Networking Forums

localhost resolves to wrong IP?
Jonathan
      11-28-2003, 02:17 PM
Hi - we're using a standard install of RedHat 7.3 i386.

About 12 hours or so ago, several services on our machine stopped
working. Further investigation showed that localhost is resolving to the
wrong IP address - instead of 127.0.0.1 it thinks it's 203.210.212.24, which
is nothing to do with us, it isn't even on our ISP's netblock.

/etc/hosts shows:

127.0.0.1 localhost.localdomain localhost

and /etc/host.conf:

order hosts,bind

The machine is running a name server, but it's not querying it any more -
it's trying to ask this other IP, and that's not pinging.

Anyone any ideas as to how this might be happening, and what we can do to
get it back to normal?

Thanks,

Jonathan

Peteris Krumins
      11-28-2003, 07:56 PM
"Jonathan" <(E-Mail Removed)> wrote in
news:UHJxb.14169$(E-Mail Removed):

> /etc/hosts shows:
>
> 127.0.0.1 localhost.localdomain localhost


why do you need 'localhost.localdomain'?

> and /etc/host.conf:
>
> order hosts,bind
>


Good, but I believe RedHat 7.3 uses libc6, so the resolving
routines use /etc/nsswitch.conf first.

Please check if /etc/nsswitch.conf contains lines:
hosts: files dns
networks: files dns


P.Krumins

Jonathan
      11-28-2003, 09:52 PM
Thanks for your reply! This is really mystifying the hell out of us right
now.

> why do you need 'localhost.localdomain'?


No idea. That's what RedHat puts in on a default install.

> Good but, I believe RedHat 7.3 uses libc6, so the resolving
> routines use /etc/nsswitch.conf first.


OK, we have the following in there:

hosts: files nisplus dns
networks: files

Should that be "networks files dns" instead?

Meanwhile, we seem to have solved it for now by putting a host in our
domain's zone file for "localhost" and pointing it at 127.0.0.1

But how did this happen? Is it/was it some kind of DNS poisoning attack? We
noticed the effect first from users not being able to log in to our webmail
system: PHP was trying to connect to imapd on "localhost" which was then
resolving to a public IP address on another network. Some kind of
password-sniffing attempt?

Jonathan

Michael Heiming
      11-29-2003, 07:06 AM
Jonathan <(E-Mail Removed)> wrote:
> Hi - we're using a standard install of RedHat 7.3 i386.


> About 12 hours or so ago, several services on our machine stopped
> working. Further investigation showed that localhost is resolving to the
> wrong IP address - instead of 127.0.0.1 it thinks it's 203.210.212.24, which
> is nothing to do with us, it isn't even on our ISP's netblock.


> /etc/hosts shows:


> 127.0.0.1 localhost.localdomain localhost


> and /etc/host.conf:


> order hosts,bind


> The machine is running a name server, but it's not querying it any more -
> it's trying to ask this other IP, and that's not pinging.


So this IP is in /etc/resolv.conf? Sounds as if you have been
rooted. Is your box patched with all patches available for RH
7.3?

> Anyone any ideas as to how this might be happening, and what we can do to
> get it back to normal?


If you have been cracked, which sounds reasonable, read the cols
FAQ and reinstall your system from scratch:

http://www.linuxsecurity.com/docs/colsfaq.html

5.5) I've been compromised, what should I do?

Good luck

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM

David
      11-29-2003, 07:21 AM
> Jonathan wrote:
>
>>Hi - we're using a standard install of RedHat 7.3 i386.

>
>>About 12 hours or so ago, several services on our machine stopped
>>working. Further investigation showed that localhost is resolving to the
>>wrong IP address - instead of 127.0.0.1 it thinks it's 203.210.212.24, which
>>is nothing to do with us, it isn't even on our ISP's netblock.

>
>>/etc/hosts shows:
>>127.0.0.1 localhost.localdomain localhost
>>and /etc/host.conf:
>>order hosts,bind

>
>>The machine is running a name server, but it's not querying it any more -
>>it's trying to ask this other IP, and that's not pinging.


It doesn't sound good. The IP is registered to Hanoi, Vietnam.

% [whois.apnic.net node-2]
% Whois data copyright terms
http://www.apnic.net/db/dbcopyright.html

inetnum: 203.210.128.0 - 203.210.255.255
netname: VNPT-VNNIC-VN
descr: Vietnam Posts and Telecommunications (VNPT)
descr: 23 Nguyen Du street, Hanoi capital, Vietnam
country: VN

>>Anyone any ideas as to how this might be happening, and what we can do to
>>get it back to normal?


If the box has been CRACKED the only way to fix it and know that
you didn't miss anything that has been changed or added to the
system is to wipe the drive and do a re-install with a newer
distro if you can. Backup any data first if you determine the box
has been CRACKED. You may even want to make a backup of the drive
to CD so you can try to find out how they gained access to it and
what was changed.

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.22 SMP i686 (GCC) 3.3.2
Uptime: 5 days, 6:52, 1 user, load average: 0.02, 0.08, 0.05

Baho Utot
      11-29-2003, 11:03 AM
Jonathan wrote:

> Thanks for your reply! This is really mystifying the hell out of us right
> now.
>
>> why do you need 'localhost.localdomain'?

>
> No idea. That's what RedHat puts in on a default install.
>


It's a RH thing, RH uses localhost.localdomain on systems that are
configured with networking and NIC(s) installed. w/o the NIC it's plain
old localhost.

>> Good but, I believe RedHat 7.3 uses libc6, so the resolving
>> routines use /etc/nsswitch.conf first.

>
> OK, we have the following in there:
>
> hosts: files nisplus dns
> networks: files
>
> Should that be "networks files dns" instead?
>


Nope, what you have are the stock RH settings and they work fine here.
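The exchange above (Peteris's point that a libc6 system consults /etc/nsswitch.conf before /etc/host.conf, and the stock `hosts: files nisplus dns` line Jonathan quotes) comes down to the order in which the resolver walks its sources. As an added example, not code from this thread, here is a small Python simulation of that walk: it parses the `hosts:` line of an nsswitch-style text, consults an /etc/hosts-style table and a constructed stand-in for DNS in that order, and reports which source answered. The function names (`parse_nsswitch`, `parse_hosts`, `resolve`) are mine, the sample files are constructed to mirror the ones quoted in the thread, and the `nisplus` source is not modelled (it is treated as "not found" so the walk continues past it, which is an assumption of this simulation rather than a statement about glibc).

```python
"""Simulate the glibc NSS lookup order for the 'hosts' database.

Added example, not code from the thread. It parses the `hosts:` line of an
/etc/nsswitch.conf-style text, then consults an /etc/hosts-style table and
a constructed stand-in for DNS in that order. The `nisplus` source is not
modelled and is treated as "not found", so the walk continues past it.
"""

# Constructed sample inputs, mirroring the files quoted in the thread.
NSSWITCH_STOCK = "hosts: files nisplus dns\nnetworks: files\n"
NSSWITCH_DNS_FIRST = "hosts: dns files\n"   # a misordering worth detecting
HOSTS_FILE = "127.0.0.1 localhost.localdomain localhost\n"

# Constructed stand-in for a DNS server that answers 'localhost' with the
# public address reported in the thread.
BAD_DNS = {"localhost": "203.210.212.24"}


def parse_nsswitch(text, database="hosts"):
    """Return the ordered source list for one database, e.g. ['files', 'nisplus', 'dns'].

    Action specifiers such as [NOTFOUND=return] are dropped for simplicity.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return [s for s in sources.split() if not s.startswith("[")]
    return []


def parse_hosts(text):
    """Map every hostname/alias in an /etc/hosts-style text to its address (first entry wins)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(name, nsswitch_text, hosts_text, dns_table):
    """Walk the sources in nsswitch order; return (address, source) or (None, None)."""
    hosts = parse_hosts(hosts_text)
    for source in parse_nsswitch(nsswitch_text):
        if source == "files":
            address = hosts.get(name.lower())
        elif source == "dns":
            address = dns_table.get(name.lower())
        else:
            address = None   # nisplus and friends: not modelled here
        if address is not None:
            return address, source
    return None, None


def demo():
    """Three scenarios: stock order, DNS before files, and a hosts file with no localhost entry."""
    return {
        "stock": resolve("localhost", NSSWITCH_STOCK, HOSTS_FILE, BAD_DNS),
        "dns_first": resolve("localhost", NSSWITCH_DNS_FIRST, HOSTS_FILE, BAD_DNS),
        "no_hosts_entry": resolve("localhost", NSSWITCH_STOCK, "", BAD_DNS),
    }


if __name__ == "__main__":
    for scenario, (address, source) in demo().items():
        print(f"{scenario:15s} -> {address} (answered by {source})")
```

The point the simulation makes is that with the stock order the /etc/hosts entry should win, and DNS is only consulted when every earlier source comes up empty. On a live glibc box the equivalent check is to compare `getent hosts localhost`, which goes through NSS exactly as applications do, with a direct DNS query from `host localhost` or `dig localhost`; when the two disagree, the answer an application sees came from a different source than the one you expected.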
 
Jonathan
      11-29-2003, 12:07 PM
> So this IP is in /etc/resolv.conf? Sounds as if you have been
> rooted.


No, it's not in resolv.conf. It's not in any system config file at all.
We've recursively grepped /var/named, and all of /etc. We've run chkrootkit
from a CD using trusted binaries, and we run an md5sum check (database on a
write-protected floppy) on all system binaries and important config files
(like resolv.conf) every 10mins. No sign of any rooting we can tell.

Jonathan
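The integrity check Jonathan describes (an md5sum database kept on write-protected media, re-run against system binaries and key config files every few minutes) is a sound detection control, and it is worth seeing what such a checker does and does not catch. As an added example, not code from this thread, here is a baseline-and-verify checker in Python. It departs from the poster's setup in two labelled ways: it uses SHA-256 rather than MD5, and it records file mode and size alongside the digest so that a permission change is also reported. The files it checks are constructed in a temporary directory, the function names are mine, and the address written during the simulated edit (198.51.100.7) is a documentation-range placeholder.

```python
"""Baseline-and-verify file integrity check, in the spirit of the poster's
md5sum database on a write-protected floppy.

Added example, not code from the thread. Differences from what the poster
described: SHA-256 instead of MD5, and file mode and size are recorded as
well as the digest, so a permission change (e.g. a new setuid bit) is also
reported. The files used here are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, mode and size for each path. Store the result on read-only media."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {"sha256": file_digest(path), "mode": st.st_mode, "size": st.st_size}
    return baseline


def verify(baseline):
    """Compare the live files against the baseline; return lists of findings."""
    findings = {"changed": [], "missing": [], "mode_changed": []}
    for path, record in baseline.items():
        if not os.path.exists(path):
            findings["missing"].append(path)
            continue
        if file_digest(path) != record["sha256"]:
            findings["changed"].append(path)
        if os.stat(path).st_mode != record["mode"]:
            findings["mode_changed"].append(path)
    return findings


def demo():
    """Constructed scenario: baseline two config files, then edit one and re-check."""
    workdir = tempfile.mkdtemp()
    resolv = os.path.join(workdir, "resolv.conf")
    hosts = os.path.join(workdir, "hosts")
    with open(resolv, "w") as f:
        f.write("nameserver 127.0.0.1\n")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost.localdomain localhost\n")

    baseline = build_baseline([resolv, hosts])
    # Round-trip through JSON: this is the form you would write to the
    # write-protected medium and read back at every check.
    stored = json.loads(json.dumps(baseline))

    clean_run = verify(stored)
    # Simulated unauthorised edit (198.51.100.7 is a documentation-range placeholder).
    with open(resolv, "w") as f:
        f.write("nameserver 198.51.100.7\n")
    tampered_run = verify(stored)
    return clean_run, tampered_run, resolv


if __name__ == "__main__":
    clean, tampered, _ = demo()
    print("clean run:  ", clean)
    print("after edit: ", tampered)
```

Two practical notes. First, as with the chkrootkit run from CD, the checker, its interpreter and the baseline must all come from trusted media, because a compromised host can misreport file contents to any tool run on it. Second, the thread itself shows the limit of file hashing: resolv.conf was intact because it had not been edited, and a hash database says nothing about in-memory state, the name server's live zone data or the answers arriving from the network, so it complements rather than replaces checks such as `netstat -tupan` and the logs.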



"Michael Heiming" <michael+(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Jonathan <(E-Mail Removed)> wrote:
> > Hi - we're using a standard install of RedHat 7.3 i386.

>
> > About 12 hours ago or so ago, several services on our machine stopped
> > working. Further investigation showed that localhost is resolving to the
> > wrong IP address - instead of 127.0.0.1 it thinks it's 203.210.212.24,

which
> > is nothing to do with us, it isn't even on our ISP's netblock.

>
> > /etc/hosts shows:

>
> > 127.0.0.1 localhost.localdomain localhost

>
> > and /etc/host.conf:

>
> > order hosts,bind

>
> > The machine is running a name server, but it's not querying it any

more -
> > it's trying to ask this other IP, and that's not pinging.

>
> So this IP is in /etc/resolv.conf? Sounds as if you have been
> rooted. Is your box patched with all patches available for RH
> 7.3?
>
> > Anyone any ideas as to how this might be happening, and what we can do

to
> > get it back to normal?

>
> If you have been cracked, which sounds reasonable, read the cols
> FAQ and reinstall your system from scratch:
>
> http://www.linuxsecurity.com/docs/colsfaq.html
>
> 5.5) I've been compromised, what should I do?
>
> Good luck
>
> --
> Michael Heiming
>
> Remove +SIGNS and www. if you expect an answer, sorry for
> inconvenience, but I get tons of SPAM



 
Reply With Quote
 
David
      11-29-2003, 03:32 PM
Jonathan wrote:
>>So this IP is in /etc/resolv.conf? Sounds as if you have been
>>rooted.

>
>
> No, it's not in resolv.conf. It's not in any system config file at all.
> We've recursively grepped /var/named, and all of /etc. We've run chkrootkit
> from a CD using trusted binaries, and we run an md5sum check (database on a
> write-protected floppy) on all system binaries and important config files
> (like resolv.conf) every 10mins. No sign of any rooting we can tell.


Does "ifconfig" or "netstat -tupan" or the logs show anything?

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.22 SMP i686 (GCC) 3.3.2
Uptime: 5 days, 15:22, 1 user, load average: 0.00, 0.04, 0.02

Tim Haynes
      11-29-2003, 04:13 PM
David <(E-Mail Removed)> writes:

>> No, it's not in resolv.conf. It's not in any system config file at all.
>> We've recursively grepped /var/named, and all of /etc. We've run
>> chkrootkit from a CD using trusted binaries, and we run an md5sum check
>> (database on a write-protected floppy) on all system binaries and
>> important config files (like resolv.conf) every 10mins. No sign of any
>> rooting we can tell.

>
> Does "ifconfig" or "netstat -tupan" or the logs show anything?


What about nsswitch.conf as well?

~Tim
--
Cries of mercy rise like rockets |(E-Mail Removed)
Through the paths of the redeemed |http://spodzone.org.uk/

Jonathan
      11-29-2003, 07:30 PM
Tried that - it's just the default settings.

Yet if you do a ping localhost, or traceroute localhost it goes off to an IP
other than 127.0.0.1.

Well, it did until we put "localhost" pointing explicitly to 127.0.0.1 into
our DNS zone file. Services are now working - but why?

JJ



"Tim Haynes" <usenet-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> David <(E-Mail Removed)> writes:
>
> >> No, it's not in resolv.conf. It's not in any system config file at all.
> >> We've recursively grepped /var/named, and all of /etc. We've run
> >> chkrootkit from a CD using trusted binaries, and we run an md5sum check
> >> (database on a write-protected floppy) on all system binaries and
> >> important config files (like resolv.conf) every 10mins. No sign of any
> >> rooting we can tell.

> >
> > Does "ifconfig" or "netstat -tupan" or the logs show anything?

>
> What about nsswitch.conf as well?
>
> ~Tim
> --
> Cries of mercy rise like rockets

|(E-Mail Removed)
> Through the paths of the redeemed |http://spodzone.org.uk/



 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
No route for localhost? jprudent Linux Networking 3 02-23-2011 09:43 AM
Localhost john Windows Networking 3 02-11-2008 01:31 PM
Delay while application resolves first access to server Jane D Broadband 11 12-10-2005 01:24 PM
localhost connection kc Broadband Hardware 1 02-02-2004 01:39 AM
Cannot find localhost Dr. O Linux Networking 6 12-13-2003 11:51 PM



1 2 3 4 5 6 7 8 9 10 11