LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   ATT says they've discovered an open DNS server at my IP (https://www.linuxquestions.org/questions/linux-security-4/att-says-theyve-discovered-an-open-dns-server-at-my-ip-4175491905/)

Quakeboy02 01-20-2014 09:04 AM

ATT says they've discovered an open DNS server at my IP
 
I got an email from ATT today containing this: "a device using your Internet connection is configured to run an open Domain Name System (DNS) resolver." Since I didn't configure my system that way, I'm at a loss. I am running two Debian Wheezy machines which were recently upgraded from Squeeze. I am using an Actiontec GT784WN Wireless N DSL Modem with the wireless disabled. Last year shortly after I moved here and got this new DSL modem, I noticed odd activity on my second machine, and found a DOS script running on it. I removed the hard drive and rebuilt the system on a different drive, and that's when I turned the wireless off. I haven't noticed any other odd activity since then.

So, any simple pointers to what to do next would be appreciated. I don't see any firmware upgrades on the Actiontec site if that's where the problem is. I may have been running "transmission" at the time indicated in ATT's letter if that's related.

smallpond 01-20-2014 09:44 AM

Check the "received from" headers to make sure the email is really from AT&T.
To find anything listening on port 53 (DNS) on your local machine:

Code:

netstat -tulpn | grep :53
or to test a device at an IP to see if it is listening:

Code:

telnet 192.168.0.1 53
^]close

If it accepts the connection, it is listening.

Quakeboy02 01-20-2014 10:04 AM

Hi smallpond,

The email has my proper name in it, so I don't think it was a phishing attempt. I've forwarded the email to abuse@att.net as was suggested in the letter to see if they have anything useful to say. I did not click on any links in the email.

Here is the response to the two commands, so I don't think it's listening. I wonder if it was something in the "transmission" client?

Code:

bob@musem:~$ netstat -tulpn |grep :53
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:53306          0.0.0.0:*              LISTEN      -             
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          -             
udp6      0      0 :::5353                :::*                                -

Code:

bob@musem:~$ telnet 192.168.0.1 53
Trying 192.168.0.1...
telnet: Unable to connect to remote host: Connection refused


smallpond 01-20-2014 10:34 AM

The 192.168.0.1 address was just an example. Try it with the actual IP addresses of your wireless router and the other Debian system.

Quakeboy02 01-20-2014 10:45 AM

I tried to telnet into my internet IP as follows, without the "53". As you can see, I got a response. Does this mean there is a door into my router from the internet?

Code:

telnet xxx.xxx.xx.xxx
Trying xxx.xxx.xx.xxx...
Connected to xxx.xxx.xx.xxx.
Escape character is '^]'.
BCM96328 Broadband Router
Login:


Quakeboy02 01-20-2014 10:53 AM

OK, some more information. I'm looking at the router setup, and I see that port 53 incoming was enabled. I've just disabled that, along with some incoming ICMP ports. At this point there aren't any incoming ports enabled.

Added:
I see there is a "NAT only" security option on the router setup page which doesn't list any incoming or outgoing ports. Should I be using that?

Added:
I ran the test at http://www.openresolver.jp, and now that I turned off port 53, it no longer shows a potential open DNS resolver at my IP. I don't know if that resolves this, or not.
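
What the openresolver.jp check tests is whether the host at your public IP answers a recursive query for a name it is not authoritative for; ISPs flag such hosts because anyone on the Internet can make them resolve names on their behalf, which is what makes them usable as reflectors against third parties. The script below is an added example, not code from the thread or from openresolver.jp, that performs the same test with `dig` and classifies the result from the `status`, `flags` and `ANSWER` fields of dig's header. The three dig outputs are constructed, and the `classify_resolver` and `check_open_resolver` names are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): decide from dig's header whether a host
# answered a recursive query for a name it does not serve, i.e. whether it is an
# open resolver. The dig outputs below are constructed, not captured.

# An open resolver: status NOERROR, the "ra" (recursion available) flag set,
# and an answer returned for a third-party name.
OPEN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# A resolver that refuses recursion for outsiders (what the ISP expects to see).
CLOSED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12346
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Nothing reachable on port 53, as after the router's port-53 forward is removed.
UNREACHABLE_SAMPLE=';; connection timed out; no servers could be reached'

# classify_resolver: read `dig +noall +comments` output on stdin and print
# "open", "closed" or "unreachable".
classify_resolver() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo unreachable
        return 0
    fi
    case " $flags " in
        *" ra "*) has_ra=1 ;;
        *)        has_ra=0 ;;
    esac
    # Require all three: NOERROR alone is also what an authoritative-only server
    # returns for its own zones, and "ra" without an answer proves nothing.
    if [ "$status" = NOERROR ] && [ "$has_ra" -eq 1 ] && [ "${answers:-0}" -gt 0 ]; then
        echo open
    else
        echo closed
    fi
}

# check_open_resolver ADDRESS: query the host for a name it does not serve.
# Run it from OUTSIDE your own network against your public IP; from inside, NAT
# and the router's own DNS proxy can answer differently from what the Internet
# sees, which is why an external check such as openresolver.jp is the reference.
check_open_resolver() {
    dig @"$1" +time=3 +tries=1 +noall +comments example.com A 2>/dev/null | classify_resolver
}

# Offline demonstration on the constructed samples: prints open, closed, unreachable.
printf '%s\n' "$OPEN_SAMPLE" | classify_resolver
printf '%s\n' "$CLOSED_SAMPLE" | classify_resolver
printf '%s\n' "$UNREACHABLE_SAMPLE" | classify_resolver
```

Once the router no longer forwards port 53, `check_open_resolver` run from an outside host should report `unreachable`; `closed` would mean something still answers on 53 but declines to recurse, and `open` would mean the original complaint still stands.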

smallpond 01-20-2014 01:54 PM

Sounds like you fixed it. Another site for testing open ports is:

https://www.grc.com/shieldsup

Quakeboy02 01-20-2014 01:58 PM

Thanks for giving me the clues I needed to fix this!

