[Dnsmasq-discuss] Vulnerability to hack DNSMASQ?
klondike
klondike at klondike.es
Sat Nov 29 01:08:36 GMT 2014
On 28/11/14 22:44, Michael Rack wrote:
> Hi!
>
> My DNSMASQ process was open to anyone on the Internet.
> For a few days I have had many service interruptions, so I did some
> network monitoring and found that DNSMASQ had many connections open.
>
> It looks like a DDoS; it also felt like one to me.
>
>> 91.205.14.65:domain <=> 46.38.227.66:http
>> 483MB 455Kb 460Kb 461Kb
>> 91.205.14.65 <=> 72.194.79.40
>> 13.1KB 760b 760b 760b
>> 91.205.14.65:domain <=> 72.194.79.40:2622
>> 134B 268b 54b 27b
>> 91.205.14.65:domain <=> 72.194.79.40:44836
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:48661
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:exce
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:15016
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:60409
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:46901
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:41296
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:31861
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:47420
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:24221
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:29322
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:510
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:2555
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:40311
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:64537
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:27566
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:43125
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:55887
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:netmon
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:55651
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:44949
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:12310
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:25831
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:35779
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:28138
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:37074
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:46767
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:9027
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:47533
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:19229
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:19487
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:20255
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:23830
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:64895
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:41186
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:59304
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:12911
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:51671
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:44285
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:36142
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:8859
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:13960
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:55017
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:61910
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:2498
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:23665
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:39752
>> 134B 0b 107b 27b
>> 91.205.14.65:domain <=> 72.194.79.40:60709
>> 134B 0b 54b 27b
>> 91.205.14.65:domain <=> 72.194.79.40:64920
>> 134B 0b 54b 27b
>> 91.205.14.65:domain <=> 72.194.79.40:29023
>> 67B 0b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:47383
>> 67B 0b 54b 13b
> Why are there so many different ports that dnsmasq is connected to?
>
> I run dnsmasq version 2.59rc1. After stopping the process, it took over
> 8 minutes before the traffic stopped passing my WAN interface.
They are using you for a DNS amplification attack.
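The reply above names the pattern but not how to confirm it. The following is an added example, not code from the thread or from the dnsmasq project: it reads dnsmasq `log-queries` output (the query-line format `query[TYPE] name from ip` is assumed from dnsmasq's logging; the log lines themselves are constructed for this example, using the address quoted in the post plus RFC 5737 documentation addresses) and flags sources that look like the spoofed target of a DNS reflection/amplification flood. The threshold values are arbitrary assumptions to tune per site.

```python
"""Spot DNS reflection/amplification abuse in dnsmasq query logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Assumed format of dnsmasq's --log-queries output:
#   "... dnsmasq[PID]: query[TYPE] name from source-ip"
# Other lines (forwarded, reply, cached) do not match and are skipped.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<src>\S+)"
)

# Query types that produce large answers; ANY is the classic amplifier.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample log: one normal client (192.0.2.10), one address that
# receives a burst of repeated ANY queries (46.38.227.66, from the thread),
# and one address with too few queries to judge (203.0.113.7).
SAMPLE_LOG: List[str] = [
    "Nov 28 22:40:01 gw dnsmasq[1234]: query[A] www.example.com from 192.0.2.10",
    "Nov 28 22:40:01 gw dnsmasq[1234]: forwarded www.example.com to 198.51.100.1",
    "Nov 28 22:40:01 gw dnsmasq[1234]: reply www.example.com is 198.51.100.80",
    "Nov 28 22:40:02 gw dnsmasq[1234]: query[AAAA] www.example.com from 192.0.2.10",
    "Nov 28 22:40:03 gw dnsmasq[1234]: query[A] mail.example.net from 192.0.2.10",
    "Nov 28 22:40:03 gw dnsmasq[1234]: query[MX] example.net from 192.0.2.10",
    "Nov 28 22:40:04 gw dnsmasq[1234]: query[TXT] example.org from 192.0.2.10",
] + [
    f"Nov 28 22:40:{5 + i:02d} gw dnsmasq[1234]: query[ANY] example.org from 46.38.227.66"
    for i in range(8)
] + [
    "Nov 28 22:40:20 gw dnsmasq[1234]: query[ANY] example.org from 203.0.113.7",
    "Nov 28 22:40:21 gw dnsmasq[1234]: query[ANY] example.org from 203.0.113.7",
]


class SourceStats(NamedTuple):
    src: str
    queries: int      # total queries from this source
    amplifying: int   # queries of a type in AMPLIFYING_TYPES
    names: int        # distinct names asked for


def parse_queries(lines: Iterable[str]):
    """Yield (qtype, name, src) for every query line; skip everything else."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), m.group("src")


def summarise(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate query counts, amplifying-type counts and name fan-out per source."""
    totals: Dict[str, int] = defaultdict(int)
    amp: Dict[str, int] = defaultdict(int)
    names: Dict[str, set] = defaultdict(set)
    for qtype, name, src in parse_queries(lines):
        totals[src] += 1
        if qtype.upper() in AMPLIFYING_TYPES:
            amp[src] += 1
        names[src].add(name.lower())
    return {s: SourceStats(s, totals[s], amp[s], len(names[s])) for s in totals}


def suspected_reflection(lines: Iterable[str], min_queries: int = 5,
                         amp_ratio: float = 0.8, max_names: int = 3) -> List[SourceStats]:
    """Return sources that look like reflection targets, busiest first.

    Heuristic: a real client asks for many different names, mostly A/AAAA;
    a reflection flood repeats a few names with amplifying types. Because the
    source address is spoofed, a flagged address is the VICTIM the resolver is
    being used against, not the attacker: rate-limit or drop answers towards it,
    and close the resolver to the Internet, rather than reporting it as hostile.
    """
    hits = []
    for st in summarise(lines).values():
        if st.queries < min_queries:
            continue  # not enough evidence either way
        if st.amplifying / st.queries >= amp_ratio and st.names <= max_names:
            hits.append(st)
    return sorted(hits, key=lambda s: s.queries, reverse=True)


if __name__ == "__main__":
    for st in suspected_reflection(SAMPLE_LOG):
        print(f"{st.src}: {st.queries} queries, {st.amplifying} amplifying, "
              f"{st.names} distinct name(s) -> likely reflection target")
```

Feed it real output with something like `grep 'query\[' /var/log/syslog | python3 detect.py` adapted to read stdin. Detection is only half of it: the fix for the situation in the post is to stop answering the Internet at all, which dnsmasq can do with `interface=` / `listen-address=` plus `bind-interfaces` so it never listens on the WAN side (newer releases also offer `local-service`, which is not available in 2.59), and to filter or rate-limit inbound UDP/53 on the WAN interface at the firewall.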