Have I been hacked?

#1

Hi there, I’m a bit worried that my pi-hole has been compromised. This morning I updated to v4.2 (pihole -up) which went without a hitch. Now when I look at the dashboard I see thousands of client requests from a ‘client’ dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru (see screen shot), this ‘client’ isn’t in the top clients list nor can I find any reference in the long term logs. Note the low level of queries so it doesn’t look like the pihole is actually resolving these requests.

The pihole is on a local network and connects to a vpn/vps to serve DNS to my mobile, etc…

Has anyone got any advice?

[screenshot: Pi-hole_Admin_Console2]

Many thanks,
Rob

0 Likes

#2

What is the output of this command (searching your pihole.log for these requests):

sudo grep ertelecom.ru /var/log/pihole.log

0 Likes

#3

Hi jfb, thanks for your suggestion I did try that but no entries for ertelecom.ru were returned. It’s really strange that this ‘client’ is showing on the pi-hole dashboard but not in the logs, I can’t understand how that’s possible. Further when I rebooted the pi-hole these entries disappeared from the dashboard. I tried a tcpdump (tcpdump -w ru.pcap -n host dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru) but it couldn’t find the host name…

0 Likes

#4

The pihole.log is rotated nightly at midnight, so the log that contains this information may be one of the older logs (they are located in /var/log ). You can search the gz logs with zgrep.

-rw-r--r-- 1 pihole   pihole   130K Feb  5 08:43 pihole.log
-rw-r--r-- 1 pihole   pihole   411K Feb  5 00:00 pihole.log.1
-rw-r--r-- 1 pihole   pihole    70K Feb  4 00:00 pihole.log.2.gz
-rw-r--r-- 1 pihole   pihole    70K Feb  3 00:00 pihole.log.3.gz
-rw-r--r-- 1 pihole   pihole    71K Feb  2 00:00 pihole.log.4.gz
-rw-r--r-- 1 pihole   pihole    96K Feb  1 00:00 pihole.log.5.gz
0 Likes

#5

Thanks for the heads up re zgrep. I tried these commands with no results:
find -name 'pihole.log.*.gz' -print0 | xargs -0 zgrep "dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru"
zgrep -e "dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru" pihole.log.*.gz

I’m new to all this, are the above commands correct?

0 Likes

#6

Ok I’ve found some entries in today’s log:

Feb 5 14:35:44 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: query[AAAA] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: dnssec-query[DS] ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: dnssec-query[DS] ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: reply ertelecom.ru is no DS
Feb 5 14:35:44 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
Feb 5 14:35:44 dnsmasq[673]: reply ertelecom.ru is no DS
Feb 5 14:35:44 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NODATA-IPv6
Feb 5 14:35:44 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: cached dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
Feb 5 14:35:44 dnsmasq[673]: query[AAAA] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: cached dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NODATA-IPv6

Any thoughts?

0 Likes

#7

Were the x.x.x.x in the log or did you replace something with this?

0 Likes

#8

I replaced them

0 Likes

#9

What were they originally (i.e. where are the DNS queries being sent)?

0 Likes

#10

My VPS VPN IP which is working as an upstream DNS, why?

0 Likes

#11

BTW I didn’t have much confidence in my zgrep commands so I uncompressed the gz log files and did a grep, no entries were found in any of them.

0 Likes

#12

These queries are not from that client. They are queries looking for the IP of that domain. The IP address 127.0.0.1 (the Pi-Hole host) is asking for that domain. This doesn’t indicate that you have been hacked, it indicates that some software on your network is looking for that domain. It is likely related to your VPN if you use a dynamic IP service to keep an IP for your VPN.

0 Likes

#13

The format for a zgrep is the same as for grep. This command will find all instances of the word microsoft in a gz formatted file.

sudo zgrep microsoft /var/log/pihole.log.3.gz

Feb  2 00:00:03 dnsmasq[31962]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb  2 00:00:03 dnsmasq[31962]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0
1 Like

#14

I don’t use a dynamic IP service on the VPN or knowingly anywhere on the local network. Makes sense this is not the client, how can I find out what’s requesting this address?

0 Likes

#15

Since it appears to be coming from your Pi-Hole host device, I would install Wireshark or tcpdump on that device and see all the packets.

0 Likes

#16

Will do.

Thank you so much for your time and expertise, greatly appreciated.

Best,

Rob

0 Likes

#17

You can simply run a malware test with (https://freeaccount.org/zbigz-premium-accounts/) and see if you have been affected or hacked, you can also use http://isithacked.com/ to solve your issue.

0 Likes

#18

Hi, I have my upstream DNS configured only to Cloudflare and I’m seeing similar, concerning entries where Pihole appears to be suddenly forwarding DNS queries from localhost to a pppoe.lipetsk.ertelecom.ru domain as the upstream DNS. I haven’t had a chance to comb through the entire log to see when they began, but I look at the Pihole web console fairly frequently, and I’d never seen this before today.

When I run the command suggested above by @jfb to search the log (sudo grep ertelecom.ru /var/log/pihole.log), here are several examples that come back, from just this morning. I’ve obviously never configured this ertelecom.ru as an upstream DNS:

Mar 5 01:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: cached 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 02:00:01 dnsmasq[16412]: cached 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 02:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru

I’ve checked both DNS settings in the web console, as well as these .conf files below, as well, and both only contain entries for Cloudflare (1.1.1.1 and 1.0.0.1) as the upstream DNS:
/etc/pihole/setupVars.conf
/etc/dnsmasq.d/01-pihole.conf

Any ideas? Nuke this pihole install from orbit? Could these be coming from something else on my network, even though they appear to be from localhost?

0 Likes

#19

What were the matching queries from local host? They appear to have been PTR requests, since Pi-Hole is replying with a domain name, not an IP.

I don’t see anything in this log that would indicate that your upstream DNS has been changed.

0 Likes
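The distinction drawn in #12 and #19 (a name that appears on a query, reply or forwarded line versus the address on the "from" side of a query) can be checked mechanically rather than read off the dashboard. The following is an added example, not code from the thread or from Pi-hole: it parses constructed pihole.log lines in dnsmasq's format; 10.8.0.1 is an assumed VPN upstream address.

```python
import re
from collections import Counter

# Constructed sample pihole.log (dnsmasq) lines modelled on the thread: A/AAAA
# lookups that the Pi-hole host itself (127.0.0.1) issued for an ertelecom.ru
# name, a blocked query from a LAN client, and a PTR (reverse) lookup whose
# answer is an ertelecom.ru name. Upstream 10.8.0.1 is an assumed VPN address.
SAMPLE_LOG = """\
Feb 5 14:35:44 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to 10.8.0.1
Feb 5 14:35:44 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
Feb 5 14:35:44 dnsmasq[673]: query[AAAA] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: cached dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NODATA-IPv6
Feb 5 14:36:02 dnsmasq[673]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb 5 14:36:02 dnsmasq[673]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: forwarded 0.92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
"""

# Only "query[TYPE] name from client" lines carry the requesting client.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$")
# "forwarded name to upstream" lines are what the Forward Destinations chart counts.
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
# A reply whose left side is an IP and right side a name is the answer to a PTR query.
REPLY_RE = re.compile(r"(?:reply|cached) (?P<ip>\d+(?:\.\d+){3}) is (?P<name>\S+)$")


def summarise(log_text):
    """Split the log into the three things a dashboard can blur together:
    who asked (client), where the query went (upstream), and what came back."""
    clients = Counter()            # query count per source address
    names_by_client = {}           # names each client asked for
    upstreams = Counter()          # forward destinations actually used
    ptr_answers = {}               # IP -> name learned from reverse lookups
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            clients[m["client"]] += 1
            names_by_client.setdefault(m["client"], set()).add(m["name"])
        elif m := FORWARD_RE.search(line):
            upstreams[m["upstream"]] += 1
        elif m := REPLY_RE.search(line):
            ptr_answers[m["ip"]] = m["name"]
    return {"clients": clients, "names": names_by_client,
            "upstreams": upstreams, "ptr": ptr_answers}


def is_client(log_text, host):
    """True only if host appears on the 'from' side of a query line."""
    return host in summarise(log_text)["clients"]
```

Run over the real /var/log/pihole.log, a name that only ever shows up in "names" or "ptr" was looked up by something on the Pi-hole host, and "upstreams" lists exactly where queries were forwarded.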

#20

Thanks - looking at the query history in the Web Console, I did see that these appear to be PTR requests - please help me out here, as a relative Pihole novice - does that mean it’s instead receiving the request from an ertelecom.ru IP? My pihole is behind a router firewall and shouldn’t be open to this query, and while I certainly can’t rule out operator error, this being possible would be a shock to me.

What makes me worry that my upstream DNS had been hijacked somehow, though, is that two of these ertelecom.ru addresses show up in the “Forward Destinations” chart on the Dashboard. I see Cached, Blocklist, and 1.1.1.1 as you’d expect, but then also these two .ru addresses as forward destinations.

0 Likes