Have I been hacked?


#21

In your network it is requested what domain belongs to an IP address.

It can be any device in your network.

See: https://discourse.pi-hole.net/t/have-i-been-hacked/16802/12


#22

Please post the lines of your /var/log/pihole.log that show the queries for this domain and the replies to the queries.


#23

Sorry for the delay in responding - I’ve been away from my home network until now. Here’s an example of what is happening every hour, on the hour, when Pihole does a PTR request, first for the gateway (192.168.1.1) and then for the DNS providers:

Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 1.1.168.192.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: config 192.168.1.1 is NXDOMAIN
Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: forwarded 0.92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DS] 235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DNSKEY] 188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 188.in-addr.arpa is DNSKEY keytag 29744, algo 8
Mar 5 01:00:01 dnsmasq[16412]: reply 188.in-addr.arpa is DNSKEY keytag 32904, algo 8
Mar 5 01:00:01 dnsmasq[16412]: reply 235.188.in-addr.arpa is no DS
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DS] 92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 92.235.188.in-addr.arpa is no DS
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: cached 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: forwarded 1.0.0.1.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 1.0.0.1 is one.one.one.one
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: forwarded 1.1.1.1.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 1.1.1.1 is one.one.one.one

When I grep the log for 188.235.92.0, it only has entries for these PTR requests coming from the pihole itself. I’m not running DHCP on Pihole, and my router is the type that forwards the DNS requests to Pihole from every device as if they’re coming from the gateway itself. Even still, if a PTR request were coming from another device, this would show up as coming from 192.168.1.1.
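
One way to do the check described in this post, as an added example that is not from the thread or from the Pi-hole project: it parses pihole.log lines in the format quoted above, turns each in-addr.arpa name back into the IP it stands for, and reports which client asked for each reverse lookup, so an IP that only ever appears with source 127.0.0.1 is Pi-hole's own hourly PTR pass rather than a device on the LAN. The sample log is constructed from the lines above; its final entry from 192.168.1.1 is invented to show what a lookup from another client would look like.

```python
import re
from collections import defaultdict

# Constructed sample in the pihole.log (dnsmasq) format quoted in the thread. The
# last line is invented to show what a lookup from another client would look like.
SAMPLE_LOG = """\
Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 1.1.168.192.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: config 192.168.1.1 is NXDOMAIN
Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: forwarded 0.92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: cached 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: reply 1.0.0.1 is one.one.one.one
Mar 5 01:07:13 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 192.168.1.1
"""

PTR_RE = re.compile(r"query\[PTR\] (?P<arpa>\S+)\.in-addr\.arpa from (?P<src>\S+)")
ANS_RE = re.compile(r"(?:reply|cached) (?P<ip>\d+\.\d+\.\d+\.\d+) is (?P<name>\S+)")


def arpa_to_ip(arpa):
    """in-addr.arpa labels are the IPv4 octets reversed: '0.92.235.188' -> '188.235.92.0'."""
    return ".".join(reversed(arpa.split(".")))


def triage(log_text, self_sources=("127.0.0.1",)):
    """Map each reverse-looked-up IP to (resolved name, clients other than Pi-hole itself).

    An empty client list means only the resolver's own hourly PTR pass asked for
    the address; a non-empty one names the device(s) the lookup came from.
    """
    sources, names = defaultdict(set), {}
    for line in log_text.splitlines():
        if m := PTR_RE.search(line):
            sources[arpa_to_ip(m["arpa"])].add(m["src"])
        elif m := ANS_RE.search(line):
            names[m["ip"]] = m["name"]
    return {ip: (names.get(ip), sorted(s - set(self_sources)))
            for ip, s in sources.items()}


if __name__ == "__main__":
    for ip, (name, clients) in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {name or '(no answer)':55} external clients: {clients or 'none'}")
```

Run it against the real file with `triage(open("/var/log/pihole.log").read())`; on a router that forwards every client's queries, any non-localhost source will show up as the gateway address, as the post notes.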


#24

While I can’t add a solution to this thread, I would ask the O.P. “do you live in ru” or “is your ISP based in .ru?” As posted, it is hard to know if .ru is considered evidence of a hack, or just a basic bit of information found in the log files and pi-hole output.

Also, there are numerous threads here about very similar chains of logged info featuring wpad and wpad.re1.state.company.net paired with 127.0.0.1.

Reading through those may shed some light. (And the above has shed light on my understanding of the wpad problem.)

Cheers!