My FC3 machine appears to be compromised, please help
Les Mikesell
lesmikesell at gmail.com
Thu Apr 6 15:03:34 UTC 2006
On Thu, 2006-04-06 at 08:21, Bob Brennan wrote:
> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> > Bob Brennan wrote:
> > > On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> > >> Somebody has probably changed a DNS entry for theFamily.net so that
> > >> instead of or as well as A/MX records, there's a:
> > >>
> > >> theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.
> > >>
> > >> record. Sendmail properly rewrites addresses for @theFamily.net to
> > >> @wc.funnel.revenuedirect.com.akadns.net during the address
> > >> canonicalisation stage in this case.
> > >>
> > >> Paul.
> > >
> > > All of my DNS entries for all of my domains are managed at
> > > mydomain.com (literally) and I have checked that everything on their
> > > DNS server is correct and there are no canonical entries. The refused
> > > email is being delivered correctly to my own server, so their DNS
> > > records must be correct.
> > >
> > > However it is within my own server that things are going wrong. I do
> > > not have an active DNS server but use the "hosts" file instead. The
> > > hosts file is accurate and unchanged.
> > >
> > > As I said earlier I searched all files in /etc/ for any entries that
> > > might rewrite anything to or even contain the words
> > > wc.funnel.revenuedirect.com.akadns.net and found nothing.
> > >
> > > Is there any other information I can give or look for that might help
> > > narrow this down? Or tests I can do? Or clever magical incantation
> > > command lines I can try?
> >
> > Try DNS lookups for your domain on your machine:
> >
> > $ dig domain.xxx mx
> > $ dig theFamily.net mx
> >
> > If you gave the real domain name(s) it might help too as we can see what
> > DNS lookups from outside your network are like.
> >
> > Paul.
>
> You are correct Paul - the dig command gives:
>
> ;; ANSWER SECTION
> thebrennan.net 56879 IN CNAME wc.traffic.puredns.com.
> wc.traffic.puredns.com 23661 IN CNAME
> wc.funnel.revenuedirect.com.akadns.net.
> wc.funnel.revenuedirect.com.akadns.net. 2 IN A 69.25.47.165
> wc.funnel.revenuedirect.com.akadns.net. 2 IN A 66.150.161.58
>
> with similar results for other domains on my server such as
> mi-server.net. Any ideas as to how to correct this and how it
> happened?
It is fairly common for ISPs to manage customer domains as
CNAMES into their own namespaces. Note that your inbound
email follows the MX record instead:
;; QUESTION SECTION:
;thebrennan.net. IN MX
;; ANSWER SECTION:
thebrennan.net. 2400 IN MX 0 mail.mi-server.net.
thebrennan.net. 2400 IN MX 10 mx1.sitelutions.com.
thebrennan.net. 2400 IN MX 20 mx2.sitelutions.com.
On outbound mail, sendmail normally reverse-resolves its
interface address to find its own name. You can override
that on the inbound side by providing all the domain names
it should accept in the /etc/mail/local-host-names file
and on the outbound side by uncommenting and editing the
MASQUERADE_AS(`mydomain.com')dnl line in /etc/mail/sendmail.mc.
Both changes require a restart of sendmail to take effect.
--
Les Mikesell
lesmikesell at gmail.com
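A small check for the situation discussed in this thread, added here as an example and not part of the original list post: it parses dig answer lines in the format quoted above (the sample records are constructed for the example, modelled on the ones in the thread), follows the CNAME chain from the domain apex to see where address canonicalisation would land, and reports the MX hosts separately so you can confirm inbound mail is unaffected. It also flags a CNAME sharing an owner name with MX records, which RFC 1034 does not permit. The function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample answer section, in the 'name ttl IN type rdata'
# layout that dig prints (names and addresses as quoted in the thread).
SAMPLE_ANSWER = """\
thebrennan.net. 56879 IN CNAME wc.traffic.puredns.com.
wc.traffic.puredns.com. 23661 IN CNAME wc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net. 2 IN A 69.25.47.165
wc.funnel.revenuedirect.com.akadns.net. 2 IN A 66.150.161.58
thebrennan.net. 2400 IN MX 0 mail.mi-server.net.
thebrennan.net. 2400 IN MX 10 mx1.sitelutions.com.
"""


def parse_answer(text):
    """Parse dig answer lines into {owner: {rtype: [rdata, ...]}}.

    Comment lines (starting with ';') and malformed lines are skipped.
    Owner names are normalised to lowercase without the trailing dot.
    """
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner = parts[0].rstrip(".").lower()
        rtype = parts[3].upper()
        rdata = " ".join(parts[4:])
        records[owner][rtype].append(rdata)
    return records


def follow_cname(records, name, max_depth=8):
    """Return the chain of names reached by following CNAMEs from name.

    max_depth guards against a CNAME loop; the chain always starts with
    the queried name, so a name with no CNAME yields a one-element list.
    """
    name = name.rstrip(".").lower()
    chain = [name]
    cur = name
    for _ in range(max_depth):
        cnames = records.get(cur, {}).get("CNAME")
        if not cnames:
            break
        cur = cnames[0].rstrip(".").lower()
        chain.append(cur)
    return chain


def audit_domain(records, domain):
    """Report where the apex canonicalises to and which MX hosts serve it.

    A CNAME at the apex is what makes sendmail rewrite @domain addresses
    to the canonical target; inbound delivery follows the MX records,
    which are listed here in preference order.
    """
    domain = domain.rstrip(".").lower()
    chain = follow_cname(records, domain)
    mx_raw = records.get(domain, {}).get("MX", [])
    mx_sorted = sorted(mx_raw, key=lambda r: int(r.split()[0]))
    mx_hosts = [r.split()[1].rstrip(".").lower() for r in mx_sorted]
    findings = []
    if len(chain) > 1:
        findings.append(f"apex CNAME: {domain} canonicalises to {chain[-1]}")
        if mx_hosts:
            findings.append("CNAME and MX share an owner name (not permitted by RFC 1034)")
    return {"canonical": chain[-1], "mx": mx_hosts, "findings": findings}


if __name__ == "__main__":
    result = audit_domain(parse_answer(SAMPLE_ANSWER), "thebrennan.net")
    for finding in result["findings"]:
        print(finding)
    print("inbound MX order:", result["mx"])
```

To run this against a live zone, paste the answer section from `dig domain mx` and `dig domain any` (or `dig domain cname`) into the parser in place of the constructed sample; a one-element chain from `follow_cname` means the apex is not a CNAME and sendmail will not rewrite the domain during canonicalisation.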