#1
19th October 2012, 14:19
bkilinc
Some A records are added to DNS zones !!

I have found that some A records are added to DNS zones. Since it is in the ISPConfig database, I thought this is a security issue related to ISPConfig. How can someone enter or alter DNS information, and how can I prevent further hacking?

The records are as follows (from the MySQL database); every A record is for a different zone:
31479487.dns A 67.15.35.113
31504658.dns A 67.15.35.113
31260648.dns A 67.15.35.113
31479967.dns A 67.15.35.113
31405315.dns A 67.15.35.113
31393250.dns A 67.15.35.113
34241653.dns A 67.15.35.113
32731648.dns A 67.15.35.113
31333008.dns A 67.15.35.113

#2
19th October 2012, 15:05
till

I'm not aware yet of any such issue in ISPConfig. It might be that someone just got access to the MySQL database or that someone knows the password of an admin, client or reseller account of your ISPConfig installation and used that to add the data.

Is the DNS module enabled for any of your clients or resellers in ISPConfig, or do you manage the DNS records for your clients?

Is the target IP address of the A-Records one of your servers?

You can try to find out when the records got added by looking into the sys_datalog table in the ISPConfig database; this table contains all configuration transactions.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3
19th October 2012, 15:08
till

And one more question: which ISPConfig version do you use and which Linux distribution, and have you added any remote users in ISPConfig?

#4
19th October 2012, 15:34
bkilinc

I use Ubuntu 11.10 and ISPConfig 3.0.4.6.

I manage DNS records for customers.

There is one remote user for integration, but it is only used by the local CMS on the server.

The server does not use an SSL connection for ISPConfig.

The target IP address does not belong to my servers. I haven't used them before.

I erased all suspicious A records from the panel and changed the admin password. However, I am not comfortable enough to say that everything is secure.

#5
19th October 2012, 15:36
bkilinc

I executed the following query on sys_datalog and it does not return results for modifying A records:

SELECT * FROM `sys_datalog` where `data` like '%67.15.35.113%'

It just shows delete actions, done by me.

#6
19th October 2012, 18:54
till

Ok, then the records have either been added more than 30 days ago, as the log keeps only records for this timespan, or they have been added through direct MySQL access and not through the ISPConfig interface, as ISPConfig creates a datalog record for every change, as you have seen for your delete actions.
The Following User Says Thank You to till For This Useful Post:
bkilinc (20th October 2012)
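
Both explanations in the post above (older than the 30-day log window, or written by direct MySQL access) leave a record with no insert entry in sys_datalog. The sketch below is an added example, not ISPConfig code or anything posted in this thread: it lists such A records that point outside your own addresses and groups them by target so that one address spread over several zones stands out. The dns_rr and sys_datalog column names, the 'id:<n>' dbidx format and the 'i' action code are assumptions to check against your installation, and all rows and addresses are constructed.

```python
import sqlite3
from collections import defaultdict

OWN_IPS = {"192.0.2.10"}  # constructed: addresses of your own servers

def build_sample_db():
    """Constructed stand-in for the ISPConfig database (assumed column names)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE dns_rr (id INTEGER PRIMARY KEY, zone INTEGER,
                             name TEXT, type TEXT, data TEXT);
        CREATE TABLE sys_datalog (datalog_id INTEGER PRIMARY KEY, dbtable TEXT,
                                  dbidx TEXT, action TEXT, tstamp INTEGER);
        INSERT INTO dns_rr VALUES
            (1, 1, 'www',          'A',  '192.0.2.10'),
            (2, 1, '10000001.dns', 'A',  '203.0.113.7'),
            (3, 2, '10000002.dns', 'A',  '203.0.113.7'),
            (4, 2, 'shop',         'A',  '198.51.100.5'),
            (5, 3, 'old',          'A',  '192.0.2.10'),
            (6, 3, 'mx',           'MX', 'mail.example.test.');
        INSERT INTO sys_datalog (dbtable, dbidx, action, tstamp) VALUES
            ('dns_rr', 'id:1', 'i', 1350000000),
            ('dns_rr', 'id:4', 'i', 1350000100),
            ('dns_rr', 'id:4', 'u', 1350000200);
    """)
    return db

def unlogged_foreign_a_records(db, own_ips):
    """Group A records that have no insert entry in sys_datalog and point
    outside own_ips by target address -> [(zone id, record name), ...]."""
    logged = {row[0] for row in db.execute(
        "SELECT dbidx FROM sys_datalog WHERE dbtable = 'dns_rr' AND action = 'i'")}
    hits = defaultdict(list)
    for rr_id, zone, name, data in db.execute(
            "SELECT id, zone, name, data FROM dns_rr WHERE type = 'A' ORDER BY id"):
        if f"id:{rr_id}" not in logged and data not in own_ips:
            hits[data].append((zone, name))
    return dict(hits)

def shared_across_zones(hits, min_zones=2):
    """Keep only target addresses that appear in at least min_zones zones."""
    return {ip: recs for ip, recs in hits.items()
            if len({zone for zone, _ in recs}) >= min_zones}

if __name__ == "__main__":
    found = shared_across_zones(unlogged_foreign_a_records(build_sample_db(), OWN_IPS))
    for ip, recs in found.items():
        print(ip, recs)
```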

#7
20th October 2012, 08:52
bkilinc
Thanks for your help. I will investigate the source of the issue.

All times are GMT +2.