Have I been hacked?

jfb · February 5, 2019, 2:46pm

The pihole.log is rotated nightly at midnight, so the log that contains this information may be one of the older logs (they are located in /var/log ). You can search the gz logs with zgrep.

-rw-r--r-- 1 pihole   pihole   130K Feb  5 08:43 pihole.log
-rw-r--r-- 1 pihole   pihole   411K Feb  5 00:00 pihole.log.1
-rw-r--r-- 1 pihole   pihole    70K Feb  4 00:00 pihole.log.2.gz
-rw-r--r-- 1 pihole   pihole    70K Feb  3 00:00 pihole.log.3.gz
-rw-r--r-- 1 pihole   pihole    71K Feb  2 00:00 pihole.log.4.gz
-rw-r--r-- 1 pihole   pihole    96K Feb  1 00:00 pihole.log.5.gz

rob4u · February 5, 2019, 4:07pm

Thanks for the heads up re zgrep. I tried these commands with no results:
find -name *.pihole.log..gz -print0 | xargs -0 zgrep "dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru”
zgrep -e "dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru" pihole.log..gz

I'm new to all this, are the above commands correct?

rob4u · February 5, 2019, 4:38pm

Ok I've found some entries in todays log:

Feb 5 14:35:44 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: query[AAAA] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: dnssec-query[DS] ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: dnssec-query[DS] ertelecom.ru to x.x.x.x
Feb 5 14:35:44 dnsmasq[673]: reply ertelecom.ru is no DS
Feb 5 14:35:44 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
Feb 5 14:35:44 dnsmasq[673]: reply ertelecom.ru is no DS
Feb 5 14:35:44 dnsmasq[673]: reply dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NODATA-IPv6
Feb 5 14:35:44 dnsmasq[673]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: cached dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NXDOMAIN
Feb 5 14:35:44 dnsmasq[673]: query[AAAA] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 14:35:44 dnsmasq[673]: cached dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru is NODATA-IPv6

Any thoughts?

jfb · February 5, 2019, 4:54pm

Were the x.x.x.x in the log or did you replace something with this?

rob4u · February 5, 2019, 4:56pm

I replaced them

jfb · February 5, 2019, 4:58pm

What were they originally (i.e. where are the DNS queries being sent)?

rob4u · February 5, 2019, 5:00pm

My VPS VPN IP which is working as a upstream DNS, why?

rob4u · February 5, 2019, 5:02pm

BTW I didn't have much confidence in my zgrep commands so I uncompressed the gz log files and did a grep, no entries were found in any of them.

jfb · February 5, 2019, 5:02pm

These queries are not from that client. They are queries looking for the IP of that domain. The IP address 127.0.0.1 (the Pi-Hole host) is asking for that domain. This doesn't indicate that you have been hacked, it indicates that some software on your network is looking for that domain. It is likely related to your VPN if you use a dynamic IP service to keep an IP for your VPN.

jfb · February 5, 2019, 5:05pm

The format for a zgrep is the same as for grep. This command will find all instances of the word microsoft in a gz formatted file.

sudo zgrep microsoft /var/log/pihole.log.3.gz

Feb  2 00:00:03 dnsmasq[31962]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb  2 00:00:03 dnsmasq[31962]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0

rob4u · February 5, 2019, 5:07pm

I don't use a dynamic IP service on the VPN or knowingly anywhere on the local network. Makes sense this is not the client, how can I find out what's requesting this address?

jfb · February 5, 2019, 5:09pm

Since it appears to be coming from your Pi-Hole host device, I would install Wireshark or tcpdump on that device and see all the packets.

rob4u · February 5, 2019, 5:14pm

Will do.

Thank you so much for your time and expertise, greatly appreciated.

Best,

Rob

samsaint83 · February 12, 2019, 7:16am

You can simple run a malware test with (How to Get Free ZBIGZ Premium Accounts [Updated 2019] - FreeAccount) and see if you have been affected or hacked, you can also use http://isithacked.com/ to solve your issue.

