Have I been hacked?


#1

Hi there, I’m a bit worried that my pi-hole has been compromised. This morning I updated to v4.2 (pihole -up), which went without a hitch. Now when I look at the dashboard I see thousands of client requests from a ‘client’ dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru (see screenshot). This ‘client’ isn’t in the top clients list, nor can I find any reference to it in the long-term logs. Note the low level of queries, so it doesn’t look like the pihole is actually resolving these requests.

The pihole is on a local network and connects to a vpn/vps to serve DNS to my mobile, etc…

Has anyone got any advice?

[screenshot: Pi-hole_Admin_Console2]

Many thanks,
Rob


#2

What is the output of this command (searching your pihole.log for these requests):

sudo grep ertelecom.ru /var/log/pihole.log


#3

Hi jfb, thanks for your suggestion. I did try that, but no entries for ertelecom.ru were returned. It’s really strange that this ‘client’ is showing on the pi-hole dashboard but not in the logs; I can’t understand how that’s possible. Further, when I rebooted the pi-hole these entries disappeared from the dashboard. I tried a tcpdump (tcpdump -w ru.pcap -n host dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru) but it couldn’t find the host name…


#4

The pihole.log is rotated nightly at midnight, so the log that contains this information may be one of the older logs (they are located in /var/log). You can search the gz logs with zgrep.

-rw-r--r-- 1 pihole   pihole   130K Feb  5 08:43 pihole.log
-rw-r--r-- 1 pihole   pihole   411K Feb  5 00:00 pihole.log.1
-rw-r--r-- 1 pihole   pihole    70K Feb  4 00:00 pihole.log.2.gz
-rw-r--r-- 1 pihole   pihole    70K Feb  3 00:00 pihole.log.3.gz
-rw-r--r-- 1 pihole   pihole    71K Feb  2 00:00 pihole.log.4.gz
-rw-r--r-- 1 pihole   pihole    96K Feb  1 00:00 pihole.log.5.gz

#5

Thanks for the heads up re zgrep. I tried these commands with no results (the globs were mangled by the forum formatting; quoted here so the shell expands them rather than the forum):

find /var/log -name 'pihole.log.*.gz' -print0 | xargs -0 zgrep "dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru"
zgrep -e "dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru" /var/log/pihole.log.*.gz

I’m new to all this, are the above commands correct?


#6

Ok, I’ve found some entries in today’s log:

Feb 5 14:35:44 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: query[AAAA] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: dnssec-query[DS] ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: dnssec-query[DS] ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: reply ertelecom.ru is no DS
Feb 5 14:35:44 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
Feb 5 14:35:44 dnsmasq[673]: reply ertelecom.ru is no DS
Feb 5 14:35:44 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NODATA-IPv6
Feb 5 14:35:44 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: cached dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
Feb 5 14:35:44 dnsmasq[673]: query[AAAA] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: cached dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NODATA-IPv6

Any thoughts?


#7

Were the x.x.x.x in the log or did you replace something with this?


#8

I replaced them


#9

What were they originally (i.e. where are the DNS queries being sent)?


#10

My VPS VPN IP, which is working as an upstream DNS. Why?


#11

BTW, I didn’t have much confidence in my zgrep commands, so I uncompressed the gz log files and did a grep; no entries were found in any of them.


#12

These queries are not from that client. They are queries looking for the IP of that domain. The IP address 127.0.0.1 (the Pi-Hole host) is asking for that domain. This doesn’t indicate that you have been hacked, it indicates that some software on your network is looking for that domain. It is likely related to your VPN if you use a dynamic IP service to keep an IP for your VPN.


#13

The format for zgrep is the same as for grep. This command will find all instances of the word microsoft in a gz-formatted file.

sudo zgrep microsoft /var/log/pihole.log.3.gz

Feb  2 00:00:03 dnsmasq[31962]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb  2 00:00:03 dnsmasq[31962]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0
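The two points made above (#12: the `from 127.0.0.1` field in a `query[...]` line is the source of the query, so these lookups come from the Pi-hole host itself rather than a remote client; #13 and #4: the rotated `.gz` logs have to be searched as well as the live one) can be checked in one pass with a short script. The following is an added example written for this page, not a Pi-hole tool or code from anyone in the thread. It parses dnsmasq-format lines from both plain and gzipped logs, counts which source address asked for a name and how dnsmasq answered, and states whether the source was loopback. The sample log lines are constructed (modelled on the ones posted above); the upstream address 10.8.0.1 in the `forwarded` line is an assumed placeholder, not the poster's real VPS address.

```python
"""Attribute Pi-hole (dnsmasq) query-log lines to their source, across rotated logs."""
import glob
import gzip
import os
import re
import tempfile
from collections import Counter

# Constructed sample lines in dnsmasq's log format (not real captured logs).
# The upstream 10.8.0.1 is an assumed placeholder for a VPN-side resolver.
SAMPLE_TODAY = """\
Feb  5 14:35:44 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb  5 14:35:44 dnsmasq[673]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to 10.8.0.1
Feb  5 14:35:44 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
Feb  5 14:35:44 dnsmasq[673]: query[AAAA] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb  5 14:35:44 dnsmasq[673]: cached dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NODATA-IPv6
Feb  5 14:36:01 dnsmasq[673]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb  5 14:36:01 dnsmasq[673]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0
"""
SAMPLE_YESTERDAY = """\
Feb  4 09:12:10 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb  4 09:12:10 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
"""

# "query[A] <name> from <src>": <src> is the address that sent the query to dnsmasq.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)$")
# "reply <name> is <answer>" / "cached <name> is <answer>": what dnsmasq returned.
REPLY_RE = re.compile(r"\b(?:reply|cached) (?P<name>\S+) is (?P<answer>.+)$")

LOOPBACK = {"127.0.0.1", "::1"}


def open_log(path):
    """Open a live (.log) or rotated (.gz) log as text; zgrep-style transparency."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")


def attribute_queries(paths, needle):
    """Count query sources and reply outcomes for names containing `needle`."""
    sources, answers = Counter(), Counter()
    for path in paths:
        with open_log(path) as fh:
            for line in fh:
                m = QUERY_RE.search(line.rstrip("\n"))
                if m and needle in m.group("name"):
                    sources[m.group("src")] += 1
                    continue
                m = REPLY_RE.search(line.rstrip("\n"))
                if m and needle in m.group("name"):
                    answers[m.group("answer")] += 1
    return sources, answers


def verdict(sources):
    """Turn the source counts into the conclusion a responder wants."""
    if not sources:
        return "no queries for that name in the scanned logs"
    if set(sources) <= LOOPBACK:
        return ("all queries came from the Pi-hole host itself; "
                "look for a local process with tcpdump/ss, not a remote client")
    remote = sorted(s for s in sources if s not in LOOPBACK)
    return "queries came from client(s): " + ", ".join(remote)


def demo():
    """Write the constructed samples as a live log plus a rotated .gz log and scan both."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "pihole.log"), "w") as f:
            f.write(SAMPLE_TODAY)
        with gzip.open(os.path.join(d, "pihole.log.2.gz"), "wt") as f:
            f.write(SAMPLE_YESTERDAY)
        paths = sorted(glob.glob(os.path.join(d, "pihole.log*")))
        sources, answers = attribute_queries(paths, "ertelecom.ru")
        return {"sources": dict(sources), "answers": dict(answers),
                "verdict": verdict(sources)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against real logs, replace `demo()`'s temporary directory with `glob.glob("/var/log/pihole.log*")` (run as root or as the pihole user). The distinction the script makes is the one that matters for the "have I been hacked?" question: a name that appears only as the `<name>` in `query[...]` lines, with every `from` address on loopback, is something the Pi-hole host looked up, not a device that talked to the resolver.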

#14

I don’t use a dynamic IP service on the VPN or knowingly anywhere on the local network. Makes sense this is not the client, how can I find out what’s requesting this address?


#15

Since it appears to be coming from your Pi-Hole host device, I would install Wireshark or tcpdump on that device and see all the packets.


#16

Will do.

Thank you so much for your time and expertise, greatly appreciated.

Best,

Rob


#17

You can simply run a malware test and see if you have been affected or hacked; you can also use http://isithacked.com/ to solve your issue.