35.113
31504658.dns A 67.15.35.113
31260648.dns A 67.15.35.113
31479967.dns A 67.15.35.113
31405315.dns A 67.15.35.113
31393250.dns A 67.15.35.113
34241653.dns A 67.15.35.113
32731648.dns A 67.15.35.113
31333008.dns A 67.15.35.113

till 19th October 2012 16:05

I'm not aware yet of any such issue in ispconfig. It might be that someone just got access to the mysql database or that someone knows the password of an admin, client or reseller account of your ispconfig installation and used that to add the data.

Is the dns module enabled for any of your clients or resellers in ispconfig or do you manage the dns records for your clients?

Is the target IP address of the A-Records one of your servers?

You can try to find out when the records got added by looking into the sys_datalog table in the ispconfig database; this table contains all configuration transactions.
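A defender-side check in the spirit of the question above about whether the target IP belongs to your own servers. This is an added example (my code, not ISPConfig's): it parses records in the same "name A ip" shape as the list in the first post, flags any whose target lies outside operator-owned networks, and groups the hits by target so one foreign IP planted across many zones stands out. OWNED_NETWORKS and the two legitimate sample rows are constructed; the 67.15.35.113 rows reuse the thread's own values.

```python
"""Flag DNS A records whose target IP is outside the networks you own."""
import ipaddress
from collections import defaultdict

# Constructed assumption: the networks this operator actually hosts on.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample in the thread's format; the last two rows are legitimate.
SAMPLE_RECORDS = """\
31479487.dns A 67.15.35.113
31504658.dns A 67.15.35.113
31260648.dns A 67.15.35.113
www.example.org A 203.0.113.10
mail.example.net A 198.51.100.25
"""


def parse_records(text):
    """Yield (name, ip) for each well-formed 'name A ip' line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "A":
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # malformed address: not something we can judge


def is_owned(ip, networks=OWNED_NETWORKS):
    """True when ip falls inside any owned network."""
    return any(ip in net for net in networks)


def find_foreign_targets(text, networks=OWNED_NETWORKS):
    """Return {target_ip: [record names]} for records pointing outside owned space."""
    hits = defaultdict(list)
    for name, ip in parse_records(text):
        if not is_owned(ip, networks):
            hits[str(ip)].append(name)
    return dict(hits)


if __name__ == "__main__":
    for target, names in find_foreign_targets(SAMPLE_RECORDS).items():
        print(f"{target} referenced by {len(names)} record(s): {', '.join(names)}")
```

Feed it a dump of the dns_rr table (or any export in that shape) instead of SAMPLE_RECORDS; a single foreign target referenced from many unrelated zones is the pattern worth cross-checking against sys_datalog.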

till 19th October 2012 16:08

And one more question: which ISPConfig version do you use, which Linux distribution, and have you added any remote users in ispconfig?

bkilinc 19th October 2012 16:34

I use ubuntu 11.10 and ISPConfig 3.0.4.6

I manage DNS records for customers.

There is one remote user for integration, but it is only used by the local CMS on the server.

Server does not use SSL connection for ISPConfig.

The target IP address does not belong to my servers. I haven't used them before.

I erased all suspicious A records from the panel and changed the admin password. However, I am not comfortable enough to say that everything is secure.

bkilinc 19th October 2012 16:36

I executed the following query in sys_datalog and it does not return results for modifying A records:

SELECT * FROM `sys_datalog` where `data` like '%67.15.35.113%'

It just shows delete actions, done by me.

till 19th October 2012 19:54

Ok, then the records have either been added more than 30 days ago, as the log keeps only records for this timespan, or they have been added through a direct mysql access and not through the ispconfig interface, as ispconfig creates a datalog record for every change, as you have seen for your delete actions.

bkilinc 20th October 2012 09:52

Thanks for your help. I will investigate the source of the issue.