Glaucus · March 5, 2019, 8:08pm

Hi, I have my upstream DNS configured only to Cloudflare and I'm seeing similar, concerning entries where Pihole appears to be suddenly fowarding DNS queries from localhost to a pppoe.lipetsk.ertelecom.ru domain as the upstream DNS. I haven't had a chance to comb through the entire log to see when the began, but I look at the Pihole web console fairly frequently, and I'd never seen this before today.

When I run the command suggested above by @jfb to search the log (sudo grep ertelecom.ru /var/log/pihole.log), here's several examples that come back, from just this morning. I've obviously never configured this ertelecom.ru as an upstream DNS:

Mar 5 01:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: cached 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 02:00:01 dnsmasq[16412]: cached 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 02:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru

I've checked both DNS settings in the web console, as well as these .conf files below, as well, and both only contain entries for Cloudflare (1.1.1.1 and 1.0.0.1) as the upstream DNS:
/etc/pihole/setupVars.conf
/etc/dnsmasq.d/01-pihole.conf

Any ideas? Nuke this pihole install from orbit? Could these be coming from something else on my network, even though they appear to be from localhost?

jfb · March 5, 2019, 8:14pm

What were the matching queries from local host? They appear to have been PTR requests, since Pi-Hole is replying with a domain name, not an IP.

I don't see anything in this log that would indicate that your upstream DNS has been changed.

Glaucus · March 5, 2019, 8:30pm

Thanks - looking a query history in the Web Console, I did see that these appear to be PTR requests - please help me out here, as a relative Pihole novice - does that mean it's instead receiving the request from an ertelecom.ru IP? My pihole is behind a router firewall and shouldn't be open to this query, and while I certainly can't rule out operator error, this being possible would be a shock to me.

What makes me worry that my upstream DNS had been hijacked somehow, though, is that two of these ertelecom.ru addreses show up in the "Forward Destinations" chart on the Dashboard. I see Cached, Blocklist, and 1.1.1.1 as you'd expect, but then also these two .ru addresses as forward destinations.

jfb · March 5, 2019, 8:47pm

Please post the lines of your /var/log/pihole.log that show the queries for this domain and the replies to the queries.

Glaucus · March 6, 2019, 3:08am

Sorry for the delay in responding - I've been away from my home network until now. Here's an example of what is happening every hour, on the hour, when Pihole does a PTR request, first for the gateway (192.168.1.1) and then for the DNS providers:

Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 1.1.168.192.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: config 192.168.1.1 is NXDOMAIN
Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: forwarded 0.92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DS] 235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DNSKEY] 188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 188.in-addr.arpa is DNSKEY keytag 29744, algo 8
Mar 5 01:00:01 dnsmasq[16412]: reply 188.in-addr.arpa is DNSKEY keytag 32904, algo 8
Mar 5 01:00:01 dnsmasq[16412]: reply 235.188.in-addr.arpa is no DS
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DS] 92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 92.235.188.in-addr.arpa is no DS
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: cached 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: forwarded 1.0.0.1.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 1.0.0.1 is one.one.one.one
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: forwarded 1.1.1.1.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 1.1.1.1 is one.one.one.one

When I grep the log for 188.235.92.0, it only has entries for these PTR requests coming from the pihole itself. I'm not running DHCP on Pihole, and my router is the type that forwards the DNS requests to Pihole from every device as if they're coming from the gateway itself. Even still, if a PTR request were coming from another device, this would show up as coming from 192.168.1.1.

nn_m · March 14, 2019, 3:52am

While I can't add a solution to this thread, I would ask the O.P. "do you live in ru" or "is your isp based in .ru?" As posted, it is hard to know if .ru is considered evidence of a hack, or just a basic bit of information found in the log files and pi-hole output.

Also, there are numerous threads here about very similar chains of logged info featuring wpad and wpad.re1.state.company.net paired with 127.0.0.1.

Reading thru those may shed some light. (And the above has shed light on my understanding of the wpad problem).

Cheers!