Re: localhost resolves to wrong IP?
From: Jonathan (jonathan_at_bakerbates.SPAMGONE.com)
Date: 11/29/03
- In reply to: Michael Heiming: "Re: localhost resolves to wrong IP?"
Date: Sat, 29 Nov 2003 13:07:22 -0000
> So this IP is in /etc/resolv.conf? Sounds as if you have been
> rooted.
No, it's not in resolv.conf. It's not in any system config file at all.
We've recursively grepped /var/named, and all of /etc. We've run chkrootkit
from a CD using trusted binaries, and we run an md5sum check (database on a
write-protected floppy) on all system binaries and important config files
(like resolv.conf) every 10mins. No sign of any rooting we can tell.
Jonathan
"Michael Heiming" <michael+USENET@www.heiming.de> wrote in message
news:d2k9qb.eg5.ln@news.heiming.de...
> Jonathan <jonathan@bakerbates.spamgone.com> wrote:
> > Hi - we're using a standard install of RedHat 7.3 i386.
>
> > About 12 hours or so ago, several services on our machine stopped
> > working. Further investigation showed that localhost is resolving to the
> > wrong IP address - instead of 127.0.0.1 it thinks it's 203.210.212.24, which
> > is nothing to do with us, it isn't even on our ISP's netblock.
>
> > /etc/hosts shows:
>
> > 127.0.0.1 localhost.localdomain localhost
>
> > and /etc/host.conf:
>
> > order hosts,bind
>
> > The machine is running a name server, but it's not querying it any more -
> > it's trying to ask this other IP, and that's not pinging.
>
> So this IP is in /etc/resolv.conf? Sounds as if you have been
> rooted. Is your box patched with all patches available for RH
> 7.3?
>
> > Anyone any ideas as to how this might be happening, and what we can do to
> > get it back to normal?
>
> If you have been cracked, which sounds reasonable, read the cols
> FAQ and reinstall your system from scratch:
>
> http://www.linuxsecurity.com/docs/colsfaq.html
>
> 5.5) I've been compromised, what should I do?
>
> Good luck
>
> --
> Michael Heiming
>
> Remove +SIGNS and www. if you expect an answer, sorry for
> inconvenience, but I get tons of SPAM