LinuxQuestions.org
Old 02-20-2012, 10:21 AM   #1
tonechild
Strange log readout showing lots of queries using named, can't understand


Can anyone help me understand what this means? I'm trying to figure out if someone is using my system and how to stop it.
Code:
Feb 20 07:34:49 ip-97-74-83-225 named[26143]: client 204.194.237.19#58835: query (cache) 'interstateplastics1.com/A/IN' denied
Fient 77.88.44.250#5335: query (cache) 'ns1.interstateplastics1.com/AAAA/IN' denied
Feb 20 07:34:49 ip-97-74-83-225 named[26143]: client 204.194.237.19#15132: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 07:34:49 ip-97-74-83-225 named[26143]: client 204.194.237.19#42951: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 07:37:16 ip-97-74-83-225 named[26143]: client 64.71.184.34#35516: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 07:39:39 ip-97-74-83-225 named[26143]: client 64.62.151.34#49816: query (cache) 'thesocialladder.com/A/IN' denied
Feb 20 07:49:38 ip-97-74-83-225 named[26143]: client 66.249.71.73#45900: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 07:49:38 ip-97-74-83-225 named[26143]: client 66.249.71.108#47493: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 07:53:00 ip-97-74-83-225 xinetd[26007]: START: ftp pid=1192 from=::ffff:173.201.184.66
Feb 20 07:53:00 ip-97-74-83-225 proftpd[1192]: 127.0.0.1 (173.201.184.66[173.201.184.66]) - FTP session opened.
Feb 20 07:53:00 ip-97-74-83-225 proftpd[1192]: 127.0.0.1 (173.201.184.66[173.201.184.66]) - FTP session closed.
Feb 20 07:53:00 ip-97-74-83-225 xinetd[26007]: EXIT: ftp status=0 pid=1192 duration=0(sec)
Feb 20 07:58:00 ip-97-74-83-225 named[26143]: client 216.218.196.2#57303: query (cache) 'interstateplastics1.com/AAAA/IN' denied
Feb 20 08:00:23 ip-97-74-83-225 named[26143]: client 72.52.65.210#43825: query (cache) 'thesocialladder.com/AAAA/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 213.180.209.250#5335: query (cache) 'ns1.interstateplastics1.com/A/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 213.180.209.250#5335: query (cache) 'ns1.interstateplastics1.com/A/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 77.88.43.250#5335: query (cache) 'ns1.interstateplastics1.com/A/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 213.180.209.250#5335: query (cache) 'ns2.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 213.180.209.250#5335: query (cache) 'ns1.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 77.88.43.250#5335: query (cache) 'ns1.interstateplastics1.com/A/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 213.180.209.250#5335: query (cache) 'ns2.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 213.180.209.250#5335: query (cache) 'ns1.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.44.250#5335: query (cache) 'ns1.interstateplastics1.com/A/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.43.250#5335: query (cache) 'ns2.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.44.250#5335: query (cache) 'ns1.interstateplastics1.com/A/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.43.250#5335: query (cache) 'ns2.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.43.250#5335: query (cache) 'ns1.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.44.250#5335: query (cache) 'ns1.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.44.250#5335: query (cache) 'ns2.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.43.250#5335: query (cache) 'ns1.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.44.250#5335: query (cache) 'ns1.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.44.250#5335: query (cache) 'ns2.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:23:32 ip-97-74-83-225 named[26143]: client 220.181.108.116#16587: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 08:23:32 ip-97-74-83-225 named[26143]: client 220.181.108.116#16587: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 08:23:33 ip-97-74-83-225 named[26143]: client 220.181.108.122#17236: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 08:23:33 ip-97-74-83-225 named[26143]: client 220.181.108.122#17236: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 08:24:02 ip-97-74-83-225 named[26143]: client 123.125.71.74#44285: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 09:51:15 ip-97-74-83-225 named[26143]: client 66.249.71.57#35603: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 09:51:15 ip-97-74-83-225 named[26143]: client 66.249.71.247#36267: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.6.223#5315: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.5.195#28443: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.6.223#5315: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.5.195#28443: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.5.59#16054: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.5.66#14797: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.5.59#16054: query (cache) 'interstateplastics1.com/A/IN' denied
 
Old 02-20-2012, 10:51 AM   #2
rhbegin
Quote:
Originally Posted by tonechild
Can anyone help me understand what this means? I'm trying to figure out if someone is using my system and how to stop it.
It looks like it is trying to do recursion and the server is denying it, which it should.

What does your setup look like as far as ACLs go?

Check out this site:
http://www.grc.com/dns/benchmark.htm

Run the security tool; it will show LOTS of info on your present DNS setup and any security-related data...

Also, what distro and version of BIND are you running?

Last edited by rhbegin; 02-20-2012 at 10:53 AM.
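Added example (not from the thread, not code from either poster): a small Python triage script for the kind of named log pasted in post #1. BIND logs `query (cache) '<name>/<type>/<class>' denied` when the requested name is not in any zone the server is authoritative for, so answering would require recursion, and the allow-recursion / allow-query-cache ACL refused it. The script parses lines in that format, skips malformed ones (the garbled "Fient" line from the post is included on purpose), counts denials per client and per domain, and lists domains for which several distinct clients asked for nsN.<domain> records. That last pattern is the one worth checking against the domain's NS delegation: if this host is published as a nameserver for the domain but has no zone for it loaded, those are ordinary resolvers hitting a broken delegation rather than an attacker. Assumptions: the sample lines are taken from the post, and the two-label "zone" heuristic holds for .com names like these but not for ccTLD second-level domains.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines taken from the post above plus one garbled line
# ("Fient ...") so the parser's handling of damaged input is exercised.
SAMPLE_LOG = """\
Feb 20 07:34:49 ip-97-74-83-225 named[26143]: client 204.194.237.19#58835: query (cache) 'interstateplastics1.com/A/IN' denied
Fient 77.88.44.250#5335: query (cache) 'ns1.interstateplastics1.com/AAAA/IN' denied
Feb 20 07:39:39 ip-97-74-83-225 named[26143]: client 64.62.151.34#49816: query (cache) 'thesocialladder.com/A/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 213.180.209.250#5335: query (cache) 'ns1.interstateplastics1.com/A/IN' denied
Feb 20 08:18:53 ip-97-74-83-225 named[26143]: client 77.88.43.250#5335: query (cache) 'ns1.interstateplastics1.com/A/IN' denied
Feb 20 08:18:54 ip-97-74-83-225 named[26143]: client 77.88.44.250#5335: query (cache) 'ns2.interstateplastics1.com/AAAA/IN' denied
Feb 20 08:23:32 ip-97-74-83-225 named[26143]: client 220.181.108.116#16587: query (cache) 'www.thesocialladder.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.6.223#5315: query (cache) 'interstateplastics1.com/A/IN' denied
Feb 20 10:00:47 ip-97-74-83-225 named[26143]: client 180.76.6.223#5315: query (cache) 'interstateplastics1.com/A/IN' denied
"""

# BIND's "query (cache)" wording: the name is not in a zone this server is
# authoritative for, so the query needed recursion and the ACL refused it.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ +\d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)


def parse_denied(lines):
    """Yield a dict per well-formed denied-query line; malformed lines are skipped."""
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            yield m.groupdict()


def registrable_domain(qname):
    """Last two labels of the name. Assumption: fine for .com, wrong for e.g. .co.uk."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(lines, min_ns_clients=2):
    """Aggregate denials and flag domains whose nsN.<domain> names are being
    looked up by several distinct clients (check those against the NS delegation)."""
    per_client = Counter()
    per_zone = Counter()
    ns_clients = defaultdict(set)          # domain -> clients asking for ns*.domain
    for rec in parse_denied(lines):
        zone = registrable_domain(rec["qname"])
        per_client[rec["client"]] += 1
        per_zone[zone] += 1
        first_label = rec["qname"].split(".")[0]
        if re.fullmatch(r"ns\d*", first_label):
            ns_clients[zone].add(rec["client"])
    suspect = sorted(z for z, c in ns_clients.items() if len(c) >= min_ns_clients)
    return {"per_client": per_client, "per_zone": per_zone, "suspect_zones": suspect}


def report(lines):
    """Human-readable summary of summarize()."""
    s = summarize(lines)
    out = ["denied queries by domain:"]
    out += [f"  {n:5d}  {zone}" for zone, n in s["per_zone"].most_common()]
    out.append("top clients:")
    out += [f"  {n:5d}  {ip}" for ip, n in s["per_client"].most_common(5)]
    for zone in s["suspect_zones"]:
        out.append(f"CHECK: several resolvers asked this host for ns*.{zone}; "
                   f"is it delegated as a nameserver for {zone} without the zone loaded?")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it against `/var/log/messages` (or wherever named logs on the box) with `summarize(open(path))`; the counts tell you whether one client is hammering the server or whether, as in the post, many unrelated resolvers are all asking about the same two domains, which points at the delegation rather than at an intruder.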
 
Old 02-20-2012, 11:03 AM   #3
tonechild
That's great it is denying it. What about this?
Code:
Feb 20 07:53:00 ip-97-74-83-225 xinetd[26007]: START: ftp pid=1192 from=::ffff:173.201.184.66
Feb 20 07:53:00 ip-97-74-83-225 proftpd[1192]: 127.0.0.1 (173.201.184.66[173.201.184.66]) - FTP session opened.
Feb 20 07:53:00 ip-97-74-83-225 proftpd[1192]: 127.0.0.1 (173.201.184.66[173.201.184.66]) - FTP session closed.
Feb 20 07:53:00 ip-97-74-83-225 xinetd[26007]: EXIT: ftp status=0 pid=1192 duration=0(sec)
Does this mean someone successfully logged in via FTP?
 
Old 02-21-2012, 02:44 PM   #4
rhbegin
Quote:
Originally Posted by tonechild
That's great it is denying it. What about this?
Does this mean someone successfully logged in via FTP?
Do you need ftp access on this server?

If you do not need ftp access (turn it off).

If you do need FTP access, here is what I would do: create an ipchain rule in netfilter to LIMIT the access to FTP (through a specific IP and/or IP subnet range).

With the massive number of exploited/hacked servers and home PCs, you do not want a buffet for people to soak your server and/or run dictionary attacks on it.

If you cannot limit the IP range via an IP and/or IP subnet range, put in a connection limit (ipchain rule) and/or install fail2ban to keep rogue traffic at bay.

This IP address also has a lot of ports open on it, so someone may be using it for something they should not be doing (just a suggestion, not implying this is the case)...

Last edited by rhbegin; 02-21-2012 at 02:48 PM.
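Added example (not from the thread, not code from either poster), covering both the question in post #3 and the fail2ban-style limit suggested in post #4. proftpd writes a successful authentication to syslog as `USER <name>: Login successful.` and a failure as `USER <name> (Login failed): <reason>`; the four lines in the post contain neither, only a session opened and closed within the same second (xinetd reports `duration=0`), so they show a bare TCP connection, which could be a scanner's banner grab or an availability probe, not a login. The script groups proftpd lines by pid, classifies each session as connect-only, login-failed or login-ok, and flags any source IP with at least N failed logins inside a sliding time window, which is the same counting rule fail2ban applies (maxretry within findtime) before it inserts a firewall ban. Assumptions: the input is constructed from the post's four lines plus made-up sessions from RFC 5737 documentation addresses (203.0.113.7, 198.51.100.5), and the year is taken to be 2012 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the four lines from the post (pid 1192) plus made-up
# sessions from RFC 5737 documentation addresses, written in the syslog format
# proftpd uses for login results.
SAMPLE_LOG = """\
Feb 20 07:53:00 ip-97-74-83-225 xinetd[26007]: START: ftp pid=1192 from=::ffff:173.201.184.66
Feb 20 07:53:00 ip-97-74-83-225 proftpd[1192]: 127.0.0.1 (173.201.184.66[173.201.184.66]) - FTP session opened.
Feb 20 07:53:00 ip-97-74-83-225 proftpd[1192]: 127.0.0.1 (173.201.184.66[173.201.184.66]) - FTP session closed.
Feb 20 07:53:00 ip-97-74-83-225 xinetd[26007]: EXIT: ftp status=0 pid=1192 duration=0(sec)
Feb 20 07:55:00 ip-97-74-83-225 proftpd[1300]: 127.0.0.1 (203.0.113.7[203.0.113.7]) - FTP session opened.
Feb 20 07:55:05 ip-97-74-83-225 proftpd[1300]: 127.0.0.1 (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.
Feb 20 07:55:10 ip-97-74-83-225 proftpd[1300]: 127.0.0.1 (203.0.113.7[203.0.113.7]) - USER root (Login failed): Incorrect password.
Feb 20 07:55:15 ip-97-74-83-225 proftpd[1300]: 127.0.0.1 (203.0.113.7[203.0.113.7]) - USER test (Login failed): Incorrect password.
Feb 20 07:55:20 ip-97-74-83-225 proftpd[1300]: 127.0.0.1 (203.0.113.7[203.0.113.7]) - USER ftp (Login failed): Incorrect password.
Feb 20 07:55:25 ip-97-74-83-225 proftpd[1300]: 127.0.0.1 (203.0.113.7[203.0.113.7]) - USER www (Login failed): Incorrect password.
Feb 20 07:55:30 ip-97-74-83-225 proftpd[1300]: 127.0.0.1 (203.0.113.7[203.0.113.7]) - FTP session closed.
Feb 20 08:10:00 ip-97-74-83-225 proftpd[1400]: 127.0.0.1 (198.51.100.5[198.51.100.5]) - FTP session opened.
Feb 20 08:10:01 ip-97-74-83-225 proftpd[1400]: 127.0.0.1 (198.51.100.5[198.51.100.5]) - USER deploy: Login successful.
Feb 20 08:12:00 ip-97-74-83-225 proftpd[1400]: 127.0.0.1 (198.51.100.5[198.51.100.5]) - FTP session closed.
"""

PROFTPD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ +\d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \((?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$"
)
LOGIN_OK_RE = re.compile(r"^USER (?P<user>\S+): Login successful\.$")
LOGIN_FAIL_RE = re.compile(r"^USER (?P<user>\S+) \(Login failed\): (?P<reason>.*)$")


def _parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies it (assumed 2012 here).
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_sessions(lines, year=2012):
    """Group proftpd lines by pid. xinetd START/EXIT lines carry the same pid but
    say nothing about authentication, so they are ignored along with other noise."""
    sessions = {}
    for line in lines:
        m = PROFTPD_RE.match(line.strip())
        if not m:
            continue
        when = _parse_ts(m["ts"], year)
        s = sessions.setdefault(m["pid"], {"ip": m["ip"], "opened": None, "closed": None,
                                           "logins": [], "failures": []})
        msg = m["msg"]
        if msg == "FTP session opened.":
            s["opened"] = when
        elif msg == "FTP session closed.":
            s["closed"] = when
        else:
            ok, bad = LOGIN_OK_RE.match(msg), LOGIN_FAIL_RE.match(msg)
            if ok:
                s["logins"].append((when, ok["user"]))
            elif bad:
                s["failures"].append((when, bad["user"], bad["reason"]))
    return sessions


def outcome(session):
    """What actually happened in a session, judged only by authentication lines."""
    if session["logins"]:
        return "login_ok"
    if session["failures"]:
        return "login_failed"
    return "connect_only"     # opened and closed, no USER line: nobody logged in


def brute_force_sources(sessions, threshold=5, window=timedelta(minutes=10)):
    """IPs with >= threshold failed logins inside any window-long span, counted
    across sessions: the maxretry/findtime rule fail2ban applies before banning."""
    per_ip = defaultdict(list)
    for s in sessions.values():
        per_ip[s["ip"]].extend(t for t, _, _ in s["failures"])
    flagged = []
    for ip, times in per_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG.splitlines())
    for pid, s in sess.items():
        dur = (s["closed"] - s["opened"]).total_seconds() if s["opened"] and s["closed"] else None
        print(f"pid {pid} from {s['ip']}: {outcome(s)} (duration {dur}s)")
    print("ban candidates:", brute_force_sources(sess))
```

The connect-only classification is the answer to post #3: without a `USER ...: Login successful.` line for that pid, nobody authenticated. The `brute_force_sources` output is the list you would feed into an iptables DROP rule or let fail2ban handle; pairing it with a source-address allowlist on port 21, as post #4 recommends, removes most of the noise before it reaches proftpd at all.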
 
  

