Some A records are added to DNS zones !!

Discussion in 'General' started by bkilinc, Oct 19, 2012.

  1. bkilinc

    bkilinc Member

    I have found that some A records are added to DNS zones. Since it is in ISPConfig database, I thought this is a security issue related to ISPConfig. How can someone enter alter DNS information, how can I prevent further hacking.

    the records are as follows (from mysql database)
    (every A record is for different zones)
    31479487.dns A 67.15.35.113
    31504658.dns A 67.15.35.113
    31260648.dns A 67.15.35.113
    31479967.dns A 67.15.35.113
    31405315.dns A 67.15.35.113
    31393250.dns A 67.15.35.113
    34241653.dns A 67.15.35.113
    32731648.dns A 67.15.35.113
    31333008.dns A 67.15.35.113
     
  2. till

    till Super Moderator

    I'am not aware yet of any such issue in ispconfig. It might be that someone just got access to the mysql database or that someone knows the password of a admin, client or reseller account of your ispconfig installation and used that to add the data.

    Is the dns module enabled for any of your clients or resellers in ispconfig or do you manage the dns records for your clients?

    Is the target IP address of the A-Records one of your servers?

    You can try to find out when the records got added by looking into the sys_datalog table in the ispconfig database, this table conatains all configuration transactions.
     
  3. till

    till Super Moderator

    And oone more question, which ISPConfig version do you use and which Linux Distribution and have you added any remote users in ispconfig?
     
  4. bkilinc

    bkilinc Member

    I use ubuntu 11.10 and ISPConfig 3.0.4.6

    I manage DNS records for customers.

    there is one remote user for integration, but it is only used by local CMS in server.

    Server does not use SSL connection for ISPConfig.

    the target IP address does not belong to my servers. I haven't used them before.

    I erased all suspicous A records from panel. and changed admin password. However I am not comfortable enough to say that everything is secure.
     
  5. bkilinc

    bkilinc Member

    I executed following query in sys_datalog and it does not return results for modifiying A records

    SELECT * FROM `sys_datalog` where `data` like '%67.15.35.113%'

    it just show delete actions, done by me.
     
  6. till

    till Super Moderator

    Ok, then the records have either been added more then 30 days ago as the log keeps only records forbthis timespan or they have been added trough a direct mysql access and not trogh the ispconfig interface as ispconfig creates a datalog record for every change as you have seen for your delete actions.
     
  7. bkilinc

    bkilinc Member

    thanks for your help. I will investigate for source of the issue.
     
: security

Share This Page