LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 11-14-2022, 05:36 AM   #1
alexandru.voicu
LQ Newbie
 
Registered: Nov 2022
Location: Bucharest, Romania
Distribution: Oracle Linux 9
Posts: 6

Rep: Reputation: 0
Strange nmap


Hi

I ran nmap against projsend4.ru and it returns the following:

[root@mail ~]# nmap projsend4.ru
Starting Nmap 7.70 ( https://nmap.org ) at 2022-11-14 13:24 EET
Nmap scan report for projsend4.ru (92.80.234.120)
Host is up (0.0000040s latency).
rDNS record for 92.80.234.120: mail.mastersystem.ro
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain

Strange, because it looks like it scanned my server and not that Russian domain. It also returns an rDNS record even though I don't have a reverse DNS.

May I have been hacked?

Many thanks.
Alex
 
Old 11-14-2022, 08:27 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,160

Rep: Reputation: 1266
So projsend4.ru has a DNS record pointing to your mail server? Is your server an open relay? Normally, the ISP that controls the IP also controls the rDNS.
 
Old 11-14-2022, 09:14 AM   #3
alexandru.voicu
LQ Newbie
 
Registered: Nov 2022
Location: Bucharest, Romania
Distribution: Oracle Linux 9
Posts: 6

Original Poster
Rep: Reputation: 0
Hi

Thank you for your response. No, it's not an open relay; I checked that many times... My ISP doesn't want to set a reverse DNS for me, pretending that service is for companies only. It seems my IP was stolen and used for that Russian domain. Here is how it looks in the zeek IDS/IPS dns log:

1668435718.327100 CakwJK3fVGmAwAiKUh 92.80.234.120 34921 1.1.1.1 53 udp 19174 - projsend4.ru.mastersystem.ro - - - - 0 NOERROR F F F T 0 92.80.234.120 300.000000

I'm interested in how to prevent this. And these are two different ISPs from two different countries. Here are the details for projsend4.ru:

ISP: Petersburg Internet Network Ltd.
Usage Type: Data Center/Web Hosting/Transit
Hostname(s): projsend4.ru
Domain Name: pinspb.ru
Country: Russian Federation
City: Saint Petersburg, Sankt-Peterburg

What is interesting is that whois is reporting that projsend4.ru is free to be registered... including for the .ru TLD. I also searched with intodns.com (Error: Can't get nameservers at parent server! I only check domains not subdomains!)

BR
Alex
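One explanation consistent with the zeek line in this post is resolver search-list expansion: after projsend4.ru returns NXDOMAIN, the stub resolver retries with the local search domain appended (projsend4.ru.mastersystem.ro), and a record in that zone answers with the server's own address. That is an assumption about this case, not something the thread confirms. The following added example (not code from the thread) parses zeek dns.log records in the default field order and flags such expanded foreign names that resolved to the host's own IP; the domain, address and sample record are taken from the post above.

```python
from typing import Optional

# Column order of a default zeek dns.log (its #fields header). The record in
# the post lacks the trailing 'rejected' column, so zip() leaves it absent.
DNS_LOG_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected",
]

# Constructed copy of the record quoted in post #3. Zeek writes tabs; the forum
# collapsed them to spaces, so splitting on any whitespace handles both forms.
SAMPLE_LOG = (
    "1668435718.327100 CakwJK3fVGmAwAiKUh 92.80.234.120 34921 1.1.1.1 53 udp "
    "19174 - projsend4.ru.mastersystem.ro - - - - 0 NOERROR F F F T 0 "
    "92.80.234.120 300.000000\n"
)

def parse_dns_log_line(line: str) -> dict:
    rec = dict(zip(DNS_LOG_FIELDS, line.split()))
    answers = rec.get("answers", "-")
    rec["answers"] = [] if answers == "-" else answers.split(",")
    return rec

def search_suffix_expansion(query: str, local_domain: str) -> Optional[str]:
    """If `query` is a foreign name with the local search domain appended,
    return the original name, else None. The remainder must itself contain a
    dot, so ordinary hosts such as mail.mastersystem.ro are not flagged."""
    q = query.rstrip(".").lower()
    suffix = "." + local_domain.strip(".").lower()
    if not q.endswith(suffix):
        return None
    original = q[:-len(suffix)]
    return original if "." in original else None

def flag_wildcard_hits(log_text: str, local_domain: str, own_ips: set) -> list:
    """Return (original_name, expanded_query, answer) for NOERROR replies to
    search-suffix-expanded foreign names that resolved to one of own_ips.
    This pattern suggests a catch-all record in the local zone (an assumption)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and zeek's #fields/#types header lines
        rec = parse_dns_log_line(line)
        original = search_suffix_expansion(rec.get("query", ""), local_domain)
        if original is None or rec.get("rcode_name") != "NOERROR":
            continue
        matched = [a for a in rec["answers"] if a in own_ips]
        if matched:
            hits.append((original, rec["query"], matched[0]))
    return hits
```

A quick manual check for the same condition is to query the name with a trailing dot (a fully qualified name), which stops the resolver from appending any search suffix.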
 
Old 11-14-2022, 09:16 AM   #4
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,160

Rep: Reputation: 1266
Actually, DNS does not have an entry for projsend4.ru; at least in my (USA) configured servers.
 
Old 11-14-2022, 10:02 AM   #5
dc.901
Senior Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu
Posts: 1,005

Rep: Reputation: 370
Quote (originally posted by alexandru.voicu):
Hi

I ran nmap against projsend4.ru and it returns the following:

[root@mail ~]# nmap projsend4.ru
.....

Strange, because it looks like it scanned my server and not that Russian domain. It also returns an rDNS record even though I don't have a reverse DNS.

May I have been hacked?

Many thanks.
Alex
What does the following give you?

nslookup projsend4.ru
traceroute projsend4.ru
 
Old 11-14-2022, 10:13 AM   #6
alexandru.voicu
LQ Newbie
 
Registered: Nov 2022
Location: Bucharest, Romania
Distribution: Oracle Linux 9
Posts: 6

Original Poster
Rep: Reputation: 0
Quote (originally posted by smallpond):
Actually, DNS does not have an entry for projsend4.ru; at least in my (USA) configured servers.
Weird...

[root@mail current]# nmap projsend4.ru
Starting Nmap 7.70 ( https://nmap.org ) at 2022-11-14 17:28 EET
Nmap scan report for projsend4.ru (92.80.234.120 ---> this is my IP)
Host is up (0.0000050s latency).
rDNS record for 92.80.234.120: mail.mastersystem.ro
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
389/tcp open ldap
443/tcp open https
465/tcp open smtps
587/tcp open submission
3306/tcp open mysql
7025/tcp open vmsvc-2
8443/tcp open https-alt

[root@mail current]# host projsend4.ru
Host projsend4.ru not found: 3(NXDOMAIN) (very nice)

If I stop the named service... things change and look normal:

[root@mail current]# nmap projsend4.ru
Starting Nmap 7.70 ( https://nmap.org ) at 2022-11-14 17:39 EET
Failed to resolve "projsend4.ru".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.03 seconds

Then when I change the nameserver in resolv.conf, things come back again.

Alex
 
Old 11-14-2022, 10:16 AM   #7
alexandru.voicu
LQ Newbie
 
Registered: Nov 2022
Location: Bucharest, Romania
Distribution: Oracle Linux 9
Posts: 6

Original Poster
Rep: Reputation: 0
Hi

Here is the output...

[root@mail wan]# nslookup projsend4.ru
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find projsend4.ru: NXDOMAIN

[root@mail wan]# traceroute projsend4.ru
traceroute to projsend4.ru (92.80.234.120), 30 hops max, 60 byte packets
1 mail.mastersystem.ro (92.80.234.120) 0.020 ms 0.009 ms 0.005 ms

Looks like my server...

Alex.
 
Old 11-14-2022, 11:41 AM   #8
teckk
LQ Guru
 
Registered: Oct 2004
Distribution: Arch
Posts: 5,152
Blog Entries: 6

Rep: Reputation: 1835
https://www.abuseipdb.com/check/5.188.62.26

Quote:
[root@mail ~]# nmap projsend4.ru
Why are you on the internet logged in as root?

I don't know what you have.

Try without dns lookup.
Code:
traceroute 5.188.62.26

nmap -Pn --dns-servers 77.88.8.88 projsend4.ru
nmap -Pn --dns-servers 77.88.8.88 5.188.62.26

nslookup 5.188.62.26

dig @77.88.8.88 5.188.62.26
dig @77.88.8.88 projsend4.ru
Give more info.
 
Old 11-14-2022, 12:14 PM   #9
alexandru.voicu
LQ Newbie
 
Registered: Nov 2022
Location: Bucharest, Romania
Distribution: Oracle Linux 9
Posts: 6

Original Poster
Rep: Reputation: 0
Quote (originally posted by teckk):
https://www.abuseipdb.com/check/5.188.62.26


Why are you on the internet logged in as root?

I don't know what you have.

Try without dns lookup.
Code:
traceroute 5.188.62.26

nmap -Pn --dns-servers 77.88.8.88 projsend4.ru
nmap -Pn --dns-servers 77.88.8.88 5.188.62.26

nslookup 5.188.62.26

dig @77.88.8.88 5.188.62.26
dig @77.88.8.88 projsend4.ru
Give more info.

Yes, you're right regarding the usage of root, but this simplifies package installation, and some packages require setting the rights on directories manually.

Here are the results, in the same order:

traceroute 5.188.62.26
traceroute to 5.188.62.26 (5.188.62.26), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

nmap -Pn --dns-servers 77.88.8.88 projsend4.ru
Starting Nmap 7.70 ( https://nmap.org ) at 2022-11-14 19:52 EET
Nmap scan report for projsend4.ru (92.80.234.120)
Host is up (0.0000050s latency).
rDNS record for 92.80.234.120: mail.mastersystem.ro
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
389/tcp open ldap
443/tcp open https
465/tcp open smtps
587/tcp open submission
3306/tcp open mysql
7025/tcp open vmsvc-2
8443/tcp open https-alt

Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds


nmap -Pn --dns-servers 77.88.8.88 5.188.62.26
Starting Nmap 7.70 ( https://nmap.org ) at 2022-11-14 19:52 EET
Nmap scan report for projsend4.ru (5.188.62.26)
Host is up (0.061s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
3306/tcp open mysql
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
Nmap done: 1 IP address (1 host up) scanned in 10.81 seconds

NOTE: it seems to be a Windows workstation or server. Port 3389 is accessible with no firewall enabled; I tried to connect and it returned the window to enter the connection credentials. Weak...


nslookup 5.188.62.26
26.62.188.5.in-addr.arpa name = projsend4.ru.
Authoritative answers can be found from:


dig @77.88.8.88 projsend4.ru

; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8_6.1 <<>> @77.88.8.88 projsend4.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61363
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;projsend4.ru. IN A

;; AUTHORITY SECTION:
ru. 1533 IN SOA a.dns.ripn.net. hostmaster.ripn.net. 4053554 86400 14400 2592000 3600

;; Query time: 75 msec
;; SERVER: 77.88.8.88#53(77.88.8.88)
;; WHEN: Mon Nov 14 19:49:55 EET 2022
;; MSG SIZE rcvd: 102



dig @77.88.8.88 5.188.62.26
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8_6.1 <<>> @77.88.8.88 5.188.62.26
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25235
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.188.62.26. IN A

;; AUTHORITY SECTION:
. 2042 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022111401 1800 900 604800 86400

;; Query time: 72 msec
;; SERVER: 77.88.8.88#53(77.88.8.88)
;; WHEN: Mon Nov 14 19:51:34 EET 2022
;; MSG SIZE rcvd: 115

I have no clue what it could be. I'm thinking it could be a problem at Cloudflare DNS, since if I stop the DNS service and make a query, things are the same.

BR
Alex
 
Old 11-14-2022, 05:31 PM   #10
alexandru.voicu
LQ Newbie
 
Registered: Nov 2022
Location: Bucharest, Romania
Distribution: Oracle Linux 9
Posts: 6

Original Poster
Rep: Reputation: 0
Hey... it seems it's not my problem... I'm not hacked.
These are the steps I followed:

1. shut down the server
2. the HDD was removed and replaced with another new one
3. a fresh installation of Oracle Linux 8.6
4. installed only the packages needed for networking
5. no bind package installed
6. ran nmap against projsend4.ru -> the results were the same.

It seems to be a possible problem with other nameservers...