[mdlug] Strange Log Entry

A. Zimmer andrew.zimmer at comcast.net
Fri Apr 12 10:37:53 EDT 2013


On Fri, 12 Apr 2013 06:57:50 -0400
Adam Behnke <abehnke at gmail.com> wrote:

> I'm thinking the Windows machine has been compromised and South Africa is
> poking around your internal network. The easiest fix/test is to
> reformat/reinstall the Windows box and see what happens.
> 

That may seem a reasonable suspicion, but I don't think my Windows machine
is compromised.

I suspect the cause is the pdnsd utility on my Linux machine.

If I remember correctly, I only set up Windows on that machine
recently and it has never connected to the network with an address
of 192.168.0.4.  In fact the address 192.168.0.4 does not exist anywhere
on my local network.

When these log messages occur, my Linux machine is the only machine
on the network and its address is 192.168.0.2.  The question is: Why 
is it accepting packets for 192.168.0.4?  Since the log message is
from the Linux kernel, the packet has been 

I suspect that it may be the pdnsd utility, which I use to bypass
the DNS server of my ISP (Comcast).  Pdnsd allows my Linux machine
to act as a DNS server for itself and also provides DNS caching.

The only place where 192.168.0.4 can be found is within certain config
files on my Linux machine that were set up a long time ago and
that no longer reflect the state of the network.  Since these messages
involve port 53, I suspect, although I can't see how, that pdnsd
is the ultimate cause.

For now, I will remove the reference to 192.168.0.4 from my config
files and delete the local pdnsd cache.  Hopefully, this will solve
the issue.
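The check behind this diagnosis, as an added example that is not part of the original thread: given kernel netfilter LOG lines and the set of addresses the host actually owns, flag packets whose destination is not a local address, and list IP literals in old config files that no longer match the network. The log format (iptables LOG target), the sample lines and the config text are constructed assumptions, since the original entry is not shown in the post.

```python
import re
from collections import Counter

# Constructed sample lines in iptables LOG-target format (assumed; the
# thread does not reproduce the real kernel log entry).
SAMPLE_LOG = """\
Apr 12 09:01:11 host kernel: IN=eth0 OUT= SRC=198.51.100.10 DST=192.168.0.4 LEN=60 PROTO=UDP SPT=40123 DPT=53 LEN=40
Apr 12 09:01:12 host kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.2 LEN=60 PROTO=UDP SPT=53 DPT=33221 LEN=40
Apr 12 09:01:15 host kernel: IN=eth0 OUT= SRC=198.51.100.10 DST=192.168.0.4 LEN=60 PROTO=UDP SPT=40124 DPT=53 LEN=40
Apr 12 09:02:01 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.2 LEN=52 PROTO=TCP SPT=51000 DPT=22 LEN=32
"""

# Addresses configured on the host's interfaces (constructed; on a real
# system take them from the output of `ip -4 addr`).
LOCAL_ADDRS = {"192.168.0.2", "127.0.0.1"}

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Return the netfilter key=value fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def foreign_destinations(log_text, local_addrs):
    """Count (DST, PROTO, DPT) for packets whose destination is not local.

    A packet logged by the kernel for an address the host does not own is
    exactly the anomaly the poster describes for 192.168.0.4 / port 53.
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "DST" in fields and fields["DST"] not in local_addrs:
            counts[(fields["DST"], fields.get("PROTO"), fields.get("DPT"))] += 1
    return counts


def stale_address_refs(config_text, local_addrs):
    """Return IPv4 literals in a config file that are not local addresses.

    Use this to locate stale references like 192.168.0.4 in old resolver
    or pdnsd configuration (config_text below is constructed).
    """
    return sorted(ip for ip in set(IPV4_RE.findall(config_text)) if ip not in local_addrs)


if __name__ == "__main__":
    for (dst, proto, dport), n in foreign_destinations(SAMPLE_LOG, LOCAL_ADDRS).items():
        print(f"{n} packet(s) to non-local {dst} proto={proto} dport={dport}")
    print(stale_address_refs("server_ip = 192.168.0.4;\nnameserver 192.168.0.2\n", LOCAL_ADDRS))
```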
