
possible DNS-rebind attack detected: victek.is-a-geek.com

Discussion in 'Tomato Firmware' started by javilin, Apr 3, 2012.

  1. javilin

    javilin Addicted to LI Member

    This can be
    out several times in the log

    daemon.warn dnsmasq[25157]: possible DNS-rebind attack detected: victek.is-a-geek.com

     
  2. javilin

    javilin Addicted to LI Member

    is continuous

    Apr 3 09:52:53 Asus daemon.warn dnsmasq[25157]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 09:53:27 Asus daemon.warn dnsmasq[25157]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 10:00:01 Asus syslog.info root: -- MARK --
    Apr 3 10:10:37 Asus daemon.warn dnsmasq[25157]: possible DNS-rebind attack detected: victek.is-a-geek.com


    means that collecting data,

    but is down url
    http://victek.is-a-geek.com
     
  3. guran

    guran Serious Server Member

    The only thing I can do is to confirm what you're saying. I wanted to read a little about Victek's Tomato firmware but I can't reach the site, and the log files on my router give the same messages as for you.
     
  4. ArCan

    ArCan Networkin' Nut Member

    A LOT OF SAME MESSAGES !
    ...
    Apr 3 13:51:56 daemon.warn dnsmasq[10104]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 13:51:56 daemon.warn dnsmasq[10104]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 13:56:25 daemon.warn dnsmasq[10104]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 13:56:25 daemon.warn dnsmasq[10104]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 14:00:00 daemon.warn dnsmasq[10104]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 14:00:00 daemon.warn dnsmasq[10104]: possible DNS-rebind attack detected: victek.is-a-geek.com
    ...

    But I never went to VICTEK.IS-A-GEEK.COM !!!

    Any idea about this situation?
    Does my router connect to VICTEK.IS-A-GEEK.COM by itself?
    What for?
    Maybe to inform "victek" about my credit card number,
    or only to see the pictures of my wife?
    :)

    P.S. I can't go to victek.is-a-geek.com direct,
    but I CAN do it via OS's VPN,
    because the router "doesn't know" about my path,
    and doesn't refuse the connection. I think...
     
  5. Elbart

    Elbart LI Guru Member

    Code:
    C:\dig>dig @8.8.8.8 victek.is-a-geek.com
    
    ; <<>> DiG 9.3.2 <<>> @8.8.8.8 victek.is-a-geek.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 967
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;victek.is-a-geek.com.          IN      A
    
    ;; ANSWER SECTION:
    victek.is-a-geek.com.   60      IN      A       172.16.63.58
    
    ;; Query time: 55 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Tue Apr 03 20:35:05 2012
    ;; MSG SIZE  rcvd: 54
    172.16.x.y is a private IP. ;)
     
  6. ArCan

    ArCan Networkin' Nut Member

    is-a-geek.com is a DDNS service...
     
  7. Elbart

    Elbart LI Guru Member

    So?
    The address resolves to a private (read: non-routable) IP-address, like 10.x.y.z or 192.168.x.y. It is not reachable for anybody outside that network. That's the "rebind attack".
    Bad enough that the service is accepting such an address in the first place.
     
  8. ArCan

    ArCan Networkin' Nut Member

    In some NVRAM dump I can see same web-site name
    "...
    NC_AllowedWebHosts=www.victek.is-a-geek.com
    NC_DocumentRoot=/tmp/splashd
    NC_ExcludePorts=1863
    NC_ForcedRedirect=0
    NC_GatewayMode=Open
    NC_GatewayName=Tomato Captive Portal
    NC_GatewayPort=5280
    NC_HomePage=http://victek.is-a-geek.com
    NC_IdleTimeout=0
    NC_LoginTimeout=3600
    NC_MaxMissedARP=5
    NC_PeerChecktimeout=0
    NC_RenewTimeout=0
    NC_Verbosity=2
    NC_enable=0
    ..."
    But even though I don't have these lines in NVRAM,
    I still have "possible DNS-rebind attack detected: victek.is-a-geek.com" in the log...
     
  9. javilin

    javilin Addicted to LI Member

    Captive Portal not activated

    Apr 3 20:08:23 Asus user.info sd-idle[395]: spinning up /dev/sda after 6 mins 31 secs
    Apr 3 20:14:13 Asus daemon.warn dnsmasq[707]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 20:32:53 Asus user.info sd-idle[395]: spinning down /dev/sda after 24 mins 30 secs
    Apr 3 20:42:50 Asus daemon.warn dnsmasq[707]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 20:44:54 Asus user.info sd-idle[395]: spinning up /dev/sda after 12 mins 1 secs


    when the web url does not get the log and send data.
     
  10. ArCan

    ArCan Networkin' Nut Member

    OK. If I understand right,
    the IP of victek.is-a-geek.com is the reason for the message "possible DNS-rebind attack detected: victek.is-a-geek.com",
    but the question is still without an answer:
    "Why and what for does the firmware try to connect to "victek.is-a-geek.com"?"
    I repeat, even when nobody surfs the web to victek.is-a-geek.com or even uses the internet at all!
     
  11. javilin

    javilin Addicted to LI Member

    UPDATE...

    The good thing also happens in Tomato Toastman, it would have to look at.

    "Why and what for does the firmware try to connect to "victek.is-a-geek.com"?"
     
  12. Elbart

    Elbart LI Guru Member

    You sure those entries aren't the attempts to visit Victek's page? I got those entries here, too, but only when I checked the DNS etc.

    If anybody got the source code of Victek's mod, you'd maybe see why it's trying to connect to the website. Update-check? I don't know.
     
  13. javilin

    javilin Addicted to LI Member

    I only see this victek.is-a-geek.com
     
  14. javilin

    javilin Addicted to LI Member

    it has stopped the log, the web works, is sending hidden data
    http://victek.is-a-geek.com/

    Apr 3 23:40:04 Asus daemon.warn dnsmasq[707]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 3 23:40:24 Asus daemon.warn dnsmasq[707]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 4 00:00:01 Asus syslog.info root: -- MARK --
    Apr 4 00:01:14 Asus daemon.warn dnsmasq[707]: possible DNS-rebind attack detected: victek.is-a-geek.com
    Apr 4 00:06:06 Asus user.info sd-idle[382]: spinning down /dev/sda after 40 mins 30 secs


    last: Apr 4 - 00:01:14
     
  15. Elbart

    Elbart LI Guru Member

    Can't find the sourcecode on the website either.
     
  16. shibby20

    shibby20 Network Guru Member

    Do all of you have Tomato with Captive Portal? If yes, try enabling captive portal, change the allowed web hosts and homepage, disable captive portal and save. Should help.

    I haven't integrated Captive Portal in my build (BT-VPN) and I don't have these "attack" messages.
     
  17. javilin

    javilin Addicted to LI Member

    see the message only when victek.is-a-geek.com is offline

    use version without nocat
     
  18. Toastman

    Toastman Super Moderator Staff Member Member

    I've never seen them either.

    javilin, are you saying this happens in my Portal builds too? Captive portal has been in some of the build versions for a very long time and nothing has been changed.
     
  19. javilin

    javilin Addicted to LI Member

    I have used it for a long time but am seeing it in this version:

    Tomato Firmware v1.28.7497 MIPSR2-Toastman-VLAN-RT K26 USB VPN-NOCAT

    see the message only when victek.is-a-geek.com is offline
     
  20. Toastman

    Toastman Super Moderator Staff Member Member

    Then it's *probably* not anything to do with the firmware... because nothing has changed for years. But what on earth it could be - I have no idea.
     
  21. javilin

    javilin Addicted to LI Member

    that never failed-a-geek.com victek.is and no chance of looking at the log
    You will have to do with the mod.

    I better change to version nocat
     
  22. Elbart

    Elbart LI Guru Member

    Well, of course these errors would be in the log, because the dnsmasq in the router is trying to resolve the domain and when it resolves to a private IP, as it happened whenever I pinged it or tried to open it in the browser, there would be another entry in the error-log regarding a "rebind attack".

    So those who have seen it in the logs in times where they can rule out that they were the ones trying to access the website, i.e. in the middle of the night or so, then there'd be a reason to be worried, I guess.

    javilin: Your postings are really difficult to understand. :(
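Elbart's two explanations (posts 7 and 22) describe what dnsmasq is actually reporting: an upstream answer that points at a private address, logged every time something on the LAN resolves the name. The following is an added example, not code from the thread or from Tomato/dnsmasq; it approximates dnsmasq's rebind rule with an explicit list of non-routable ranges (an assumption) and parses the thread's own log lines (embedded as constructed sample input) to show the gaps between warnings, which is the check a defender would run to tell periodic firmware lookups from a user's browser visits.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: dnsmasq's --stop-dns-rebind rejects answers in roughly these
# ranges (RFC 1918, loopback, link-local, 0.0.0.0/8). This list approximates it.
REBIND_RANGES = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def is_rebind_answer(ip: str) -> bool:
    """True if an upstream A record points into a private/non-routable range."""
    addr = ip_address(ip)
    return any(addr in net for net in REBIND_RANGES)

# Matches the syslog lines shown in the thread; the host field ("Asus") is optional.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?daemon\.warn dnsmasq\[\d+\]: "
    r"possible DNS-rebind attack detected: (\S+)$")

def rebind_events(lines, year=2012):
    """Parse dnsmasq rebind warnings into (timestamp, hostname) pairs; other lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def gaps_per_host(events):
    """Seconds between consecutive warnings for each host.
    Evenly spaced gaps suggest a periodic lookup (timer, update check);
    irregular gaps that track human activity suggest browser visits."""
    by_host = {}
    for ts, host in events:
        by_host.setdefault(host, []).append(ts)
    return {h: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for h, t in by_host.items()}

# Constructed sample: the lines javilin posted, plus the syslog MARK line as noise.
SAMPLE_LOG = """\
Apr 3 09:52:53 Asus daemon.warn dnsmasq[25157]: possible DNS-rebind attack detected: victek.is-a-geek.com
Apr 3 09:53:27 Asus daemon.warn dnsmasq[25157]: possible DNS-rebind attack detected: victek.is-a-geek.com
Apr 3 10:00:01 Asus syslog.info root: -- MARK --
Apr 3 10:10:37 Asus daemon.warn dnsmasq[25157]: possible DNS-rebind attack detected: victek.is-a-geek.com
""".splitlines()

if __name__ == "__main__":
    print(is_rebind_answer("172.16.63.58"))        # the address Elbart's dig returned
    print(gaps_per_host(rebind_events(SAMPLE_LOG)))  # {'victek.is-a-geek.com': [34, 1030]}
```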
     
  23. javilin

    javilin Addicted to LI Member

    sorry, my English is 0
     
