
Re: [cobalt-security] Intermittent DNS failure or hack or what??



On Thu, 10 May 2001, Simon Wilson wrote:

> Apologies in advance if this isn't posted in quite the right group. I am
> not sure if this is a DNS problem or a security issue.
> 
> For the past two days people are intermittently unable to browse sites on
> our server. It will be ok for 30 mins then it won't work and they get 'Cannot
> find server or DNS Error' page. We have done trace routes at this time and
> they are fine. Pinging the machine is fine. The server admin browser pages
> always work during this time but not the sites. Any ideas?

"Cannot find server or DNS Error" is a very common error in MSIE - that's
why I don't use it - it's simply horrible.

A real test, to see if the web server responds, is to open a Telnet
session to the site's address, on port 80.

Try it when the site appears not to work.

> We did the RaQ4-All-Security-1.0.1-10098.pkg and the
> RaQ4-All-Security-1.0.1-10014.pkg yesterday. Could it be this causing a
> problem?
> 

Since it's messing with the admin server pages and some other external
program which isn't at all related to web, I doubt it.

> I wonder whether we have been hacked in some form. The only suspicious
> report recently from logcheck that I don't understand was this:
> 
> May  5 02:14:16 ns1 named[376]: Lame server on '155.218.53.216.in-addr.arpa'
> (in '218.53.216.in-addr.arpa'?): [216.53.130.3].53 'NS2.MPINET.NET'

It's fine. The message means exactly what it says. There's a LAME NS at
216.53.218.155. IIRC those are Windows 2000 boxes set up to update the
nameserver of the domain they're defined on, and, unfortunately, they used
your domain to name their network. Don't worry, it doesn't interfere with
DNS operation. If you really want this message to go away, either:
a) mail the company that holds that bad server and tell them about it.
b) block this server from connecting to your system using ipchains or other
means.

> 
> Basically I don't know what's going on and not surprisingly my co-location
> people say that nothing is wrong.... Help please...before a client notices.

Again, if it's IE's problem, they won't have it... usually at data centers
they have unix machines with Netscape on them...

If the telnet IS answered indeed, try typing something like: 
"GET somefile.html" <enter>

you should then see it on screen...

only if all of these fail, come and tell us about it ;p

> 
> Simon Wilson
> 
- shimi
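
Added example, not part of the original message: a scripted version of the telnet-to-port-80 test that reports which stage fails (name resolution, TCP connect, or the HTTP reply), so a browser's combined "Cannot find server or DNS Error" can be split into its causes. The function name `probe`, the HTTP/1.0 request line and the `Host` header are assumptions made for this example.

```python
import socket
import sys


def probe(host, port=80, path="/", timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'http' or 'ok'."""
    # Stage 1: name resolution. A failure here is a real DNS problem.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"
    family, socktype, proto, _, addr = infos[0]

    # Stage 2: TCP connect, the same thing "telnet host 80" checks.
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:
        sock.close()
        return "tcp", f"connect to {addr[0]} port {port} failed: {exc}"

    # Stage 3: send a request and read the status line. The Host header is
    # an assumption added here so a name-based virtual site is selected.
    try:
        request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        data = b""
        while b"\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    except OSError as exc:
        return "http", f"connected but no reply: {exc}"
    finally:
        sock.close()
    status = data.split(b"\n", 1)[0].decode("latin-1").strip()
    if not status.startswith("HTTP/"):
        return "http", f"unexpected reply: {status!r}"
    return "ok", status


if __name__ == "__main__":
    # Usage: python probe.py www.example.com   (hostname is a placeholder)
    stage, detail = probe(sys.argv[1])
    print(f"{stage}: {detail}")
```

Running it from cron every minute and logging the result shows whether the intermittent outages line up with the `dns`, `tcp` or `http` stage.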