
Mystery process adding "options rotate" to resolv.conf file


peter-h:
I have a server, centos / nginx, whose content is just static html. No PHP, etc. No interactive stuff. No JS sent to the client browser.

I have a guy who looks after some sites for me. He is pretty familiar with unix stuff and databases...

The server has a cron job which pings a healthcheck site every hour so we can see if the server is down. The websites on it work but this ping stopped a month ago.

Something is messing with the resolv.conf file. It was found to contain no nameserver entries (which presumably is why pinging hc-ping.com was failing) and contains some 80000 lines with "options rotate", one being added every 80 seconds.

But there is no cron job doing this, so there must be a "script" somewhere which is running. But where?

The server is a virtual server and was originally set up about 20 years ago. It was updated to latest OS maybe 10 years ago.

Access (updates) is done with rsync, from a local copy held on a PC. There is also sftp and ftp access.

Does this ring a bell with anyone? It could be an attack (which failed to do much) or it could be some accident.

madires:
Could be some DHCP automation gone wild. A 'cd /etc' and 'grep -R "options rotate"' might find the source.

magic:
You could start with something like fuser or lsof to see if any process has this file opened constantly.
Unfortunately, I don't know how to wait for some process to open a file and log which process it was.

You could also make the file read only and see if it helps and see if any daemon logs errors because of it.

I'm a big sys*^&d hater so it surely must be this POS gone rogue, somehow :-DD

peter-h:
Thank you :)

A partial success: /etc/dhcp/dhclient-exit-hooks. Supposedly it runs whenever dhcp gets or loses an IP address. Currently it does echo 'options rotate' >> /etc/resolv.conf. Now why would somebody have set this up?

The file was set to R/O.

Doesn't sound like a hacker because a hacker with that access could have done much more damage.

The DNS IP disappeared from that file around 21 Nov 2024.

Turns out that an image restore was performed on that server on that day. It was done to reverse some experimental work on directory listing privileges. Why the restored image buggered up that DNS IP file, is a mystery.

Anyway, this has provided an excuse for some cleanup work, like log rotation, and removing no longer used services like pop boxes :)
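The hook found above appends unconditionally, so every lease renewal adds a line and the file grows forever (one line per renewal interval, as peter-h observed). The script below is an added example, not from the thread or from the server in question: it reproduces the unconditional hook on a constructed copy of resolv.conf, shows an idempotent replacement that only appends when the option is missing, de-duplicates an already bloated file in place (keeping the inode, so anything holding the file open is unaffected), and checks for the other symptom, a file with no nameserver line. The sample contents (search example.com, nameserver 192.0.2.53) are constructed; never run this against the live /etc/resolv.conf without a backup.

```shell
#!/bin/sh
# Added example, not the forum poster's code. All functions take the path as $1
# so they can be exercised on a scratch copy rather than the real /etc/resolv.conf.

# How many "options rotate" lines does the file contain? ("|| true" keeps the
# function's exit status 0 when grep finds none, so "set -e" callers survive.)
count_rotate() {
    grep -c -x 'options rotate' "$1" || true
}

# Exit 0 if at least one "nameserver <address>" line is present, 1 otherwise.
# An empty result here is why pinging hc-ping.com by name stopped working.
has_nameserver() {
    grep -q -E '^nameserver[[:space:]]+[^[:space:]]+' "$1"
}

# The hook as found on the server: appends on every DHCP event, unbounded.
bad_hook() {
    echo 'options rotate' >> "$1"
}

# Idempotent replacement for dhclient-exit-hooks: append only when absent.
good_hook() {
    grep -q -x 'options rotate' "$1" || echo 'options rotate' >> "$1"
}

# Collapse duplicate lines, first occurrence wins, order preserved. Writing
# back through "cat >" keeps the original inode and permissions.
dedupe_resolv() {
    tmp=$(mktemp)
    awk '!seen[$0]++' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demonstration on a constructed scratch file (not the live resolver config).
demo() {
    f=$(mktemp)
    printf 'search example.com\nnameserver 192.0.2.53\n' > "$f"
    i=0
    while [ "$i" -lt 5 ]; do bad_hook "$f"; i=$((i + 1)); done
    echo "after 5 runs of the unconditional hook: $(count_rotate "$f") 'options rotate' lines"
    dedupe_resolv "$f"
    good_hook "$f"
    good_hook "$f"
    echo "after dedupe and 2 runs of the idempotent hook: $(count_rotate "$f") line(s)"
    if has_nameserver "$f"; then
        echo "nameserver present"
    else
        echo "NO nameserver line: name resolution will fail"
    fi
    rm -f "$f"
}
demo
```

On CentOS, /sbin/dhclient-script sources /etc/dhcp/dhclient-exit-hooks after it has already rewritten /etc/resolv.conf from the lease, which is why the hook, not cron, was the writer. For the open question in the thread of catching an unknown writer in the act: with auditd running, `auditctl -w /etc/resolv.conf -p wa -k resolvconf` followed later by `ausearch -k resolvconf` records the PID, executable and parent of every process that opens the file for writing, which would have pointed straight at dhclient-script.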

Postal2:

--- Quote from: peter-h on January 11, 2025, 10:23:07 pm ---... Why the restored image buggered up that DNS IP file, is a mystery. ...

--- End quote ---
What "mysteries" can there be if you restore the system from an image and it does not boot after that?

It's clear that toothbrushes and plunger are to blame for everything.
