myownb3.com problems

Posted: 21 Sep 2019, 11:13
by Puma
Hello,

I'm having problems with DNS myownb3.com.
It seems not to be working anymore...
3 addresses of my B3 bubbas are not accessible anymore.

Is this service stopped?

Thanks in advance.

Puma

Re: myownb3.com problems

Posted: 21 Sep 2019, 11:53
by thunder
I've the same issue with many B3s. I think that Easy DNS was hacked!!! :shock: :shock: :shock:

My URLs redirect to fake websites:

https://safewarns.com/?subid=-1&clickid ... 8153117193
https://www.textifier.net/

etc...

Re: myownb3.com problems

Posted: 21 Sep 2019, 11:56
by Puma
Yes, it's weird; when I nslookup I get the same IP addresses...
down or hacked?

redirected to
159.69.42.212
159.69.83.207
159.69.186.9
95.216.161.60

Code:

systemctl stop easyfind-client

Re: myownb3.com problems

Posted: 21 Sep 2019, 15:47
by Gordon
Was still working earlier this morning. I ran some updates on my parents' B3. Random pings now give me three (so far) out of the pool posted by Puma. As far as I can tell the easyfind service itself does not appear to be compromised, they just seem to have taken control of the myownb3.com domain which is most likely an upstream problem. They do appear to be fishing for credentials though as their servers do expose port 22. Strangely when targeting the non-secure http port 80 it appears to return a sort of valid data that states that the myownb3.com domain is free for purchase. Unsure if that may be related to this forum post: http://forum.excito.com/viewtopic.php?f=1&p=29026

Re: myownb3.com problems

Posted: 22 Sep 2019, 03:26
by fredrikj
It appears that the domain registration for myownb3.com has expired either intentionally or unintentionally. The whois record indicates that there was a new registration for the domain on 2019-09-16 and that it was updated yesterday 2019-09-21.

It appears to have been taken over by some domain squatter now. The new owner appears to have a wildcard DNS record in place which directs any hostname to the same IP number.

Code:

$ whois myownb3.com
Domain Name: MYOWNB3.COM
Registry Domain ID: 1616030932_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.moniker.com
Registrar URL: http://www.moniker.com
Updated Date: 2019-09-21T06:16:49Z
Creation Date: 2010-09-16T12:20:41Z
Registry Expiry Date: 2020-09-16T12:20:41Z
Registrar: Moniker Online Services LLC
Registrar IANA ID: 228
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.NDSPLITTER.COM
Name Server: NS2.NDSPLITTER.COM
Name Server: NS3.NDSPLITTER.COM

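The wildcard behaviour fredrikj describes (every hostname under the domain, even one that was never registered, resolving to the same address) is something an owner of a dynamic-DNS name can check for from their own side. The script below is an added example, not code from the Excito project or from anyone in this thread. It resolves a random, never-registered label under the domain to detect a wildcard, compares each known hostname against the address you expect it to have, and reports when all names have collapsed onto one address set. The `myownb3.com` hostnames, expected addresses and the squatter pool used by the two mock resolvers are constructed for the demonstration (RFC 5737 documentation ranges, not the addresses posted above); `system_resolver` is what you would pass in to query real DNS.

```python
import secrets
import socket
from dataclasses import dataclass, field


@dataclass
class TakeoverReport:
    domain: str
    wildcard_ips: frozenset                         # what a random label under the domain resolves to
    mismatched: dict = field(default_factory=dict)  # host -> IPs observed instead of the expected one
    collapsed_to: frozenset = frozenset()           # non-empty when every host resolved to one identical set

    @property
    def wildcard(self) -> bool:
        # A never-registered label should not resolve at all; if it does, a wildcard record exists.
        return bool(self.wildcard_ips)

    @property
    def suspicious(self) -> bool:
        return self.wildcard or bool(self.mismatched)


def system_resolver(name: str) -> frozenset:
    """Real resolver: the set of A records the OS stub resolver returns for name (empty on NXDOMAIN)."""
    try:
        return frozenset(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return frozenset()


def check_dyndns_domain(domain: str, expected: dict, resolver=system_resolver) -> TakeoverReport:
    """expected maps hostname -> the IP you know that host should currently have."""
    # Random label: nobody registered it, so an answer here means a wildcard (or catch-all) record.
    probe = f"probe-{secrets.token_hex(6)}.{domain}"
    report = TakeoverReport(domain=domain, wildcard_ips=resolver(probe))
    observed = {}
    for host, ip in expected.items():
        got = resolver(host)
        observed[host] = got
        if ip not in got:
            report.mismatched[host] = sorted(got)
    # If several different hosts all resolve to exactly the same non-empty set, they have collapsed.
    distinct = set(observed.values())
    if len(expected) > 1 and len(distinct) == 1:
        only = next(iter(distinct))
        if only:
            report.collapsed_to = only
    return report


# --- constructed sample data for an offline demonstration ---------------------------------
EXPECTED = {"home.myownb3.com": "203.0.113.5", "office.myownb3.com": "203.0.113.9"}  # constructed
SQUATTER_POOL = frozenset({"192.0.2.10", "192.0.2.11"})                                # constructed


def squatted_resolver(name: str) -> frozenset:
    """Mock of the takeover: a wildcard sends anything under the domain to the new owner's pool."""
    return SQUATTER_POOL if name.endswith(".myownb3.com") else frozenset()


def healthy_resolver(name: str) -> frozenset:
    """Mock of the pre-takeover state: known hosts resolve to their own address, nothing else resolves."""
    ip = EXPECTED.get(name)
    return frozenset({ip}) if ip else frozenset()


if __name__ == "__main__":
    for label, res in (("healthy", healthy_resolver), ("squatted", squatted_resolver)):
        r = check_dyndns_domain("myownb3.com", EXPECTED, res)
        print(label, "wildcard:", r.wildcard, "mismatched:", r.mismatched, "collapsed:", sorted(r.collapsed_to))
```

Run against real DNS by omitting the resolver argument; a non-empty `wildcard_ips` together with every expected host in `mismatched` is the pattern this thread shows. The probe label is randomised so a cached answer from an earlier run cannot mask a change.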
Re: myownb3.com problems

Posted: 22 Sep 2019, 05:33
by thunder
But will it not be solved?!

Re: myownb3.com problems

Posted: 22 Sep 2019, 11:47
by Gordon
I was afraid that might have happened. Still unsure whether this domain was still registered to Johannes like the mybubba.org domain and dropped alongside it or if this was an oversight from Rodeus. Hopefully Charles will be able to tell us more in a short while.

Re: myownb3.com problems

Posted: 23 Sep 2019, 08:51
by josvergeer
I have the same problem.
The domain is for sale?
That is what it is saying.
Attachment: Schermafdruk_2019-09-23_14-48-52.png
Attachment: Schermafdruk_2019-09-23_14-48-29.png

Re: myownb3.com problems

Posted: 23 Sep 2019, 10:10
by Gordon
josvergeer wrote: 23 Sep 2019, 08:51 I have the same problem.
The domain is for sale?
Not exactly. I did some querying in historical domain data and it looks like the domain was never owned by Rodeus. When the domain registration expired on September 16, 2019, it was instantly purchased by an online service provider that has no intention to sell the domain but to sell hosting combined with the use of the myownb3.com domain name. It seems unlikely that the new owner is aware of what this domain was used for and that his intended use therefore is not going to happen. Still, the current registration is valid for one year, until September 16, 2020 and that means that if Rodeus wants to continue this service we will be needing a new domain name.

Re: myownb3.com problems

Posted: 23 Sep 2019, 16:36
by MouettE
Hello guys,

Well that is unfortunate. Let me get some information and I'll get back to you.

Re: myownb3.com problems

Posted: 24 Sep 2019, 13:28
by thunder
HELP!!!!!!!!!!! HELP!!!!!!!!!!!!!!!

I have 2 ARM B3s hacked; I think that depends on this myownb3.com problem.

I can't connect in SSH mode with PuTTY; it tells me network error: connection refused. MySQL database not working, I have many customers failing!!!

Re: myownb3.com problems

Posted: 24 Sep 2019, 13:46
by Gordon
thunder wrote: 24 Sep 2019, 13:28 HELP!!!!!!!!!!! HELP!!!!!!!!!!!!!!!

I have 2 ARM B3s hacked; I think that depends on this myownb3.com problem.

I can't connect in SSH mode with PuTTY; it tells me network error: connection refused. MySQL database not working, I have many customers failing!!!
Calm down. They're not hacked. The problem is that the myownb3.com DNS names now resolve to a different IP address than where your B3s are at. Yes, that is annoying, but it currently can't be helped.

@MouettE
Would it be possible to extend the easyfind API to return the IP address associated with a specific name? That would at least allow us to query the address and possibly use that in a service that updates the local hosts file.

Re: myownb3.com problems

Posted: 24 Sep 2019, 13:54
by thunder
This is my log from the web.
Yesterday I changed my DNS to the noip service, but since 14:20 noip has received nothing. I have fail2ban installed, help me.

LOG:
Sep 24 14:23:52 CRM sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/bin/chown www-data -R /
Sep 24 14:24:01 CRM CRON[18395]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 24 14:24:01 CRM CRON[18399]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 24 14:24:01 CRM CRON[18398]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 24 14:24:01 CRM CRON[18397]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 24 14:24:01 CRM CRON[18396]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 24 14:24:03 CRM CRON[18395]: pam_unix(cron:session): session closed for user root
Sep 24 14:24:05 CRM CRON[18398]: pam_unix(cron:session): session closed for user root
Sep 24 14:24:05 CRM CRON[18396]: pam_unix(cron:session): session closed for user root
Sep 24 14:24:05 CRM CRON[18399]: pam_unix(cron:session): session closed for user root
Sep 24 14:24:05 CRM CRON[18397]: pam_unix(cron:session): session closed for user root
Sep 24 14:24:17 CRM sudo: root : /etc/sudoers is owned by uid 33, should be 0 ; TTY=unknown ; PWD=/root ; COMMAND=chgrp
Sep 24 14:24:17 CRM sudo: root : no valid sudoers sources found, quitting ; TTY=unknown ; PWD=/root ; COMMAND=chgrp
Sep 24 14:24:17 CRM sudo: root : /etc/sudoers is owned by uid 33, should be 0 ; TTY=unknown ; PWD=/root ; COMMAND=chmod
Sep 24 14:24:17 CRM sudo: root : no valid sudoers sources found, quitting ; TTY=unknown ; PWD=/root ; COMMAND=chmod
Sep 24 14:24:18 CRM CRON[17841]: pam_unix(cron:session): session closed for user root

Re: myownb3.com problems

Posted: 24 Sep 2019, 14:08
by thunder
I think that my error is making www-data a sudo user. Is it possible to take control from that?:

Sep 24 14:24:17 CRM sudo: root : /etc/sudoers is owned by uid 33, should be 0 ; TTY=unknown ; PWD=/root ; COMMAND=chgrp
Sep 24 14:24:17 CRM sudo: root : no valid sudoers sources found, quitting ; TTY=unknown ; PWD=/root ; COMMAND=chgrp
Sep 24 14:24:17 CRM sudo: root : /etc/sudoers is owned by uid 33, should be 0 ; TTY=unknown ; PWD=/root ; COMMAND=chmod
Sep 24 14:24:17 CRM sudo: root : no valid sudoers sources found, quitting ; TTY=unknown ; PWD=/root ; COMMAND=chmod

Re: myownb3.com problems

Posted: 24 Sep 2019, 15:16
by Gordon
thunder wrote: 24 Sep 2019, 13:54 Sep 24 14:23:52 CRM sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/bin/chown www-data -R /
????

Okay, that looks like someone was able to inject arbitrary code through some web based (CRM?) application and as you allowed the www user to sudo the chown command they now own your system. This of course has nothing to do with the DNS service no longer functioning because the domain was transferred to another owner, but it might be related to the hacker monitoring noip registrations expecting to be able to find whatever prompts you to use that service.

Can't really offer any more help. You will need to get to the system and repair it and improve security so that it won't happen again. Since your issue is not related to this particular topic, should you require more help or pointers on solving your issue, then please open your own topic either here or if applicable on the support forum of the web based application that allowed this breach.
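
The log thunder posted shows the sequence Gordon is reading: a non-interactive sudo (`TTY=unknown`) running `chown www-data -R /`, followed seconds later by sudo refusing to run because `/etc/sudoers` is now owned by uid 33 (www-data). Those two signals are easy to pick out of syslog automatically. The scanner below is an added example, not code from Excito or from anyone in this thread: it parses sudo's syslog line format, flags a recursive ownership or mode change on a system path, flags sudoers integrity complaints, and notes sudo runs without a terminal as a weaker signal. The sample lines are the ones from thunder's post plus one constructed benign line (the `apt update` entry) for contrast; the severity labels and sensitive-path list are this example's own choices.

```python
import re
import shlex
from collections import Counter
from dataclasses import dataclass

# sudo's default syslog format: "sudo: <user> : key=value ; key=value ; ..." with any
# free-text messages (e.g. sudoers complaints) appearing as pieces without "=".
SYSLOG_SUDO = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo: +(?P<user>\S+) : (?P<body>.*)$"
)
OWNERSHIP_CMDS = {"chown", "chmod", "chgrp"}
# Paths where a recursive ownership/mode change breaks the system's trust boundaries (example's choice).
SENSITIVE_ROOTS = ("/", "/etc", "/bin", "/sbin", "/usr", "/boot", "/root", "/var/lib")


@dataclass
class Finding:
    ts: str
    rule: str
    severity: str
    line: str


def parse_sudo(line: str):
    """Return a dict of the sudo line's fields and free-text messages, or None for non-sudo lines."""
    m = SYSLOG_SUDO.match(line)
    if not m:
        return None
    fields = {"ts": m["ts"], "host": m["host"], "user": m["user"], "messages": []}
    for piece in m["body"].split(" ; "):
        key, sep, val = piece.partition("=")
        if sep and " " not in key:
            fields[key] = val
        else:
            fields["messages"].append(piece)
    return fields


def is_recursive_on_sensitive_path(command: str) -> bool:
    """True for chown/chmod/chgrp run recursively against / or another sensitive root."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] not in OWNERSHIP_CMDS:
        return False
    recursive = any(
        a == "--recursive" or (a.startswith("-") and not a.startswith("--") and "R" in a)
        for a in argv[1:]
    )
    operands = [a for a in argv[1:] if not a.startswith("-")]
    targets = [t.rstrip("/") or "/" for t in operands[1:]]  # first operand is the owner/mode spec
    sensitive = any(
        t == "/" or any(t == r or t.startswith(r + "/") for r in SENSITIVE_ROOTS[1:])
        for t in targets
    )
    return recursive and sensitive


def scan(lines) -> list:
    """Apply the three detection rules to every sudo line; other syslog lines are ignored."""
    findings = []
    for line in lines:
        f = parse_sudo(line)
        if f is None:
            continue
        cmd = f.get("COMMAND", "")
        if is_recursive_on_sensitive_path(cmd):
            findings.append(Finding(f["ts"], "recursive-ownership-change-on-system-path", "critical", line))
        if any("sudoers" in msg for msg in f["messages"]):
            # sudo itself reporting that its policy file is untrusted: the system is already damaged.
            findings.append(Finding(f["ts"], "sudoers-integrity-failure", "high", line))
        if f.get("TTY") == "unknown" and cmd:
            # No controlling terminal: typical for cron jobs, but also for commands injected via a web app.
            findings.append(Finding(f["ts"], "sudo-without-tty", "info", line))
    return findings


def summarize(findings) -> dict:
    return dict(Counter(fd.severity for fd in findings))


# Lines from thunder's post, plus one constructed benign line at the end for contrast.
SAMPLE_LOG = """\
Sep 24 14:23:52 CRM sudo: root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/bin/chown www-data -R /
Sep 24 14:24:01 CRM CRON[18395]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 24 14:24:17 CRM sudo: root : /etc/sudoers is owned by uid 33, should be 0 ; TTY=unknown ; PWD=/root ; COMMAND=chgrp
Sep 24 14:24:17 CRM sudo: root : no valid sudoers sources found, quitting ; TTY=unknown ; PWD=/root ; COMMAND=chgrp
Sep 24 14:24:17 CRM sudo: root : /etc/sudoers is owned by uid 33, should be 0 ; TTY=unknown ; PWD=/root ; COMMAND=chmod
Sep 24 14:24:17 CRM sudo: root : no valid sudoers sources found, quitting ; TTY=unknown ; PWD=/root ; COMMAND=chmod
Sep 24 15:00:01 CRM sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
""".splitlines()

if __name__ == "__main__":
    for fd in scan(SAMPLE_LOG):
        print(f"[{fd.severity}] {fd.ts} {fd.rule}: {fd.line}")
    print(summarize(scan(SAMPLE_LOG)))
```

Feed it `/var/log/auth.log` (or journal output in the same format) to get the same classification on a live system; the single `critical` hit on the `chown` line is the event worth alerting on, and the `sudoers-integrity-failure` lines that follow are the confirmation that the change took effect.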