I have found that some A records have been added to DNS zones. Since it is in the ISPConfig database, I thought this is a security issue related to ISPConfig. How can someone enter or alter DNS information, and how can I prevent further hacking? The records are as follows (from the MySQL database; every A record is in a different zone):

31479487.dns A 67.15.35.113
31504658.dns A 67.15.35.113
31260648.dns A 67.15.35.113
31479967.dns A 67.15.35.113
31405315.dns A 67.15.35.113
31393250.dns A 67.15.35.113
34241653.dns A 67.15.35.113
32731648.dns A 67.15.35.113
31333008.dns A 67.15.35.113
I'm not aware yet of any such issue in ISPConfig. It might be that someone just got access to the MySQL database, or that someone knows the password of an admin, client or reseller account of your ISPConfig installation and used that to add the data. Is the DNS module enabled for any of your clients or resellers in ISPConfig, or do you manage the DNS records for your clients? Is the target IP address of the A records one of your servers? You can try to find out when the records got added by looking into the sys_datalog table in the ISPConfig database; this table contains all configuration transactions.
And one more question: which ISPConfig version do you use, which Linux distribution, and have you added any remote users in ISPConfig?
I use Ubuntu 11.10 and ISPConfig 3.0.4.6. I manage DNS records for customers. There is one remote user for integration, but it is only used by the local CMS on the server. The server does not use an SSL connection for ISPConfig. The target IP address does not belong to my servers; I haven't used them before. I erased all suspicious A records from the panel and changed the admin password. However, I am not comfortable enough to say that everything is secure.
I executed the following query on sys_datalog and it does not return results for modifying A records:

SELECT * FROM `sys_datalog` WHERE `data` LIKE '%67.15.35.113%'

It just shows delete actions, done by me.
OK, then the records have either been added more than 30 days ago, as the log keeps records only for this timespan, or they have been added through direct MySQL access and not through the ISPConfig interface, as ISPConfig creates a datalog record for every change, as you have seen for your delete actions.
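The datalog reconciliation suggested in this thread, written out as an added example; it is not part of the original posts or of ISPConfig's own code. It assumes the ISPConfig 3 table layout dns_rr(id, zone, name, type, data, stamp), dns_soa(id, origin), sys_datalog(datalog_id, dbtable, dbidx, action, tstamp, user, data) with dbidx stored as 'id:<row id>' and action one of 'i', 'u', 'd', and remote_user(remote_userid, remote_username, remote_functions). Verify those names against your own schema before running, and run it read-only as the ISPConfig database user:

```sql
-- Added example, not from the thread. Schema names below are assumptions
-- about ISPConfig 3 (dns_rr, dns_soa, sys_datalog, remote_user); check them
-- with SHOW COLUMNS before trusting the results.
-- Usage: mysql -u ispconfig -p dbispconfig < dns_audit.sql

-- 1. Every A record still pointing at the suspicious address, with its zone origin,
--    so nothing is left behind after the manual clean-up in the panel.
SELECT rr.id, rr.zone, z.origin, rr.name, rr.data, rr.stamp
FROM dns_rr rr
JOIN dns_soa z ON z.id = rr.zone
WHERE rr.type = 'A'
  AND rr.data = '67.15.35.113';

-- 2. All datalog transactions that mention the address, newest last.
--    action: i = insert, u = update, d = delete. The `data` column holds the
--    serialized old/new row, which is why a LIKE match works here.
SELECT d.datalog_id, d.dbtable, d.dbidx, d.action,
       FROM_UNIXTIME(d.tstamp) AS changed_at, d.user
FROM sys_datalog d
WHERE d.dbtable = 'dns_rr'
  AND d.data LIKE '%67.15.35.113%'
ORDER BY d.tstamp;

-- 3. dns_rr rows that have no insert transaction in the datalog at all.
--    Such a row was either created before the datalog retention window or
--    written straight into MySQL, bypassing the ISPConfig interface
--    (assumption: dbidx is stored as 'id:<dns_rr.id>').
SELECT rr.id, rr.zone, rr.name, rr.type, rr.data, rr.stamp
FROM dns_rr rr
LEFT JOIN sys_datalog d
       ON d.dbtable = 'dns_rr'
      AND d.dbidx = CONCAT('id:', rr.id)
      AND d.action = 'i'
WHERE d.datalog_id IS NULL
ORDER BY rr.stamp DESC;

-- 4. Which accounts changed DNS data and when, to spot an abused login.
SELECT d.user, d.action, COUNT(*) AS changes,
       FROM_UNIXTIME(MIN(d.tstamp)) AS first_seen,
       FROM_UNIXTIME(MAX(d.tstamp)) AS last_seen
FROM sys_datalog d
WHERE d.dbtable IN ('dns_rr', 'dns_soa')
GROUP BY d.user, d.action
ORDER BY last_seen DESC;

-- 5. Remote API users and the function sets they may call; any of them with
--    DNS functions enabled is a second path into the DNS tables.
SELECT remote_userid, remote_username, remote_functions
FROM remote_user;
```

Rows from query 3 whose stamp falls inside the datalog retention window are the ones that matter: ISPConfig writes a datalog entry for every change it makes, so a recent dns_rr row with no insert transaction points to a direct database write, and the MySQL credentials used by ISPConfig and by the remote-API integration should be rotated along with the admin password.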