Hi guys,
I have a really strange situation that I can't wrap my head around. I'm trying out a new VPS vendor and just have some services installed to try it out, so there is nothing really sensitive or valuable on this server. Suddenly, a week ago, requests to the domain on http and https started to be redirected to some other server.
I have narrowed down the symptoms to know that when I have an http/https service (either apache or nginx) running on my system AND have iptables running, the requests get redirected. iptraf shows the connection coming in, but the logs of nginx/apache show no activity. The / index.html just types a single row of the domain of the other server. If I open up another port (like 8080) and reconfigure nginx/apache to listen there, it works perfectly. If, on the other hand, I disable iptables (service iptables stop, or flush the tables), requests to http/https time out, i.e. nginx/httpd never receives them even though they are configured to listen on those ports.
If I run iptables, actually with the RH standard ruleset, and do not run an http service on 80/443, the redirection does not happen. So it's only if something is supposed to answer http/https requests on my server that they are redirected.
I'm not seeing any other strange (or even normal) traffic on my server, nothing else is really running on the machine.
The other server seems to be a German domain, which is also visible in the SSL certificate when accessing https. There doesn't seem to be anything on that server other than the single line of the domain name.
I'm running a CentOS 5.3 pretty vanilla installation with nginx, httpd, mysql, php running. I have been trying out poptop, pptpd, nuxeo dms.
I'm at a loss as to what to check! As I said, I can't see any other traffic, so if it is compromised, either they haven't been able to turn it or they are masking it from me. The root password is not compromised, and that is the only user configured, except for the mysql user. Any pointers would be greatly appreciated!
/Kallisti