Being hacked



krawhitham
05-31-2009, 02:41 AM
Somehow someone keeps adding subdomains that point to a different server to my DNS server. I've changed all passwords and it still continues.


bancopostaonline.avviso.codice.personale.it.mindwarped.com. 14400 IN A 217.113.192.83

I'm running CentOS 5.

Here is my /etc/named.conf:

// generated by named-bootconf.pl

options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

include "/etc/rndc.key";

zone "178581.ds.nac.net" { type master; file "/var/named/178581.ds.nac.net.db"; };
zone "groupwbench.com" { type master; file "/var/named/groupwbench.com.db"; };
zone "eamods.com" { type master; file "/var/named/eamods.com.db"; };
zone "reellife.net" { type master; file "/var/named/reellife.net.db"; };
zone "lilgamelvr.com" { type master; file "/var/named/lilgamelvr.com.db"; };
zone "2k-mods.com" { type master; file "/var/named/2k-mods.com.db"; };
zone "mindwarped.com" { type master; file "/var/named/mindwarped.com.db"; };
zone "tonk.info" { type master; file "/var/named/tonk.info.db"; };
zone "ua4.us" { type master; file "/var/named/ua4.us.db"; };
zone "mvpclassics.com" { type master; file "/var/named/mvpclassics.com.db"; };
zone "krawhitham.com" { type master; file "/var/named/krawhitham.com.db"; };
zone "mlbmods.com" { type master; file "/var/named/mlbmods.com.db"; };

floyd
05-31-2009, 03:37 AM
What do the logs tell you? If you do not know how to find the logs or how to read the logs I would suggest hiring a system administrator.

krawhitham
05-31-2009, 09:53 AM
Only thing strange in the logs is failed login attempts (each one a different user name).

Maybe 10,000 failed attempts a day, I keep blocking IP addresses. Nothing ever shows them being successful at logging in.


May 31 04:35:19 178581 sshd[20829]: Illegal user bear from ::ffff:76.25.182.201
May 31 04:35:19 178581 sshd[20832]: Illegal user baritone from ::ffff:76.25.182.201

nobaloney
05-31-2009, 01:10 PM
What is the output of this command:

ls -al /var/named/mindwarped.com.db

Jeff
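
As a companion to the file listing requested above (an added example, not part of the thread): a shell function that lists the A records in a BIND zone file whose address is not one the operator expects, which is how an injected record like the one quoted in the first post would surface. The function names, sample zone and addresses are constructed for illustration.

```shell
#!/bin/sh
# Usage: unexpected_a_records ZONEFILE EXPECTED_IP [EXPECTED_IP ...]
# Prints "owner address" for every A record not pointing at an expected IP.
unexpected_a_records() {
    zonefile=$1; shift
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            sub(/;.*/, "")                 # drop zone-file comments
            if (NF == 0 || $0 ~ /^\$/) next  # skip blanks, $TTL, $ORIGIN
            # A line that starts with whitespace inherits the previous owner.
            if ($0 ~ /^[ \t]/) start = 1
            else { owner = $1; start = 2 }
            for (i = start; i < NF; i++)
                if (toupper($i) == "A" &&
                    $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    if (!($(i + 1) in ok)) print owner, $(i + 1)
                    break
                }
        }' "$zonefile"
}

# Constructed sample zone using documentation addresses (not data from the thread).
sample_zone() {
    cat <<'EOF'
$TTL 14400
@ IN SOA ns1.example.test. admin.example.test. ( 2009053101 3600 600 86400 3600 )
example.test. 14400 IN A 192.0.2.10
www 14400 IN A 192.0.2.10 ; web server
        IN A 198.51.100.7
login.bank.example.test. 14400 IN A 203.0.113.83
a IN A 192.0.2.10
example.test. IN TXT "v=spf1 a mx -all"
EOF
}

# Demo: 192.0.2.10 is the only address this (hypothetical) server should serve.
z=$(mktemp)
sample_zone > "$z"
unexpected_a_records "$z" 192.0.2.10
rm -f "$z"
```

Run it against each file named in /etc/named.conf with the server's real addresses as the expected list; any output is a record to trace back through the zone file's owner and modification time.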